The AnalyticDB for MySQL service authenticates the sender identity of each access request. Therefore, each request must contain signature information, regardless of whether requests are sent through HTTP or HTTPS.

Background information

AnalyticDB for MySQL implements symmetric encryption with an AccessKey pair to verify the identity of the request sender. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID and AccessKey secret are issued to you by Alibaba Cloud. You can apply for and manage them on the Alibaba Cloud website. The AccessKey ID is used to verify your identity, whereas the AccessKey secret is used to encrypt and verify the signature string on the server. The AccessKey secret must be kept confidential and only be known to Alibaba Cloud and you.

To calculate a signature, perform the following steps:


  1. Use the request parameters to construct a canonicalized query string.
    1. Sort all request parameters (including the common request parameters described in the "Common parameters" topic and the operation-specific parameters, but excluding the Signature parameter) in the lexicographic order of parameter names.
      Note If you use the GET method to send a request, the request parameters are included as a part of the request URL. The request parameters in the URL are placed after a question mark (?) and separated with ampersands (&).
    2. Encode the name and value of each request parameter. The parameter names and values must be URL-encoded in UTF-8 based on the following encoding rules:
      • Uppercase letters, lowercase letters, digits, hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
      • Encode other characters into the %XY format. XY is the hexadecimal value of the ASCII code corresponding to a character. For example, a double quotation mark (") is encoded as %22.
      • Extended UTF-8 characters are encoded in the %XY%ZA... format.
      • Encode a space as %20 instead of a plus sign (+).
      Note Most libraries that support URL encoding, such as, comply with the Multipurpose Internet Mail Extensions (MIME) encoding rules of "application/x-www-form-urlencoded". If you use this encoding method, replace each plus sign (+) with %20, each asterisk (*) with %2A, and %7E with a tilde (~).
    3. Concatenate the encoded parameter names and values by using equal signs (=).
    4. Sort the key-value pairs connected by equal signs (=) in alphabetical order and separate them with ampersands (&) to obtain the canonicalized query string.
  2. Use the canonicalized query string to construct the string for signature based on the following rules:
    StringToSign = HTTPMethod + "&" + percentEncode("/") + "&" + percentEncode(CanonicalizedQueryString)                 


    • HTTPMethod: indicates the HTTP method used to submit the request, such as GET.
    • percentEncode("/"): indicates the encoded value for the forward slash (/) based on the URL encoding rules described in the preceding step, which is %2F.
    • percentEncode(CanonicalizedQueryString): indicates the encoded string for the created canonicalized query string based on the URL encoding rules described in the preceding step.
  3. Calculate the hash-based message authentication code (HMAC) value of the string-to-sign as defined in RFC 2104.
    Note An ampersand (&) is added to the end of the key (ASCII: 38). The hashing algorithm used is SHA-1.
  4. Use Base64 to encode the HMAC value into a string. This encoded string is the signature.
  5. Add the signature string to the request as the Signature parameter.
    Note The obtained signature string must use RFC 3986 URL encoding like other parameters before it can be submitted to the DNS server as the final request parameter value.

    For example, the request URL without a signature for the DescribeDBClusters operation is:                

    The constructed StringToSign string is:


    Assume that the AccessKey ID is "testid", the AccessKey secret is "testsecret", and the key used for HMAC calculation is "testsecret&". The calculated signature string is uRpHwaSEt3J+6KQD//svCh/x+pI=.

    The following example shows the request URL with the Signature parameter: