You must sign all API requests to ensure security. Alibaba Cloud uses the request Signature to verify the identity of the API caller. When you call an API by using HTTP or HTTPS, the request must contain the signature information.

Overview

To call the RESTful API, add the Authorization field to the API request header in the following format:

Authorization: acs AccessKeyId:Signature

The fields are described as follows:
  • acs: the abbreviation of Alibaba Cloud Service. This identifier is fixed and cannot be modified.
  • AccessKeyId: the AccessKey ID of the caller that calls the API.
  • Signature: the HMAC-SHA1 signature of the request, computed with the AccessKey secret that belongs to the AccessKey ID.

Signature method

The signature algorithm follows the HMAC-SHA1 rules defined in RFC 2104. The AccessKeySecret is used as the key to calculate the HMAC value of the encoded and sorted request string (StringToSign); the result is the signature. Different APIs carry different request parameters, so their signatures differ.

Signature = Base64( HMAC-SHA1( AccessKeySecret, UTF-8-Encoding-Of( StringToSign ) ) )
To calculate a signature, perform the following steps:
  1. Construct a complete string to be signed (StringToSign).
    The StringToSign is a string assembled from the relevant elements of an API request. It is used to calculate the signature and is built from the following elements:
    • HTTP headers
    • Alibaba Cloud protocol headers (CanonicalizedHeaders)
    • Canonicalized resource (CanonicalizedResource)
    • Body (included through its Content-MD5 value)

    The StringToSign must be created in the following format:

    StringToSign = 
           // HTTP Header
            HTTP-Verb + "\n" +
            Accept + "\n" +
            Content-MD5 + "\n" + // put the MD5 value of the Body
            Content-Type + "\n" +
            Date + "\n" +
           // Alibaba Cloud protocol Header(CanonicalizedHeaders)
            CanonicalizedHeaders +
           // How to include CanonicalizedResource in signatures (resource specification)
            CanonicalizedResource

    Example of an original request:

    POST /stacks?name=test_alert&status=COMPLETE HTTP/1.1
    Host:***.aliyuncs.com
    Accept:application/json
    Content-MD5:ChDfdfwC+Tn874znq7Dw7Q==
    Content-Type:application/x-www-form-urlencoded;charset=utf-8
    Accept-Encoding:identity
    Date:Thu, 22 Feb 2018 07:46:12 GMT
    x-acs-signature-method:HMAC-SHA1
    x-acs-signature-nonce:550e8400-e29b-41d4-a716-446655440000
    x-acs-signature-version:1.0
    x-acs-version:2020-04-20

    Example of a string to be signed:

    POST
    application/json
    ChDfdfwC+Tn874znq7Dw7Q==
    application/x-www-form-urlencoded;charset=utf-8
    Thu, 22 Feb 2018 07:46:12 GMT
    x-acs-signature-method:HMAC-SHA1
    x-acs-signature-nonce:550e8400-e29b-41d4-a716-446655440000
    x-acs-signature-version:1.0
    x-acs-version:2020-04-20
    /stacks?name=test_alert&status=COMPLETE
  2. Calculate a signature.

    Add the calculated signature to the request Header in the following format:

    Authorization: acs AccessKeyId:Signature

HTTP headers

The signature calculation must contain the following headers, in alphabetical order. If a header has no value, keep its position as an empty line (that is, only the "\n").

  • Accept: the type of response that the client expects. Valid values: application/json | application/xml.
  • Content-MD5: the Base64-encoded 128-bit MD5 hash of the HTTP message body.
  • Accept-Encoding: the Accept-Encoding field that the client sends to the server to declare the content encodings it supports.
  • Content-Type: the HTTP request content type as defined in RFC 2616.
  • Date: the GMT time as specified in the HTTP/1.1 protocol. Example: Wed, 05 Sep 2012 23:00:00 GMT.
    Note: Only the values of these headers enter the signature calculation; the header names are not included.
Example of an original Header:

Accept:application/json
Content-MD5:ChDfdfwC+Tn874znq7Dw7Q==
Content-Type:application/x-www-form-urlencoded;charset=utf-8
Accept-Encoding:identity
Date:Thu, 22 Feb 2018 07:46:12 GMT

Example of a canonicalized Header:

application/json
ChDfdfwC+Tn874znq7Dw7Q==
application/x-www-form-urlencoded;charset=utf-8
Thu, 22 Feb 2018 07:46:12 GMT

Alibaba Cloud protocol headers (CanonicalizedHeaders)

Alibaba Cloud protocol headers are non-standard HTTP headers whose names start with the x-acs- prefix. A request must contain the following headers:
  • x-acs-signature-nonce: a unique random value used to prevent replay attacks. A different value is required for each request.
  • x-acs-signature-version: the version of the signature algorithm. Set the value to 1.0.
  • x-acs-version: the API version. For Message Queue for MQTT, the version number is 2020-04-20.

To construct Alibaba Cloud canonicalized headers, perform the following steps:

  1. Convert header field names that start with x-acs- to lowercase. For example, x-acs-OSS-Meta-Name: TaoBao is converted to x-acs-oss-meta-name: TaoBao.
  2. Sort the headers in ascending lexicographic order of their names.
  3. Delete any space between a header field name and its value. For example, x-acs-oss-meta-name: TaoBao,Alipay is converted to x-acs-oss-meta-name:TaoBao,Alipay.
  4. Join all headers, each followed by the "\n" separator, to form the final CanonicalizedHeaders.

Example of an original Header:

x-acs-signature-nonce:550e8400-e29b-41d4-a716-446655440000
x-acs-signature-method:HMAC-SHA1
x-acs-signature-version:1.0
x-acs-version: 2020-04-20

Example of a canonicalized Header:

x-acs-signature-method:HMAC-SHA1
x-acs-signature-nonce:550e8400-e29b-41d4-a716-446655440000
x-acs-signature-version:1.0
x-acs-version:2020-04-20

Canonicalized resource (CanonicalizedResource)

CanonicalizedResource is the canonical description of the resource that you want to access. To build it, take the sub-resources and query parameters that follow the question mark (?), sort them in ascending lexicographic order, and join them with ampersands (&) to form the sub-resource string.

Example of an original request:

/stacks?status=COMPLETE&name=test_alert

Example of a canonicalized request:

/stacks?name=test_alert&status=COMPLETE

Body

Compute the MD5 hash of the request body, Base64-encode the hash, and place the result in the Content-MD5 header.
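The following is an added worked example that covers the signing procedure above (step 1, assembling StringToSign, and step 2, the HMAC-SHA1 signature), the four CanonicalizedHeaders steps, the CanonicalizedResource rule and the Content-MD5 body rule. It is not Alibaba Cloud SDK code. The Verifier class goes beyond the page by showing the server-side checks that the x-acs-signature-nonce and Date headers make possible: constant-time signature comparison, a freshness window on Date, and one-time nonces. The AccessKey pair, request body, key store and clock value are constructed for the example; the header layout and StringToSign format follow the page.

```python
"""Signing (client) and verifying (server) an Alibaba Cloud ROA-style request.
Added example for this page, not Alibaba Cloud SDK code: the StringToSign layout
follows the page; the key pair, body and clock value below are constructed."""
import base64
import hashlib
import hmac
from email.utils import parsedate_to_datetime


def content_md5(body: bytes) -> str:
    """Body section: Base64 of the 128-bit MD5 digest, carried in Content-MD5."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def canonicalize_headers(headers: dict) -> str:
    """CanonicalizedHeaders: keep x-acs-* headers, lowercase the names, strip the
    space after the colon, sort, and emit one 'name:value\\n' per header."""
    acs = {k.lower(): v.strip() for k, v in headers.items()
           if k.lower().startswith("x-acs-")}
    return "".join(f"{name}:{acs[name]}\n" for name in sorted(acs))


def canonicalize_resource(path: str, query: str) -> str:
    """CanonicalizedResource: query parameters in ascending order, joined by &."""
    return path + ("?" + "&".join(sorted(query.split("&"))) if query else "")


def build_string_to_sign(verb: str, headers: dict, path: str, query: str) -> str:
    """Step 1: HTTP header values (an absent header gives an empty line), then
    CanonicalizedHeaders, then CanonicalizedResource."""
    h = {k.lower(): v for k, v in headers.items()}
    http_part = "\n".join([verb, h.get("accept", ""), h.get("content-md5", ""),
                           h.get("content-type", ""), h.get("date", "")])
    return http_part + "\n" + canonicalize_headers(headers) + canonicalize_resource(path, query)


def sign(access_key_secret: str, string_to_sign: str) -> str:
    """Step 2: Signature = Base64(HMAC-SHA1(AccessKeySecret, UTF-8(StringToSign)))."""
    mac = hmac.new(access_key_secret.encode("utf-8"),
                   string_to_sign.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


class Verifier:
    """Server side: rebuild StringToSign from the received request, compare the HMAC
    in constant time, and enforce Date freshness plus one-time nonces (replay defence)."""

    def __init__(self, secrets: dict, max_skew_s: int = 900):
        self.secrets = secrets      # AccessKeyId -> AccessKeySecret (constructed store)
        self.seen_nonces = set()    # a real service expires entries after max_skew_s
        self.max_skew_s = max_skew_s

    def verify(self, verb, headers, path, query, body: bytes, now: float):
        h = {k.lower(): v for k, v in headers.items()}
        auth = h.get("authorization", "")
        if not auth.startswith("acs ") or ":" not in auth:
            return False, "malformed Authorization"
        key_id, sig = auth[4:].split(":", 1)
        secret = self.secrets.get(key_id)
        if secret is None:
            return False, "unknown AccessKeyId"
        if h.get("content-md5") != content_md5(body):   # binds the body to the signature
            return False, "Content-MD5 does not match body"
        try:
            sent = parsedate_to_datetime(h["date"]).timestamp()
        except (KeyError, TypeError, ValueError):
            return False, "missing or malformed Date"
        if abs(now - sent) > self.max_skew_s:
            return False, "Date outside the accepted window"
        nonce = h.get("x-acs-signature-nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "missing or replayed nonce"
        expected = sign(secret, build_string_to_sign(verb, headers, path, query))
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "signature mismatch"
        self.seen_nonces.add(nonce)
        return True, "ok"


# The page's example request headers (Host omitted; it does not enter StringToSign).
PAGE_DATE = "Thu, 22 Feb 2018 07:46:12 GMT"
PAGE_HEADERS = {
    "Accept": "application/json",
    "Content-MD5": "ChDfdfwC+Tn874znq7Dw7Q==",
    "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
    "Accept-Encoding": "identity",
    "Date": PAGE_DATE,
    "x-acs-signature-method": "HMAC-SHA1",
    "x-acs-signature-nonce": "550e8400-e29b-41d4-a716-446655440000",
    "x-acs-signature-version": "1.0",
    "x-acs-version": "2020-04-20",
}


def demo() -> dict:
    """Sign with a constructed key pair, verify, then show that a replay and a
    tampered query string are both rejected."""
    key_id, secret = "LTAIexampleKeyId", "exampleSecretNotReal"   # constructed
    body = b"name=test_alert&status=COMPLETE"                       # constructed
    query = "status=COMPLETE&name=test_alert"
    headers = dict(PAGE_HEADERS, **{"Content-MD5": content_md5(body)})
    headers["Authorization"] = f"acs {key_id}:{sign(secret, build_string_to_sign('POST', headers, '/stacks', query))}"
    now = parsedate_to_datetime(PAGE_DATE).timestamp() + 5         # pretend clock
    v = Verifier({key_id: secret})
    first = v.verify("POST", headers, "/stacks", query, body, now)
    replay = v.verify("POST", headers, "/stacks", query, body, now)
    tampered = Verifier({key_id: secret}).verify(
        "POST", headers, "/stacks", "status=FAILED&name=test_alert", body, now)
    return {"first": first, "replay": replay, "tampered": tampered}
```

Running build_string_to_sign("POST", PAGE_HEADERS, "/stacks", "status=COMPLETE&name=test_alert") reproduces the page's example StringToSign byte for byte, and demo() returns (True, "ok") for the first request, a nonce rejection for the replay and a signature mismatch for the altered query. Because the body itself is not part of StringToSign, the Content-MD5 comparison in the verifier is the step that ties the body to the signature; a server that skips it would accept a signed request whose body was swapped in transit.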