Signature method - API Reference| Alibaba Cloud Documentation Center

Overview

To sign a RESTful API request, add the Authorization field to the request header in the following format:

Authorization:acs:AccessKeyId:Signature

acs: the abbreviation for Alibaba Cloud Service. This is a fixed field and cannot be modified.
AccessKeyId: the AccessKey ID that is used to call the API.
Signature: the signature generated after the request is symmetrically encrypted by using the AccessKey secret.

Signature calculation

The signature algorithm complies with the HMAC-SHA1 specifications in RFC 2104. The AccessKey secret is used to calculate the Hash-based Message Authentication Code (HMAC) value of an encoded and formatted query string. The HMAC value is then used as the signature. Some parameters in a request are used to calculate the signature. Therefore, the signature of a request varies based on the API request parameters.

Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(
StringToSign)) )

To calculate a signature, perform the following steps:

Compose a string-to-sign.

A string-to-sign is a string assembled by using the elements in an API request. The string is used to calculate the signature and contains the following elements:

HTTP headers
Canonicalized headers of Alibaba Cloud (CanonicalizedHeaders)
Canonicalized resource (CanonicalizedResource)
Body

A string-to-sign must be created in the following format:

StringToSign = 
       //HTTP headers
        HTTP-Verb + "\n" +
        Accept + "\n" +
        Content-MD5 + "\n" +//The request body encrypted by using the MD5 algorithm. Content-Type + "\n" +
        Date + "\n" +
       //Canonicalized headers of Alibaba Cloud (CanonicalizedHeaders).
        CanonicalizedHeaders +
       //Canonicalized resource (CanonicalizedResource).
        CanonicalizedResource

Sample original requests:

POST /stacks? name=test_alert&status=COMPLETE HTTP/1.1
Host: ***.aliyuncs.com
Accept: application/json
Content-MD5: ChDfdfwC+Tn874znq7Dw7Q==
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Date: Thu, 22 Feb 2018 07:46:12 GMT 
x-acs-signature-nonce: 550e8400-e29b-41d4-a716-446655440000
x-acs-signature-method: HMAC-SHA1
x-acs-signature-version: 1.0
x-acs-version: 2016-01-02

Sample canonicalized requests:

POST
application/json
ChDfdfwC+Tn874znq7Dw7Q==
application/x-www-form-urlencoded;charset=utf-8
Thu, 22 Feb 2018 07:46:12 GMT
x-acs-signature-nonce: 550e8400-e29b-41d4-a716-446655440000
x-acs-signature-method:HMAC-SHA1
x-acs-signature-version:1.0
x-acs-version:2016-01-02
/stacks? name=test_alert&status=COMPLETE

Add the signature string.
Add the calculated signature in the following format to the request header:

Authorization: acs AccessKeyId:Signature

HTTP headers

HTTP headers in a string-to-sign must contain the following parameters. Parameters must be arranged in alphabetical order. If a parameter has no value, set the value to \n.

Accept: the response type required by the client. Valid values: application/json and application/xml.
Content-MD5: the Base64-encoded 128-bit MD5 hash value of the request body.
Content-Type: the type of the HTTP request body defined in RFC 2616.
Date: the GMT time specified in HTTP 1.1. For example, Wed, 05 Sep. 2012 23:00:00 GMT.

Notice You do not need to specify your AccessKey pair in the HTTP header.

Sample original headers:

Accept: application/json
Content-MD5: ChDfdfwC+Tn874znq7Dw7Q==
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Date: Thu, 22 Feb 2018 07:46:12 GMT

Sample canonicalized headers:

application/json
ChDfdfwC+Tn874znq7Dw7Q==
application/x-www-form-urlencoded;charset=utf-8
Thu, 22 Feb 2018 07:46:12 GMT

Canonicalized headers of Alibaba Cloud (CanonicalizedHeaders)

Canonicalized headers are non-standard HTTP headers of Alibaba Cloud. The parameters are prefixed with x-acs- in a request. A request must contain the following parameters:

x-acs-signature-nonce: a unique, random number used to prevent replay attacks. You must use different random numbers for different requests.
x-acs-signature-version: the version of the signature encryption algorithm. Set the value to 1.0.
x-acs-version: the version number of the API. For more information, see the API documentation of each service.

To compose canonicalized headers of Alibaba Cloud, perform the following steps:

Convert the names of all HTTP request headers prefixed with x-acs- to lowercase letters. For example, convert X-acs-OSS-Meta-Name: TaoBao into x-acs-oss-meta-name: TaoBao.
Arrange all HTTP request headers that are obtained from the preceding step in alphabetical order.
Delete all spaces on each side of a delimiter between the request header and its content. For example, convert x-acs-oss-meta-name: TaoBao,Alipay into x-acs-oss-meta-name:TaoBao,Alipay.
Separate all headers and content with delimiters (\n) to form the final canonicalized headers.

Sample original headers:

x-acs-signature-nonce: 550e8400-e29b-41d4-a716-446655440000
x-acs-signature-method: HMAC-SHA1
x-acs-signature-version: 1.0
x-acs-version: 2016-01-02GMT

Sample canonicalized headers:

x-acs-signature-nonce:550e8400-e29b-41d4-a716-446655440000
x-acs-signature-method:HMAC-SHA1
x-acs-signature-version:1.0
x-acs-version:2016-01-02

Canonicalized resource (CanonicalizedResource)

CanonicalizedResource represents the specification description of the resource to be accessed. Arrange sub-resources along with query parameters in alphabetical order and separate them with ampersands (&) to generate a sub-resource string. The sub-resource string consists of all parameters that follow the question mark (?).

Sample original requests:

/stacks? status=COMPLETE&name=test_alert

Sample canonicalized requests:

/stacks? name=test_alert&status=COMPLETE

Body

Encrypt the request body by using the MD5 algorithm, encode the request body in Base64, and add the Base64-encoded string to the Content-MD5 parameter.