ApsaraDB for ClickHouse performs identity verification on each access request. Therefore, all HTTP and HTTPS requests must contain signature information.

ApsaraDB for ClickHouse implements symmetric encryption by using an AccessKey pair to verify the identity of the request sender. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. AccessKey pairs are issued by Alibaba Cloud. You can visit the Alibaba Cloud International site (alibabacloud.com) to apply for and manage an AccessKey pair. The AccessKey ID is used to verify the identity of the user, whereas the AccessKey secret is used to encrypt and verify the signature string. You must keep your AccessKey secret strictly confidential.

To sign a request, perform the following steps:

  1. Create a canonicalized query string by using request parameters.
    1. Arrange the request parameters (including all common and operation-specific parameters except Signature) in alphabetical order.
      Note If you use the GET method to send a request, the request parameters are included in the request URL. The request parameters in the URL are placed after a question mark (?) and separated by ampersands (&).
    2. Encode the name and value of each request parameter. The parameter names and values must be URL-encoded in UTF-8 based on the following encoding rules:
      • Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
      • Other characters must be percent encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      • Extended UTF-8 characters are encoded in the %XY%ZA...format.
      • Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
        Note Most libraries that support URL encoding, such as java.net.URLEncoder, comply with the Multipurpose Internet Mail Extensions (MIME) encoding rules of "application/x-www-form-urlencoded". If this encoding method is used, replace the plus signs (+) in the encoded strings with %20, the asterisks (*) with %2A, and %7E with a tilde (~) to conform to the encoding rules.
    3. Connect the encoded parameter names and values by using equal signs (=).
    4. Sort the key-value pairs connected by equal signs (=) in alphabetical order and separate them with ampersands (&) to obtain the canonicalized query string.
  2. Create a string-to-sign from the encoded canonicalized query string based on the following rules:
    StringToSign= HTTPMethod + "&" + percentEncode("/") + "&" + percentEncode(CanonicalizedQueryString)                 


    • HTTPMethod: the HTTP method used to send a request, such as GET.
    • percentEncode("/"): the encoded value of a forward slash (/) based on the URL encoding rules described in Step 1.ii. The encoded value is %2F.
    • percentEncode(CanonicalizedQueryString): the string encoded by using the canonicalized query string created in Step 1. The encoding follows the URL encoding rules described in Step 1.ii.
  3. Calculate the HMAC value of the string-to-sign as defined in RFC 2104.
    Note The key used for signature calculation is the combination of your AccessKey secret and an ampersand (&) (ASCII 38). Secure Hash Algorithm 1 (SHA1) is used as the hash algorithm.
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the signature string to the request as the Signature parameter.
    Note The obtained signature string must be URL-encoded as defined by RFC 3986 like other parameters before it can be submitted to the Domain Name Service (DNS) server as the final request parameter value.
    The following URL is the request URL without a signature for the DescribeDBClusters operation:

    The following string is the string-to-sign:


    Assume that the AccessKey ID is testid and the AccessKey secret is testsecret. Then, the key used to calculate the HMAC value of the signature is testsecret&. The calculated signature string is uRpHwaSEt3J+6KQD//svCh/x+pI=.

    The following URL is the signed request URL after the signature string is added to the request as the Signature parameter: