Signature mechanism

Last Updated: Apr 11, 2017

Description

The Access Key ID and Access Key Secret are officially issued to you by Alibaba Cloud (you can apply for and manage them on the Alibaba Cloud website). The Access Key ID indicates your identity. The Access Key Secret is the key used to encrypt a signature string and to verify the signature string on the server side. You must keep it confidential.

The Container Service verifies every request it receives, so every request sent to the Container Service must carry signature information. The Container Service uses the Access Key ID and the Access Key Secret (a shared symmetric key) to verify the identity of the request sender: if the verification code it calculates matches the one provided in the request, the request is considered valid; if they differ, the Container Service rejects the request and returns HTTP 403.

You can add the Authorization header carrying signature information to the HTTP request, so as to indicate that the message has been authorized.

The Container Service requires that the signature be included in the HTTP header in the format Authorization: acs [Access Key Id]:[Signature]. The signature is calculated as follows (the HMAC is keyed with the Access Key Secret).

  Signature = base64(hmac-sha1(AccessKeySecret,
                VERB + "\n"
                + Accept + "\n"
                + Content-MD5 + "\n"
                + Content-Type + "\n"
                + Date + "\n"
                + CanonicalizedHeaders + "\n"
                + CanonicalizedResource))
  • VERB indicates the HTTP method (for example, PUT).
  • Accept indicates the return-value type required by the client, which can be application/json or application/xml.
  • Content-MD5 indicates the Base64-encoded MD5 digest of the request body.
  • Content-Type indicates the content type of the request.
  • Date indicates the operation time and must be present. At present, only the GMT format is supported. If the difference between the request time and the CAS server time exceeds 15 minutes, CAS considers the request invalid and returns HTTP 400 along with an error message and error code. (In the following example, the operation time is Wed, 16 Dec 2015 12:20:18 GMT.)
  • CanonicalizedHeaders indicates a combination of fields prefixed with x-acs- in the HTTP request. (For details, refer to “NOTE”.)
  • CanonicalizedResource indicates the uniform resource identifier (URI) of the resource in the HTTP request. (In the example, the URI is /clusters?name=my-clusters&resource=new.)

Note 1:

Process CanonicalizedHeaders (headers prefixed with x-acs-) in accordance with the following conventions before signature verification.

  1. Convert the names of all HTTP request headers prefixed with x-acs- to lowercase letters. For example, convert X-ACS-Meta-Name: TaoBao to x-acs-meta-name: TaoBao. The names of request headers are case-insensitive according to Alibaba Cloud specification. However, it is recommended that such names use only lowercase letters here.

  2. If the value section of a public request header is too long, replace the \t, \n, \r, and \f separators with spaces.

  3. Sort all HTTP request headers that are obtained from the preceding step and compliant with Alibaba Cloud specification in the lexicographically ascending order.

  4. Delete any space at either side of a separator between each request header and content. For example, convert x-acs-meta-name: TaoBao,Alipay to x-acs-meta-name:TaoBao,Alipay.

  5. Separate all headers and content with the \n separator to form the final CanonicalizedHeaders.

Note 2:

CanonicalizedResource format specification: CanonicalizedResource is the standard description of the resource to be accessed. Sort the sub-resources together with the query parameters (everything after ?) in lexicographically ascending order and join them with the & separator to form the sub-resource string. For example, for the request URL

  http://cs.aliyuncs.com/clusters?name=my-clusters&resource=new

the CanonicalizedResource should be:

  /clusters?name=my-clusters&resource=new

Signature example

Overview

The following example shows the signature process.

In the example, the Access Key ID and Access Key Secret are access_key_id and access_key_secret respectively. It is recommended that you use your own OpenAPI client to calculate the signature string for the following example and then compare your result with the one shown.

The request example is as follows.

  POST http://cs.aliyuncs.com/clusters?param1=value1&param2=value2 HTTP/1.1
  Accept-Encoding: identity
  Content-Length: 210
  Content-MD5: 6U4ALMkKSj0PYbeQSHqgmA==
  x-acs-version: 2015-12-15
  Accept: application/json
  User-Agent: cs-sdk-python/0.0.1 (Darwin/15.2.0/x86_64;2.7.10)
  x-acs-signature-nonce: fbf6909a-93a5-45d3-8b1c-3e03a7916799
  x-acs-signature-version: 1.0
  Date: Wed, 16 Dec 2015 12:20:18 GMT
  x-acs-signature-method: HMAC-SHA1
  Content-Type: application/json;charset=utf-8
  X-Acs-Region-Id: cn-beijing
  Authorization: acs access_key_id:/uA9QF5CHrr1FK3siBA4xLMTWE0=
  {"password": "Just$test","instance_type": "ecs.m2.medium","name": "my-test-cluster-97082734","size": 1,"network_mode": "classic","data_disk_category": "cloud","data_disk_size": 10,"ecs_image_id": "m-253llee3l"}

Request construction process

Calculate Content-Length and Content-MD5

Content-Length: length of the body content (there is no space or line feed at the beginning of the body)

  body: {"password": "Just$test","instance_type": "ecs.m2.medium","name": "my-test-cluster-97082734","size": 1,"network_mode": "classic","data_disk_category": "cloud","data_disk_size": 10,"ecs_image_id": "m-253llee3l"}
  Content-Length: 210

Content-MD5: MD5 calculation process

  body: {"password": "Just$test","instance_type": "ecs.m2.medium","name": "my-test-cluster-97082734","size": 1,"network_mode": "classic","data_disk_category": "cloud","data_disk_size": 10,"ecs_image_id": "m-253llee3l"}
  # Calculate the MD5 digest of the body (shown here as hexadecimal text).
  md5(body): e94e002cc90a4a3d0f61b790487aa098
  # Work with the 16 raw digest bytes: every pair of hexadecimal digits is one byte.
  # For example, e9 is 233 as an unsigned byte, or 11111111111111111111111111101001 -> -23 when read as a signed byte.
  bytes(md5(body)): {[-23], [78], [0], [44], [-55], [10], [74], [61], [15], [97], [-73], [-112], [72], [122], [-96], [-104]}
  # Base64-encode the raw byte array (not the hexadecimal text).
  base64(bytes(md5(body))): 6U4ALMkKSj0PYbeQSHqgmA==
  Content-MD5: 6U4ALMkKSj0PYbeQSHqgmA==

Process CanonicalizedHeaders

  # List all headers prefixed with 'x-acs-'.
  x-acs-version: 2015-12-15
  x-acs-signature-nonce: fbf6909a-93a5-45d3-8b1c-3e03a7916799
  x-acs-signature-version: 1.0
  x-acs-signature-method: HMAC-SHA1
  X-Acs-Region-Id: cn-beijing
  # Convert the header names to lowercase letters, delete the spaces at the beginning and end of each line, and sort the headers in lexicographically ascending order. Delete any space on either side of the separator between each header name and its value.
  # NOTE: There must be no line feed after the last line.
  x-acs-region-id:cn-beijing
  x-acs-signature-method:HMAC-SHA1
  x-acs-signature-nonce:fbf6909a-93a5-45d3-8b1c-3e03a7916799
  x-acs-signature-version:1.0
  x-acs-version:2015-12-15

Calculate CanonicalizedResource

In the example, the length of CanonicalizedResource should be 27. An \n line feed is located at the end of the first line.

  /clusters?param1=value1&param2=value2

Assemble the signature string

Assemble SignatureString. In the example, the length of the signature string is 307. An \n line feed is located at the end of all lines except the last line.

  POST
  application/json
  6U4ALMkKSj0PYbeQSHqgmA==
  application/json;charset=utf-8
  Wed, 16 Dec 2015 12:20:18 GMT
  x-acs-region-id:cn-beijing
  x-acs-signature-method:HMAC-SHA1
  x-acs-signature-nonce:fbf6909a-93a5-45d3-8b1c-3e03a7916799
  x-acs-signature-version:1.0
  x-acs-version:2015-12-15
  /clusters?param1=value1&param2=value2

Calculate Signature

  # Compute HMAC-SHA1 over the signature string, keyed with the Access Key Secret (access_key_secret in this example). The digest is shown here as hexadecimal text.
  hmac-sha1(SignatureString): fee03d405e421ebaf514adec881038c4b313584d
  # Treat the digest as a 20-byte array, exactly as in the Content-MD5 calculation: every pair of hexadecimal digits is one byte.
  # Base64-encode those raw bytes to get the final signature string. Do not Base64-encode the 40-character hexadecimal text itself: that would give ZmVlMDNkNDA1ZTQyMWViYWY1MTRhZGVjODgxMDM4YzRiMzEzNTg0ZA==, which does not match the Authorization header in this example.
  base64(bytes(hmac-sha1(SignatureString))): /uA9QF5CHrr1FK3siBA4xLMTWE0=
  Signature: /uA9QF5CHrr1FK3siBA4xLMTWE0=

Finish

After the above processing, add other header information to construct the final HTTP request.

  POST http://cs.aliyuncs.com/clusters?param1=value1&param2=value2 HTTP/1.1
  Accept-Encoding: identity
  Content-Length: 210
  Content-MD5: 6U4ALMkKSj0PYbeQSHqgmA==
  x-acs-version: 2015-12-15
  Accept: application/json
  User-Agent: cs-sdk-python/0.0.1 (Darwin/15.2.0/x86_64;2.7.10)
  x-acs-signature-nonce: fbf6909a-93a5-45d3-8b1c-3e03a7916799
  x-acs-signature-version: 1.0
  Date: Wed, 16 Dec 2015 12:20:18 GMT
  x-acs-signature-method: HMAC-SHA1
  Content-Type: application/json;charset=utf-8
  X-Acs-Region-Id: cn-beijing
  Authorization: acs access_key_id:/uA9QF5CHrr1FK3siBA4xLMTWE0=
  {"password": "Just$test","instance_type": "ecs.m2.medium","name": "my-test-cluster-97082734","size": 1,"network_mode": "classic","data_disk_category": "cloud","data_disk_size": 10,"ecs_image_id": "m-253llee3l"}
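The whole signing flow (Note 1, Note 2, Content-MD5, the signature string and the Base64 of the raw HMAC bytes) plus the matching server-side check, as an added Python example that is not Alibaba Cloud's SDK code: the request values are the ones from the worked example above, and verify() is an assumed sketch of the server's 15-minute Date window and constant-time signature comparison, not the service's actual implementation.

```python
import base64
import hashlib
import hmac
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime
SEPARATORS = str.maketrans("\t\n\r\f", "    ")  # Note 1, step 2: these separators become spaces

def b64(raw):
    return base64.b64encode(raw).decode("ascii")  # Base64 of raw bytes, never of hexadecimal text

def canonicalized_headers(headers):
    """Note 1: keep x-acs-* only, lowercase the name, replace separators, trim, sort, join with \\n."""
    items = []
    for name, value in headers.items():
        lname = name.strip().lower()
        if lname.startswith("x-acs-"):  # Accept, User-Agent etc. are not part of CanonicalizedHeaders
            items.append(f"{lname}:{value.translate(SEPARATORS).strip()}")
    return "\n".join(sorted(items))

def canonicalized_resource(path, query=""):
    """Note 2: the path plus the query parameters sorted lexicographically and joined with &."""
    return path if not query else path + "?" + "&".join(sorted(query.split("&")))

def signature_string(verb, accept, body, ctype, date, headers, resource):
    cmd5 = b64(hashlib.md5(body).digest())  # Content-MD5 is Base64 of the 16 raw digest bytes
    return "\n".join([verb, accept, cmd5, ctype, date, canonicalized_headers(headers), resource])

def sign(secret, sig_string):
    # HMAC-SHA1 keyed with the Access Key Secret; digest() yields the 20 raw bytes that get Base64-encoded
    return b64(hmac.new(secret.encode(), sig_string.encode(), hashlib.sha1).digest())

def parse_http_date(value):
    dt = parsedate_to_datetime(value)  # GMT format, as the Date header requires
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def verify(secret, presented_sig, sig_string, date_header, now, skew=timedelta(minutes=15)):
    """Assumed server side: 400 if Date is outside the 15-minute window, 403 if the signature differs, else 200."""
    if abs(now - parse_http_date(date_header)) > skew:
        return 400
    if not hmac.compare_digest(sign(secret, sig_string), presented_sig):  # constant-time comparison
        return 403
    return 200

# Values from the page's worked example (access_key_id / access_key_secret are the page's placeholders).
BODY = b'{"password": "Just$test","instance_type": "ecs.m2.medium","name": "my-test-cluster-97082734","size": 1,"network_mode": "classic","data_disk_category": "cloud","data_disk_size": 10,"ecs_image_id": "m-253llee3l"}'
HEADERS = {"Accept": "application/json", "x-acs-version": "2015-12-15", "x-acs-signature-method": "HMAC-SHA1",
           "x-acs-signature-nonce": "fbf6909a-93a5-45d3-8b1c-3e03a7916799", "x-acs-signature-version": "1.0", "X-Acs-Region-Id": "cn-beijing"}
DATE = "Wed, 16 Dec 2015 12:20:18 GMT"
SIG_STRING = signature_string("POST", "application/json", BODY, "application/json;charset=utf-8", DATE, HEADERS, canonicalized_resource("/clusters", "param1=value1&param2=value2"))
AUTHORIZATION = f"acs access_key_id:{sign('access_key_secret', SIG_STRING)}"
```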