The RAM service authenticates the sender identity of each access request. Therefore, each request must contain signature information, regardless of whether the request is sent over HTTP or HTTPS.
- Compose and encode a string-to-sign.
- Create a canonicalized query string by arranging the request parameters (including
all common parameters and API-specific parameters except Signature) in alphabetical order.
Note If you use the GET method to send a request, the request parameters are included as a part of the request URL. The first parameter follows the question mark (
?) in the URL and the other parameters follow an ampersand (
- Encode the canonicalized query string in UTF-8. Follow these rules to encode the name
and value of each request parameter:
Note Most libraries that support URL encoding, such as
- Uppercase letters, lowercase letters, digits, and some special characters such as
-), underscores (
_), periods (
.), and tildes (
~) do not need to be encoded.
- Other characters must be percent encoded in
XYrepresents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (
") are encoded as
- Spaces must be encoded as
%20. Do not encode spaces as plus signs (
java.net.URLEncoderof Java, adopts the
application/x-www-form-urlencodedMIME encoding algorithm. To comply with the preceding encoding rules, you can apply the encoding algorithm and then replace plus signs (
+) in encoded strings with
%20, asterisks (
%7Ewith a tilde (
- Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (
- Connect each encoded parameter name and value with an equal sign (
- Concatenate the encoded parameters with ampersands (
- Create a canonicalized query string by arranging the request parameters (including all common parameters and API-specific parameters except Signature) in alphabetical order.
- Create a string-to-sign from the encoded canonicalized query string. The steps to
create a string-to-sign are as follows:
StringToSign= HTTPMethod + "&" + //HTTPMethod: the HTTP method used to make the request, such as GET. percentEncode("/") + "&" + //percentEncode("/"): Encodes backslashes (/) as %2F. percentEncode(CanonicalizedQueryString) //Encodes the canonicalized query string that was created in step 1.
- Calculate the HMAC value of the string-to-sign based on RFC 2104.
Note The SHA1 algorithm is used to calculate the HMAC value of the string-to-sign. The AccessKey secret and an ampersand (
&) are used as the key for the HMAC calculation. The ASCII code for the ampersand (&) is 38.
- Encode the HMAC value in Base64 to obtain the signature string.
- Add the signature string to the request as the
Signatureparameter.Note Before the signature string is added to the request as the Signature parameter, the string must be URL-encoded based on RFC 3986.
The section uses the CreateUser API operation as an example to introduce the signature method.
Before the request is signed, the request URL is as follows:
StringToSign is as follows:
If the AccessKey ID is testid and the AccessKey secret is testsecret, testsecret& is the key that is used to calculate the HMAC value of the string-to-sign.
The result signature string is
Then, the request URL after signing is as follows: