The RAM service authenticates the sender identity of each access request. Therefore, each request must contain signature information, regardless of whether the request is sent over HTTP or HTTPS.

Background information

RAM uses a symmetric-key signature scheme (HMAC) based on an AccessKey pair to verify the identity of the request sender. An AccessKey pair is an identity credential issued to Alibaba Cloud accounts and RAM users. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID identifies the user, and the AccessKey secret is the key used to compute and verify the signature string. You must keep your AccessKey secret strictly confidential.

Procedure

  1. Compose and encode a string-to-sign.
    1. Create a canonicalized query string by arranging the request parameters (including all common parameters and API-specific parameters except Signature) in alphabetical order.
      Note If you use the GET method to send a request, the request parameters are included as part of the request URL. The first parameter follows the question mark (?) in the URL, and subsequent parameters are separated by ampersands (&).
    2. Encode the canonicalized query string in UTF-8. Follow these rules to encode the name and value of each request parameter:
      • Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
      • Other characters must be percent encoded in %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      • Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
      Note Most libraries that support URL encoding, such as java.net.URLEncoder in Java, adopt the application/x-www-form-urlencoded MIME encoding algorithm. To comply with the preceding encoding rules, you can apply that encoding algorithm and then replace plus signs (+) in the encoded string with %20, asterisks (*) with %2A, and %7E with a tilde (~).
    3. Connect each encoded parameter name and value with an equal sign (=).
    4. Concatenate the encoded parameters with ampersands (&).
      Note For more information about the sequence of parameters, see step 1.
  2. Create a string-to-sign from the encoded canonicalized query string. The steps to create a string-to-sign are as follows:
    StringToSign=
    HTTPMethod + "&" + //HTTPMethod: the HTTP method used to make the request, such as GET.
    percentEncode("/") + "&" + //percentEncode("/"): encodes the forward slash (/) as %2F.
    percentEncode(CanonicalizedQueryString) //Encodes the canonicalized query string that was created in step 1.
  3. Calculate the HMAC value of the string-to-sign based on RFC 2104.
    Note The SHA1 algorithm is used to calculate the HMAC value of the string-to-sign. The AccessKey secret and an ampersand (&) are used as the key for the HMAC calculation. The ASCII code for the ampersand (&) is 38.
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the signature string to the request as the Signature parameter.
    Note Before the signature string is added to the request as the Signature parameter, the string must be URL-encoded based on RFC 3986.
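The following Python script is an added example and is not Alibaba Cloud SDK code: it implements steps 1 to 5 above (percent encoding with the rules from step 1, the string-to-sign, HMAC-SHA1 keyed with the AccessKey secret plus "&", and Base64) and also shows the server-side check, which recomputes the signature from the received request and compares it in constant time. The function names (percent_encode, string_to_sign, sign, signed_url, verify) are this example's own; the parameter values are the ones used in the CreateUser example on this page.

```python
import base64
import hashlib
import hmac
import string
from urllib.parse import parse_qsl, urlsplit

# Characters that stay as-is under the encoding rules in step 1; everything
# else becomes %XY on the UTF-8 bytes. Spaces become %20, not "+".
UNRESERVED = set(string.ascii_letters + string.digits + "-_.~")


def percent_encode(value: str) -> str:
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in UNRESERVED else "%%%02X" % byte)
    return "".join(out)


def canonicalized_query_string(params: dict) -> str:
    # Sort by parameter name (byte order), drop Signature, encode name and value,
    # join with "=" and "&".
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in items)


def string_to_sign(method: str, params: dict) -> str:
    return (method.upper() + "&" + percent_encode("/") + "&"
            + percent_encode(canonicalized_query_string(params)))


def sign(method: str, params: dict, access_key_secret: str) -> str:
    # HMAC-SHA1 keyed with the secret followed by "&" (ASCII 38), then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    digest = hmac.new(key, string_to_sign(method, params).encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_url(base_url: str, method: str, params: dict, secret: str) -> str:
    # The Signature parameter is itself percent-encoded when placed in the URL.
    query = [(k, v) for k, v in params.items()] + [("Signature", sign(method, params, secret))]
    return base_url + "?" + "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in query)


def verify(method: str, url: str, secret: str) -> bool:
    # Server side: recompute over every parameter except Signature and compare
    # in constant time, so a tampered parameter or a wrong key is rejected.
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("Signature", None)
    if presented is None:
        return False
    expected = sign(method, params, secret)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


# Request parameters of the CreateUser example on this page (decoded values).
EXAMPLE_PARAMS = {
    "UserName": "test",
    "SignatureVersion": "1.0",
    "Format": "JSON",
    "Timestamp": "2015-08-18T03:15:45Z",
    "AccessKeyId": "testid",
    "SignatureMethod": "HMAC-SHA1",
    "Version": "2015-05-01",
    "Action": "CreateUser",
    "SignatureNonce": "6a6e0ca6-4557-11e5-86a2-b8e8563dc8d2",
}
EXAMPLE_SECRET = "testsecret"

if __name__ == "__main__":
    print("StringToSign:", string_to_sign("GET", EXAMPLE_PARAMS))
    print("Signature:   ", sign("GET", EXAMPLE_PARAMS, EXAMPLE_SECRET))
    url = signed_url("https://ram.aliyuncs.com/", "GET", EXAMPLE_PARAMS, EXAMPLE_SECRET)
    print("Signed URL:  ", url)
    print("Verifies:    ", verify("GET", url, EXAMPLE_SECRET))
    print("Tampered:    ", verify("GET", url.replace("UserName=test", "UserName=other"), EXAMPLE_SECRET))
```

The string-to-sign printed for these parameters is exactly the one shown under Result below, and the signed URL verifies with the correct secret while a request with a modified UserName or a different secret is rejected. Note that `verify` parses the query with `parse_qsl`, which decodes the percent-encoded values before the canonical string is rebuilt; signing and verification must agree on the decoded parameter values, not on any particular encoding of the incoming URL.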

Result

This section uses the CreateUser API operation as an example to illustrate the signature method.

Before the request is signed, the request URL is as follows:

https://ram.aliyuncs.com/?UserName=test&SignatureVersion=1.0&Format=JSON&Timestamp=2015-08-18T03%3A15%3A45Z&AccessKeyId=testid&SignatureMethod=HMAC-SHA1&Version=2015-05-01&Action=CreateUser&SignatureNonce=6a6e0ca6-4557-11e5-86a2-b8e8563dc8d2

The corresponding StringToSign is as follows:

GET&%2F&AccessKeyId%3Dtestid%26Action%3DCreateUser%26Format%3DJSON%26SignatureMethod%3DHMAC-SHA1%26SignatureNonce%3D6a6e0ca6-4557-11e5-86a2-b8e8563dc8d2%26SignatureVersion%3D1.0%26Timestamp%3D2015-08-18T03%253A15%253A45Z%26UserName%3Dtest%26Version%3D2015-05-01

If the AccessKey ID is testid and the AccessKey secret is testsecret, testsecret& is the key used to calculate the HMAC value of the string-to-sign.

The resulting signature string, after URL encoding, is kRA2cnpJVacIhDMzXnoNZG9tDCI%3D.

Then, the request URL after signing is as follows:

https://ram.aliyuncs.com/?UserName=test&SignatureVersion=1.0&Format=JSON&Timestamp=2015-08-18T03%3A15%3A45Z&AccessKeyId=testid&SignatureMethod=HMAC-SHA1&Version=2015-05-01&Signature=kRA2cnpJVacIhDMzXnoNZG9tDCI%3D&Action=CreateUser&SignatureNonce=6a6e0ca6-4557-11e5-86a2-b8e8563dc8d2