The STS service authenticates the sender identity of each access request. Therefore, each request must contain signature information, regardless of whether the request is sent over HTTP or HTTPS.
- Compose and encode a string-to-sign.
  - Create a canonicalized query string by arranging the request parameters (including all Common parameters and API-specific parameters except Signature) in alphabetical order.
    Note: If you use the GET method to send a request, the request parameters are included as a part of the request URL. The first parameter follows the question mark (?) in the URL and the other parameters follow an ampersand (&).
  - Encode the canonicalized query string in UTF-8. Follow these encoding rules to encode the name and value of each request parameter:
    - Uppercase letters, lowercase letters, digits, and some special characters such as ampersands (&), hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
    - Other characters must be percent encoded in %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
    - Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
    Note: Generally, libraries that support URL encoding, such as Java java.net.URLEncoder, encode characters according to the rules for the application/x-www-form-urlencoded MIME type. If this encoding method is used, replace the plus signs (+) in the encoded strings with %20, the asterisks (*) with %2A, and %7E with a tilde (~) to comply with the preceding encoding rules.
  - Connect each encoded parameter name and value with an equal sign (=).
  - Concatenate the encoded parameters with ampersands (&).
    Note: For more information about the sequence of parameters, see Step 1.
- Create a string-to-sign from the encoded canonicalized query string. The steps to create a string-to-sign are as follows:
    StringToSign =
        HTTPMethod + "&" +                        // HTTPMethod: HTTP method used to make the request, such as GET.
        percentEncode("/") + "&" +                // percentEncode("/"): encode the forward slash (/) as %2F.
        percentEncode(CanonicalizedQueryString)   // Encode the canonicalized query string created in Step 1.
- Calculate the HMAC value of the string-to-sign according to RFC 2104.
  Note: Use the SHA1 algorithm to calculate the HMAC value of the StringToSign. The key for the HMAC calculation is the AccessKey secret followed by an ampersand (&). The ASCII code for the ampersand (&) is 38.
- Encode the HMAC value in Base64 to obtain the signature string.
- Add the signature string to the request as the Signature parameter.
  Note: Before the signature string is added to the request as the Signature parameter, the string must be URL-encoded according to RFC 3986.
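The signing steps above as an added Python example (not code from the original page or from the STS service): it builds the canonicalized query string, the string-to-sign and the HMAC-SHA1 signature, and adds a receiver-side check that recomputes and compares the signature. The helper names, the parameter names other than Signature, and all values except testid and testsecret are constructed for illustration; the encoder assumes the RFC 3986 unreserved set is the only group of characters left unencoded.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def percent_encode(value):
    # UTF-8 percent-encoding. Assumption: only the RFC 3986 unreserved set
    # (letters, digits, - _ . ~) stays literal; space -> %20, * -> %2A.
    return quote(str(value), safe="-_.~")

def canonicalized_query_string(params):
    # Every parameter except Signature, sorted by name (code point order),
    # each name and value encoded, joined as name=value pairs with "&".
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in items)

def string_to_sign(method, params):
    # HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)
    return "&".join([method.upper(), percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])

def sign(method, params, access_key_secret):
    # HMAC-SHA1 (RFC 2104) keyed with the AccessKey secret followed by "&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_query(method, params, access_key_secret):
    # The signature is itself URL-encoded before it is appended as Signature.
    signature = sign(method, params, access_key_secret)
    return canonicalized_query_string(params) + "&Signature=" + percent_encode(signature)

def verify(method, params, access_key_secret):
    # Receiving side: recompute over everything except Signature and compare
    # in constant time, so a changed parameter or a wrong key is rejected.
    expected = sign(method, params, access_key_secret).encode("ascii")
    return hmac.compare_digest(expected, str(params.get("Signature", "")).encode("utf-8"))

# Constructed sample request; only testid/testsecret come from the page.
SAMPLE = {
    "Action": "AssumeRole", "AccessKeyId": "testid",
    "Timestamp": "2024-01-01T00:00:00Z", "SignatureNonce": "constructed-nonce-1",
    "RoleSessionName": "demo session*1",
}

if __name__ == "__main__":
    print(string_to_sign("GET", SAMPLE))
    print(signed_query("GET", SAMPLE, "testsecret"))
```

Because the string-to-sign covers every parameter, changing any name or value after signing makes `verify` return False.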
The AssumeRole API operation is used as an example to introduce the signature method.
In this example, the request URL before the request is signed is as follows:
StringToSign is as follows:
If the AccessKey ID is testid and the AccessKey secret is testsecret, testsecret& is the key used for calculating the HMAC value of the string-to-sign.
The result signature string is
In this example, the request URL after the request is signed is as follows: