The STS service authenticates the sender identity of each access request. Therefore, each request must contain signature information, regardless of whether the request is sent over HTTP or HTTPS.

Background information

STS uses a symmetric secret, the AccessKey pair, to verify the identity of the request sender. An AccessKey pair is an identity credential issued to Alibaba Cloud accounts and RAM users. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID identifies the user, and the AccessKey secret is used to compute and verify the signature string. You must keep your AccessKey secret strictly confidential.


  1. Compose and encode a string-to-sign.
    1. Create a canonicalized query string by arranging the request parameters (including all common and API-specific parameters except Signature) in alphabetical order.
      Note If you use the GET method to send a request, the request parameters are included as a part of the request URL. The first parameter follows the question mark (?) in the URL and other parameters follow an ampersand (&).
    2. Encode the canonicalized query string in UTF-8. Follow these encoding rules to encode the name and value of each request parameter:
      • Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
      • Other characters must be percent encoded in %XY format, where XY is the hexadecimal value of each byte of the character's UTF-8 encoding. For example, double quotation marks (") are encoded as %22.
      • Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
      Note Most libraries that support URL encoding, such as those of Java, adopt the application/x-www-form-urlencoded MIME encoding algorithm. To comply with the preceding encoding rules, you can apply the encoding algorithm and then replace plus signs (+) in encoded strings with %2B, asterisks (*) with %2A, and %7E with a tilde (~).
    3. Connect each encoded parameter name and value with an equal sign (=).
    4. Concatenate the encoded parameters with ampersands (&).
      Note For more information about the sequence of parameters, see Step 1.
  2. Create a string-to-sign from the encoded canonicalized query string. The steps to create a string-to-sign are as follows:
    HTTPMethod + "&" + // HTTPMethod: the HTTP method used to make the request, such as GET.
    percentEncode("/") + "&" + // percentEncode("/"): encodes the forward slash (/) as %2F.
    percentEncode(CanonicalizedQueryString) // Encodes the canonicalized query string created in Step 1.
  3. Calculate the HMAC value of the string-to-sign based on RFC 2104.
    Note The SHA1 algorithm is used to calculate the HMAC value of the string-to-sign. The AccessKey secret and an ampersand (&) are used as the key for the HMAC calculation. The ASCII code for the ampersand (&) is 38.
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the signature string to the request as the Signature parameter.
    Note The signature string must be URL encoded based on RFC 3986.
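The whole procedure above carried through in Python, as an added example that is not Alibaba Cloud's own SDK code: percent encoding with the rules from Step 1, the canonicalized query string, the string-to-sign, HMAC-SHA1 keyed with the AccessKey secret plus an ampersand, and the Base64 signature appended as a URL-encoded Signature parameter. The request parameters are constructed sample values, and the verify() helper is an assumption about how a receiver recomputes and compares the signature, not something the page describes.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def percent_encode(value) -> str:
    """Step 1 rules: keep A-Z a-z 0-9 - _ . ~, encode everything else as %XY, space as %20 (never '+')."""
    # quote() works on the UTF-8 bytes of the string and emits upper-case %XY escapes
    return quote(str(value), safe="-_.~")

def canonicalized_query_string(params: dict) -> str:
    """Sort parameters by name (Signature excluded), encode name and value, join with = and &."""
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in items)

def string_to_sign(http_method: str, params: dict) -> str:
    """Step 2: HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)."""
    return (http_method + "&" + percent_encode("/") + "&"
            + percent_encode(canonicalized_query_string(params)))

def sign(http_method: str, params: dict, access_key_secret: str) -> str:
    """Steps 3-4: HMAC-SHA1 keyed with AccessKeySecret + '&', then Base64."""
    key = (access_key_secret + "&").encode("utf-8")
    msg = string_to_sign(http_method, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")

def signed_query(http_method: str, params: dict, access_key_secret: str) -> str:
    """Step 5: query string for the URL, with the signature itself URL encoded (RFC 3986)."""
    sig = sign(http_method, params, access_key_secret)
    return canonicalized_query_string(params) + "&Signature=" + percent_encode(sig)

def verify(http_method: str, params: dict, access_key_secret: str) -> bool:
    """Receiver side (assumed): recompute over everything except Signature, compare in constant time."""
    presented = params.get("Signature", "")
    return hmac.compare_digest(presented, sign(http_method, params, access_key_secret))

# Constructed sample request; the account id and role are placeholders, not real identifiers
SAMPLE_PARAMS = {
    "Action": "AssumeRole",
    "RoleArn": "acs:ram::EXAMPLE_ACCOUNT_ID:role/example-role",
    "RoleSessionName": "demo session",   # the space must become %20, not '+'
    "Format": "JSON",
    "AccessKeyId": "testid",
    "SignatureMethod": "HMAC-SHA1",
    "SignatureVersion": "1.0",
    "SignatureNonce": "constructed-nonce-0001",
    "Timestamp": "2024-01-01T00:00:00Z",
}
```

Because the page does not show the example request URL, the sample here cannot reproduce the gNI7b0AyKZHxDgjBGPDgJ1Ce3L4= signature quoted below; signed_query("GET", SAMPLE_PARAMS, "testsecret") yields the query string for the constructed request instead.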


This section uses the AssumeRole API operation as an example to introduce the signature method.

Before the request is signed, the request URL is as follows:

The corresponding StringToSign is as follows:


If the AccessKey ID is testid and the AccessKey secret is testsecret, testsecret& is the key used to calculate the HMAC value of the string-to-sign.

The resulting signature string is gNI7b0AyKZHxDgjBGPDgJ1Ce3L4=.

Then, the request URL after signing is as follows: