All Products
Document Center

Signature mechanism

Last Updated: Jan 03, 2018

The STS service will perform identity authentication on each access request. Therefore, whether submitted through HTTP or HTTPS, a request must contain signature information. STS uses Access Key ID and Access Key Secret symmetric encryption to verify the identity of request senders. The Access Key ID and Access Key Secret are officially issued to visitors by Alibaba Cloud (visitors can apply for and manage them on the official Alibaba Cloud website). The Access Key ID indicates the identity of the visitor. The Access Key Secret is the secret key used to encrypt the signature string and to verify the signature string on the server. It must be kept strictly confidential and should only be known to Alibaba Cloud and authenticated visitors.

Request signing process

  1. Use request parameters to construct a canonicalized query string.

    a) Sort all request parameters (including “public request parameters” and user-defined parameters for the given request interfaces described in this document, excluding the Signature parameter mentioned in “public request parameters”) alphabetically by the parameter name.

    NOTE:If you use the “GET” method to submit requests, these parameters are included in the request URI (namely, the part after the question mark “?” following the ampersand “&” in the URI).

    b) Encoded the name and value of each request parameter. URL encoding using the UTF-8 character set is required. URL encoding rules are as follows:

    • Upper case letters from A to Z, lowercase letters from a to z, integers from 0 to 9, and other characters including the en dashes “-“, underlines “_”, periods”.”, and tildes “~” are not encoded.
    • Other characters are encoded in “%XY” format, with XY representing the characters’ ASCII code in hexadecimal notation. For example, double quotation marks (“) are encoded as “%22”.
    • It must be noted that the space ( ) is encoded as “%20”, rather than the plus sign “+”.

    NOTE: Generally, URL-encoded libraries (such as “” in Java) are encoded based on rules of the MIME type in the “application/x-www-form-urlencoded” format. You can use this encoding method directly by replacing the plus sign “+” in the encoded string with “%20”, the asterisk “*” with “%2A”, and change “%7E” back to the tilde “~” to conform to the encoding rules described above.

    c) Connect the encoded parameter names and values with the equal sign “=”.

    d) Connect the parameter name and value pairs connected by equal signs alphabetically by the parameter name with the ampersand “&” to produce the canonicalized query string.

  2. Follow the rules below to use the canonicalized query string to construct the string for signature calculation:

    1. StringToSign=
    2. HTTPMethod + “&” +
    3. percentEncode(“/”) + ”&” +
    4. percentEncode(CanonicalizedQueryString)

      Here, “HTTPMethod” is the HTTP method (such as “GET”) used for request submission.“percentEncode(“/“)” is the encoded value (namely, “%2F”) for the character “/“ according to the URL encoding rules described in 1.b.

      “percentEncode(CanonicalizedQueryString)” is the canonicalized query string encoded by following the URL encoding rules described in 1.b.

  3. Use the string for signature calculation to calculate the HMAC value of the signature based on RFC2104. NOTE: The key used for signature calculation is your access key secret adding the ampersand “&” (ASCII:38) and it is based on hash algorithm SHA1.

  4. Encode the HMAC value into a string based on Base64 encoding rules to obtain the signature value.

  5. Add the obtained signature value to request parameters as the “Signature” parameter to complete the request signing process.NOTE: The obtained signature value requires URL encoding based on the RFC3986 rule like other parameters before it is submitted to the STS server as the final request parameter value.


Take “AssumeRole” as an example, the request URL before signature is:

  2. ?SignatureVersion=1.0
  3. &Format=JSON
  4. &Timestamp=2015-09-01T05%3A57%3A34Z
  5. &RoleArn=acs%3Aram%3A%3A1234567890123%3Arole%2Ffirstrole
  6. &RoleSessionName=client
  7. &AccessKeyId=testid
  8. &SignatureMethod=HMAC-SHA1&Version=2015-04-01
  9. &Action=AssumeRole
  10. &SignatureNonce=571f8fb8-506e-11e5-8e12-b8e8563dc8d2

The corresponding “StringToSign” is:

  1. GET
  2. &%2F
  3. &AccessKeyId%3Dtestid
  4. %26Action%3DAssumeRole
  5. %26Format%3DJSON
  6. %26RoleArn%3Dacs%253Aram%253A%253A1234567890123%253Arole%252Ffirstrole
  7. %26RoleSessionName%3Dclient
  8. %26SignatureMethod%3DHMAC-SHA1
  9. %26SignatureNonce%3D571f8fb8-506e-11e5-8e12-b8e8563dc8d2
  10. %26SignatureVersion%3D1.0
  11. %26Timestamp%3D2015-09-01T05%253A57%253A34Z
  12. %26Version%3D2015-04-01

Assume that the “Access Key ID” parameter value is “testid”, the “Access Key Secret” parameter value is “testsecret”, the key used for HMAC calculation will be “testsecret&” and the calculated signature value will be:

  1. gNI7b0AyKZHxDgjBGPDgJ1Ce3L4=

The signed request URL is (with the “Signature” parameter added):

  2. ?SignatureVersion=1.0
  3. &Format=JSON
  4. &Timestamp=2015-09-01T05%3A57%3A34Z
  5. &RoleArn=acs%3Aram%3A%3A1234567890123%3Arole%2Ffirstrole
  6. &RoleSessionName=client
  7. &AccessKeyId=testid
  8. &SignatureMethod=HMAC-SHA1
  9. &Version=2015-04-01
  10. &Signature=gNI7b0AyKZHxDgjBGPDgJ1Ce3L4%3D
  11. &Action=AssumeRole
  12. &SignatureNonce=571f8fb8-506e-11e5-8e12-b8e8563dc8d2