When you send HTTP requests to Alibaba Cloud, you sign the requests so that Alibaba Cloud can identify who sent them. You sign requests with your AccessKey, which consists of an AccessKey ID and AccessKey secret. You can apply for an AccessKey for your primary account and manage it on our official site.

Signature process

  1. Create a canonical request.

    1. Sort the parameter names by character code point in ascending order. The parameters to sort include the common request parameters and the parameters of the API to call.
      Note: Start with the HTTP request method GET, followed by a newline character.
    2. Then add the canonical URI parameter, followed by a newline character. The canonical URI is the URI-encoded version of the absolute path component of the URI, which is everything in the URI from the HTTP host to the question mark character (?) that begins the query string parameters (if any).
      • Do not URI-encode any of the unreserved characters that RFC 3986 defines: A-Z, a-z, 0-9, hyphen ( - ), underscore ( _ ), period ( . ), and tilde ( ~ ).
      • Percent-encode all other characters with %XY, where X and Y are hexadecimal characters (0-9 and uppercase A-F).
        Note: For example, the space character must be encoded as %20 (not using '+', as some encoding schemes do) and extended UTF-8 characters must be in the form %XY%ZA%BC.
    3. Build the canonical query string by starting with the first parameter name in the sorted list.
    4. For each parameter, append the URI-encoded parameter name, followed by the equals sign character (=), followed by the URI-encoded parameter value. Use empty strings for parameters that have no value.

      The following example shows the pseudocode to create a canonical request.

      StringToSign=
      HTTPMethod + "&" +
      percentEncode("/") + "&" +
      percentEncode(CanonicalizedQueryString)

    HTTPMethod: the method used to submit a request, such as GET.

    percentEncode("/"): the encoded value of the character "/" according to the URL encoding rules described before, that is, %2F.

    percentEncode(CanonicalizedQueryString): the encoded string of the Canonicalized Query String constructed in Step 1, produced by following the URL encoding rules described in 1.b.

  2. Calculate the HMAC value of the preceding string to sign (StringToSign), as defined in RFC 2104.
    Note: The key used for signature calculation is your AccessKey secret followed by the ampersand "&" (ASCII 38), and the hash algorithm is SHA1.
  3. According to Base64 encoding rules, encode the preceding HMAC value into a string. This gives you the signature value.
  4. Add the obtained signature value to the request parameters as the Signature parameter to sign the request.
    Note: Like the other parameters, the obtained signature value must be URL-encoded according to the RFC 3986 rules before it is submitted to the RAM server as the final request parameter value.

Example

Take CreateTrail as an example. The HTTP request without a signature is:

http://actiontrail.cn-hangzhou.aliyuncs.com/actiontrail?SignatureVersion=1.0
&OssBucketName=yuanch****
&Name=CreateTest
&Format=JSON
&Timestamp=2015-12-01T08%3A23%3****
&AccessKeyId=testid
&SignatureMethod=HMAC-SHA1
&Version=2015-09-28
&RoleName=aliyunactiontraildefaultrole
&Action=CreateTrail
&OssKeyPrefix=

StringToSign is:

GET&%2F&AccessKeyId%3Dtestid&Action%3DCreateTrail&Format%3DJSON&Name%3DCreateTest&OssBucketName%3Dyuanchuang&OssKeyPrefix%3D&RoleName%3Daliyunactiontraildefaultrole&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3Dce999197-9804-11e5-abfe-7831c1c8022e&SignatureVersion%3D1.0&Timestamp%3D2015-12-01T08%253A23%253A31Z&Version%3D2015-09-28

If the AccessKey ID is testid and the AccessKey secret is testsecret, the key used for HMAC calculation is testsecret&. The signature is:

vAeYfUeJUctqeqQGUkFITGnFAeo=

The HTTP request encoded with the signature is:

http://actiontrail.cn-hangzhou.aliyuncs.com/actiontrail?SignatureVersion=1.0
&OssBucketName=yuanch****
&Name=CreateTest
&Format=JSON
&Timestamp=2015-12-01T08%3A23%3****
&Signature=vAeYfUeJUctqeqQGUkFITGnFAe****
&AccessKeyId=testid
&SignatureMethod=HMAC-SHA1
&Version=2015-09-28
&RoleName=aliyunactiontraildefaultrole
&Action=CreateTrail
&SignatureNonce=ce999197-9804-11e5-abfe-7831c1c8****
&OssKeyPrefix=
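
The signature process and the CreateTrail example above, worked through in Python. This is an added example, not code from Alibaba Cloud: the function names and EXAMPLE_PARAMS are assumptions, and the parameter values are the ones visible in the StringToSign shown earlier. It follows the pseudocode literally, so the & separators inside CanonicalizedQueryString are themselves percent-encoded and appear as %26 in the string to sign.

```python
# Added example: helper names are illustrative, not an Alibaba Cloud SDK API.
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value: str) -> str:
    # RFC 3986: only A-Z a-z 0-9 - _ . ~ stay unescaped; space becomes %20, never '+'.
    return quote(value, safe="-_.~")


def canonicalized_query_string(params: dict) -> str:
    # Sort by parameter name (code point order); parameters without a value use "".
    pairs = sorted((k, "" if v is None else str(v)) for k, v in params.items())
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in pairs)


def string_to_sign(method: str, params: dict) -> str:
    # HTTPMethod + "&" + percentEncode("/") + "&" + percentEncode(CanonicalizedQueryString)
    return "&".join([method.upper(), percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])


def sign(method: str, params: dict, access_key_secret: str) -> str:
    # HMAC key is the AccessKey secret followed by "&"; hash is SHA1; output is Base64.
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def signed_query(method: str, params: dict, access_key_secret: str) -> str:
    # Add Signature as a parameter; it is URL-encoded like every other value.
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    signature = sign(method, unsigned, access_key_secret)
    return canonicalized_query_string(dict(unsigned, Signature=signature))


# Values as they appear in the StringToSign of the CreateTrail example on this page.
EXAMPLE_PARAMS = {
    "SignatureVersion": "1.0", "OssBucketName": "yuanchuang", "Name": "CreateTest",
    "Format": "JSON", "Timestamp": "2015-12-01T08:23:31Z", "AccessKeyId": "testid",
    "SignatureMethod": "HMAC-SHA1", "Version": "2015-09-28",
    "RoleName": "aliyunactiontraildefaultrole", "Action": "CreateTrail",
    "SignatureNonce": "ce999197-9804-11e5-abfe-7831c1c8022e", "OssKeyPrefix": "",
}

if __name__ == "__main__":
    print(string_to_sign("GET", EXAMPLE_PARAMS))
    print(signed_query("GET", EXAMPLE_PARAMS, "testsecret"))
```

Because the timestamp is encoded once in the query string and again when the whole string is encoded, its colons show up as %253A in the string to sign, as in the example above.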