Database Autonomy Service (DAS) verifies the identity of each request sender. An API request must contain signature information regardless of whether the request is sent over HTTP or HTTPS.
Background information
Sign a request
To sign a request, perform the following steps:
1. Use the request parameters to create a canonicalized query string.
   i. Arrange the request parameters, including all common request parameters and operation-specific parameters except Signature, in alphabetical order.
      Notice: If you use the GET method to send a request, the request parameters are included in the request URL. The request parameters are placed after a question mark (?) in the URL and are separated with ampersands (&).
   ii. Encode the name and value of each request parameter. Encode the names and values of all parameters in UTF-8 based on the following rules:
      - Uppercase letters, lowercase letters, digits, and some special characters such as ampersands (&), hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
      - Other characters must be percent encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      - Extended UTF-8 characters are encoded in the %XY%ZA… format.
      - Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
      Notice: Most libraries that support URL encoding, such as java.net.URLEncoder, are created based on the encoding rules of application/x-www-form-urlencoded. application/x-www-form-urlencoded is a subtype of Multipurpose Internet Mail Extensions (MIME). If you use java.net.URLEncoder, replace the plus signs (+) in the encoded string with %20, the asterisks (*) with %2A, and %7E with a tilde (~). This way, you can obtain an encoded string that is created based on the preceding encoding rules.
   iii. Connect the encoded name and value of each parameter with an equal sign (=).
   iv. Arrange the encoded parameters in alphabetical order based on the first letter of the name of each parameter and connect the parameters with ampersands (&) to create a canonicalized query string.
2. Use the canonicalized query string to create a string-to-sign based on the following rules:
      StringToSign = HTTPMethod + "&" + percentEncode("/") + "&" + percentEncode(CanonicalizedQueryString)
   Parameter description:
   - HTTPMethod: specifies the HTTP method that is used to send a request, such as GET.
   - percentEncode("/"): encodes the forward slashes (/) based on the URL encoding rules described in Step 1.ii. The encoded value of a forward slash (/) is %2F.
   - percentEncode(CanonicalizedQueryString): encodes the canonicalized query string that is created in Step 1 based on the URL encoding rules described in Step 1.ii.
3. Calculate the hash-based message authentication code (HMAC) value of the string-to-sign based on the HMAC algorithm that is described in RFC 2104.
   Notice: Use the Secure Hash Algorithm 1 (SHA-1) algorithm to calculate the HMAC value of the string-to-sign. Add an ampersand (&) to the end of your AccessKey secret and then use the result string as the secret key to calculate the HMAC value. The ASCII value of an ampersand (&) is 38.
4. Encode the HMAC value in Base64 to obtain the signature string.
5. Add the signature string to the request as the value of the Signature parameter.
   Note: Before you add the signature string to the request, encode the signature string based on the rules of RFC 3986.
In this example, the DescribeDBInstances operation is called. The following code is a request URL that does not contain the Signature parameter:
http://das.cn-shanghai.aliyuncs.com/?Timestamp=2013-06-01T10:33:56Z&Format=XML&AccessKeyId=testid&Action=DescribeDBInstances&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&Version=2014-08-15&SignatureVersion=1.0
In this example, the AccessKey ID is testid and the AccessKey secret is testsecret. The secret key that is used to calculate the HMAC value of the string-to-sign is testsecret&. The string-to-sign is:
GET&%2F&AccessKeyId%3Dtestid&Action%3DDescribeDBInstances&Format%3DXML&RegionId%3Dregion1&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3DNwDAxvLU6tFE0DVb&SignatureVersion%3D1.0&Timestamp%3D2013-06-01T10%253A33%253A56Z&Version%3D2014-08-15
The calculated signature string is:
cNr+cHw3awqsBaWs6J6hcGvnfJE=
The following URL is the signed request URL after the Signature parameter is added:
http://das.cn-shanghai.aliyuncs.com/?Timestamp=2013-06-01T10%3A33%3A56Z&Format=XML&AccessKeyId=testid&Action=DescribeDBInstances&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&SignatureVersion=1.0&Version=2014-08-15&Signature=cNr%2bcHw3awqsBaWs6J6hcGvnfJE%3d
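The signing steps above, written out as an added Python example (not Alibaba Cloud's SDK or code from this page). The function names are hypothetical, and the set of unencoded characters is taken literally from the page's rule list, on the assumption that the service canonicalizes the same way; with the page's sample parameters, string_to_sign reproduces the string-to-sign shown in the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Unencoded specials, taken literally from the page's rule list (letters and
# digits are always left alone). Assumption: the service uses the same set.
SAFE = "&-_.~"

# Parameters and credentials from the page's DescribeDBInstances example.
PAGE_PARAMS = {
    "Timestamp": "2013-06-01T10:33:56Z", "Format": "XML",
    "AccessKeyId": "testid", "Action": "DescribeDBInstances",
    "SignatureMethod": "HMAC-SHA1", "RegionId": "region1",
    "SignatureNonce": "NwDAxvLU6tFE0DVb", "Version": "2014-08-15",
    "SignatureVersion": "1.0",
}


def percent_encode(text):
    # UTF-8 percent-encoding; spaces become %20 (never "+"), "*" becomes %2A.
    return quote(str(text), safe=SAFE, encoding="utf-8")


def canonicalized_query_string(params):
    # Step 1: drop Signature, encode names and values, sort by name, join.
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params.items() if k != "Signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def string_to_sign(method, params):
    # Step 2: HTTPMethod & percentEncode("/") & percentEncode(query string).
    query = canonicalized_query_string(params)
    return "&".join([method, percent_encode("/"), percent_encode(query)])


def sign(method, params, access_key_secret):
    # Steps 3 and 4: HMAC-SHA1 keyed with "<secret>&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    message = string_to_sign(method, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode("ascii")


def signed_query(method, params, access_key_secret):
    # Step 5: append Signature, percent-encoded like every other value.
    signature = percent_encode(sign(method, params, access_key_secret))
    return canonicalized_query_string(params) + "&Signature=" + signature
```

The timestamp's colons are encoded twice in the string-to-sign (%253A) because the already-encoded query string passes through percent_encode a second time in Step 2.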