Database Autonomy Service (DAS) verifies the identity of each request sender. An API request must contain signature information regardless of whether the request is sent over HTTP or HTTPS.

Background information

DAS verifies your identity with a symmetric-key signature that is computed from the AccessKey pair (AccessKey ID and AccessKey secret) that you use to call the DAS API. Alibaba Cloud can generate AccessKey pairs for your Alibaba Cloud account and for RAM users, and you can apply for and manage AccessKey pairs in the Alibaba Cloud Management Console. The AccessKey ID identifies you. The AccessKey secret is the secret key that is used to calculate signature strings, and DAS uses the same secret to verify the signature strings it receives. You must keep your AccessKey secret confidential.

Sign a request

To sign a request, perform the following steps:

  1. Use the request parameters to create a canonicalized query string.
    1. Arrange the request parameters, including all common request parameters and operation-specific parameters except Signature, in alphabetical order.
      Notice If you use the GET method to send a request, the request parameters are included in the request URL. The request parameters are placed after a question mark (?) in the URL and are separated with ampersands (&).
    2. Encode the name and value of each request parameter in UTF-8 based on the following rules:
      1. Uppercase letters, lowercase letters, digits, and some special characters such as ampersands (&), hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
      2. Other characters must be percent encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      3. Extended UTF-8 characters are encoded in the %XY%ZA… format.
      4. Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
        Notice Most libraries that support URL encoding, such as java.net.URLEncoder, follow the encoding rules of application/x-www-form-urlencoded, which is a subtype of Multipurpose Internet Mail Extensions (MIME). If you use java.net.URLEncoder, replace the plus signs (+) in the encoded string with %20, the asterisks (*) with %2A, and %7E with a tilde (~). The result is an encoded string that follows the preceding encoding rules.
    3. Connect the encoded name and value of each parameter with an equal sign (=).
    4. Arrange the encoded parameters in alphabetical order of parameter name and connect them with ampersands (&) to create the canonicalized query string.
  2. Use the canonicalized query string to create a string-to-sign based on the following rules:
    StringToSign=
    HTTPMethod + "&" +
    percentEncode("/") + "&" +
    percentEncode(CanonicalizedQueryString)
    Parameter description:
    • HTTPMethod: specifies the HTTP method that is used to send a request, such as GET.
    • percentEncode("/"): encodes the forward slash (/) based on the URL encoding rules described in Step 1.ii. The encoded value of a forward slash (/) is %2F.
    • percentEncode(CanonicalizedQueryString): encodes the canonicalized query string that is created in Step 1 based on the URL encoding rules described in Step 1.ii.
  3. Calculate the hash-based message authentication code (HMAC) value of the string-to-sign based on the HMAC algorithm that is described in RFC 2104.
    Notice Use the Secure Hash Algorithm 1 (SHA-1) algorithm to calculate the HMAC value of the string-to-sign. Add an ampersand (&) to the end of your AccessKey secret and then use the result string as the secret key to calculate the HMAC value. The ASCII value of an ampersand (&) is 38.
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the signature string to the request as the value of the Signature parameter.
    Note Before you add the signature string to the request, encode the signature string based on the rules of RFC 3986.

    In this example, the DescribeDBInstances operation is called. The following request URL does not yet contain the Signature parameter:

    http://das.cn-shanghai.aliyuncs.com/?Timestamp=2013-06-01T10:33:56Z&Format=XML&AccessKeyId=testid&Action=DescribeDBInstances&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&Version=2014-08-15&SignatureVersion=1.0
    The following string is the string-to-sign:
    GET&%2F&AccessKeyId%3Dtestid&Action%3DDescribeDBInstances&Format%3DXML&RegionId%3Dregion1&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3DNwDAxvLU6tFE0DVb&SignatureVersion%3D1.0&Timestamp%3D2013-06-01T10%253A33%253A56Z&Version%3D2014-08-15
    In this example, the AccessKey ID is testid and the AccessKey secret is testsecret. The secret key that is used to calculate the HMAC value of the string-to-sign is testsecret&. The calculated signature string is cNr+cHw3awqsBaWs6J6hcGvnfJE=.

    The following URL is the signed request URL after the Signature parameter is added:

    http://das.cn-shanghai.aliyuncs.com/?Timestamp=2013-06-01T10%3A33%3A56Z&Format=XML&AccessKeyId=testid&Action=DescribeDBInstances&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&SignatureVersion=1.0&Version=2014-08-15&Signature=cNr%2bcHw3awqsBaWs6J6hcGvnfJE%3d
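As an added example that is not part of the DAS documentation, the following Python code carries the five steps above through on the DescribeDBInstances parameters of the worked example and then recomputes and checks a signature the way a receiving side would. Its percent_encode keeps only the RFC 3986 unreserved characters (letters, digits, -, _, ., ~), which is what the java.net.URLEncoder rule in Step 1.ii yields, so when the canonicalized query string is encoded again in Step 2 the ampersand separators also become %26; the constant-time hmac.compare_digest check in verify is an addition of this example, not something the page prescribes.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed request: the parameters of the DescribeDBInstances example above.
ACCESS_KEY_SECRET = "testsecret"
PARAMS = {
    "Timestamp": "2013-06-01T10:33:56Z", "Format": "XML", "AccessKeyId": "testid",
    "Action": "DescribeDBInstances", "SignatureMethod": "HMAC-SHA1",
    "RegionId": "region1", "SignatureNonce": "NwDAxvLU6tFE0DVb",
    "Version": "2014-08-15", "SignatureVersion": "1.0",
}

def percent_encode(value):
    # Step 1.ii: only letters, digits, -, _, ., ~ stay literal; space -> %20 (never +),
    # * -> %2A, non-ASCII -> its UTF-8 bytes as %XY%ZA...
    return urllib.parse.quote(str(value), safe="-_.~")

def canonicalized_query_string(params):
    # Step 1: drop Signature, sort by name, encode name and value, join with = and &.
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                    for k, v in sorted(params.items()) if k != "Signature")

def string_to_sign(http_method, params):
    # Step 2: HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString).
    return "&".join([http_method.upper(), percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])

def sign(http_method, params, secret):
    # Steps 3-4: HMAC-SHA1 keyed with "<AccessKey secret>&", then Base64.
    mac = hmac.new((secret + "&").encode("utf-8"),
                   string_to_sign(http_method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_query(http_method, params, secret):
    # Step 5: append Signature to the query, percent-encoding the signature string itself.
    signature = sign(http_method, params, secret)
    return canonicalized_query_string(params) + "&Signature=" + percent_encode(signature)

def verify(http_method, params, secret):
    # Receiving side: recompute over every parameter except Signature and compare in
    # constant time, so a modified parameter or a wrong secret is rejected.
    return hmac.compare_digest(params.get("Signature", ""), sign(http_method, params, secret))

if __name__ == "__main__":
    print(string_to_sign("GET", PARAMS))
    print(signed_query("GET", PARAMS, ACCESS_KEY_SECRET))
```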