ApsaraDB for Redis authenticates the sender of each request for calling an application programming interface (API) operation. Therefore, each request must contain signature information, regardless of whether the access request is sent through Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS).

When you send a request, ApsaraDB for Redis authenticates you by using a symmetric-key signature based on your AccessKey ID and AccessKey secret.

The AccessKey ID and AccessKey secret are issued to you by Alibaba Cloud. You can apply for and manage them on the Alibaba Cloud website. The AccessKey ID indicates your identity. The AccessKey secret is the key used to compute the signature string and to verify it on the server. It must be kept confidential and be known only to Alibaba Cloud and you.

Sign a request

When sending a request, perform the following steps to sign the request:
  1. Use request parameters to construct a canonicalized query string.
    1. To construct a canonicalized query string, sort all request parameters by parameter name in alphabetical order. These parameters include common request parameters and customized request parameters of a specified API operation, but do not include the Signature parameter.
      Notice: If the request is submitted through the GET method, these parameters are placed in the section after a question mark (?) in the request URI and connected with ampersands (&).
    2. Encode the name and value of each request parameter.
      Parameter names and values are URL-encoded based on the UTF-8 character set. The URL encoding rules are as follows:
      • Uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), hyphens (-), underscores (_), periods (.), and tildes (~) are not encoded.
      • Other characters are encoded in the %XY format, where XY is the hexadecimal representation of a character in American Standard Code for Information Interchange (ASCII). For example, double quotation marks (") are encoded as %22.
      • Extended UTF-8 characters are encoded in the %XY%ZA… format.
      • A space is encoded as %20, rather than the plus sign (+).
      Notice: Most libraries that support URL encoding, such as java.net.URLEncoder, comply with the Multipurpose Internet Mail Extensions (MIME) encoding rules of application/x-www-form-urlencoded. If this encoding method is used, replace the plus signs (+) in the encoded strings with %20, the asterisks (*) with %2A, and %7E with a tilde (~) to conform to the encoding rules.
    3. Connect the encoded parameter names and values with equal signs (=).
    4. Sort the parameter name and value pairs connected by equal signs (=) in alphabetical order and connect the pairs with ampersands (&).
  2. Use the created canonicalized query string to construct a string for signature calculation based on the following rules:
     StringToSign=
     HTTPMethod + "&" +
     percentEncode("/") + "&" +
     percentEncode(CanonicalizedQueryString)
    In the preceding string:
    • HTTPMethod indicates the HTTP method used to submit the request, such as GET.
    • percentEncode("/") is the encoded value ("%2F") of a forward slash (/). The encoding follows the URL encoding rules described in step 1.b.
    • percentEncode(CanonicalizedQueryString) is the string constructed by using the canonicalized query string. The encoding follows the URL encoding rules described in step 1.b.
  3. Use the string for signature calculation to calculate the hash-based message authentication code (HMAC) value of the signature as defined in RFC 2104.
    Notice: The key that is used to calculate the signature is the AccessKey secret appended with an ampersand (&) (ASCII: 38). Secure Hash Algorithm 1 (SHA1) is used in the calculation.
  4. Use Base64 to encode the HMAC value into a string. This encoded string is the signature.
  5. Add the signature as the value of the Signature parameter to the request parameters to complete the request signing process.
    Notice: When you submit the signature value to the ApsaraDB for Redis instance as the final request parameter value, perform URL encoding on this parameter based on the rules defined in RFC 3986 in the same way as you process other parameters.

Example

DescribeDBInstances is used here as an example. The request URL before signing is:

http://r-kvstore.aliyuncs.com/?Timestamp=2013-06-01T10:33:56Z&Format=XML&AccessKeyId=testid&Action=DescribeInstances&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&Version=2015-01-01&SignatureVersion=1.0
The calculated StringToSign for signature calculation is as follows:
GET&%2F&AccessKeyId%3Dtestid%26Action%3DDescribeInstances%26Format%3DXML%26RegionId%3Dregion1%26SignatureMethod%3DHMAC-SHA1%26SignatureNonce%3DNwDAxvLU6tFE0DVb%26SignatureVersion%3D1.0%26Timestamp%3D2013-06-01T10%253A33%253A56Z%26Version%3D2015-01-01

This example assumes that the AccessKey ID is testid, the AccessKey secret is testsecret, and the key used for HMAC calculation is testsecret&. The calculated signature is BIPOMlu8LXBeZtLQkJTw6iFvw1E=.

The signed request URL with the Signature parameter added is as follows:

http://r-kvstore.aliyuncs.com/?Timestamp=2013-06-01T10%3A33%3A56Z&Format=XML&AccessKeyId=testid&Action=DescribeInstances&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&SignatureVersion=1.0&Version=2015-01-01&Signature=BIPOMlu8LXBeZtLQkJTw6iFvw1E%3D