

Last Updated: Aug 02, 2018

When you send HTTP requests to Alibaba Cloud, you sign the requests so that Alibaba Cloud can identify who sent them. You sign requests with your AccessKey, which consists of an AccessKey ID and AccessKey secret. You can apply for an AccessKey for your primary account and manage it on our official site.

Signature process

  1. Create a canonical request.

    1. Sort the parameter names by character code point in ascending order. The parameters to sort include the common request parameters and the parameters of the API being called.

    2. Start with the HTTP request method GET, followed by a newline character.

    3. Then add the canonical URI parameter, followed by a newline character. The canonical URI is the URI-encoded version of the absolute path component of the URI, which is everything in the URI from the HTTP host to the question mark character (?) that begins the query string parameters (if any).

      • Do not URI-encode any of the unreserved characters that RFC 3986 defines: A-Z, a-z, 0-9, hyphen ( - ), underscore ( _ ), period ( . ), and tilde ( ~ ).

      • Percent-encode all other characters with %XY, where X and Y are hexadecimal characters (0-9 and uppercase A-F). For example, the space character must be encoded as %20 (not using ‘+’, as some encoding schemes do) and extended UTF-8 characters must be in the form %XY%ZA%BC.

    4. Build the canonical query string by starting with the first parameter name in the sorted list.

    5. For each parameter, append the URI-encoded parameter name, followed by the equals sign character (=), followed by the URI-encoded parameter value. Use empty strings for parameters that have no value.

      The following pseudocode shows how to create the canonical request:

      StringToSign =
          HTTPMethod + "&" +
          percentEncode("/") + "&" +
          percentEncode(CanonicalizedQueryString)

  2. Calculate the HMAC value of the preceding string to sign, as defined in RFC 2104.

    Note: The key for the HMAC calculation is your AccessKey secret followed by an ampersand "&" (ASCII 38), and the hash algorithm is SHA1.

  3. Encode the preceding HMAC value into a string according to Base64 encoding rules. This gives you the signature value.

  4. Add the obtained signature value to the request parameters as the Signature parameter to sign the request.

    Note: Like the other parameter values, the signature value must be URL-encoded according to RFC 3986 before it is submitted to the KMS server as the final request parameter value.


Take CreateKey as an example. The HTTP request without a signature is:

  https://kms.cn-hangzhou.aliyuncs.com/?Action=CreateKey
  &SignatureVersion=1.0
  &Format=json
  &Version=2016-01-20
  &AccessKeyId=testid
  &SignatureMethod=HMAC-SHA1
  &Timestamp=2016-03-28T03:13:08Z

CanonicalizedQueryString is:

  AccessKeyId=testid&Action=CreateKey&Format=json&SignatureMethod=HMAC-SHA1&SignatureVersion=1.0&Timestamp=2016-03-28T03%3A13%3A08Z&Version=2016-01-20

StringToSign is:

  GET&%2F&AccessKeyId%3Dtestid&Action%3DCreateKey&Format%3Djson&SignatureMethod%3DHMAC-SHA1&SignatureVersion%3D1.0&Timestamp%3D2016-03-28T03%253A13%253A08Z&Version%3D2016-01-20

With the AccessKey ID testid and the AccessKey secret testsecret, the key for the HMAC calculation is testsecret&, and the signature is:

  s/OdVWMTmNGagvWlljdAJ7Itsew=

The request URL with the signature is:

  https://kms.cn-hangzhou.aliyuncs.com/?Action=CreateKey
  &SignatureVersion=1.0
  &Format=json
  &Version=2016-01-20
  &AccessKeyId=F5856RW8kXMuAPMU
  &SignatureMethod=HMAC-SHA1
  &Timestamp=2016-03-28T03:13:08Z
  &Signature=41wk2SSX1GJh7fwnc5eqOfiJPFg%3D
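
The signing steps above, applied to the CreateKey parameters from this page, as an added Python example (not code from Alibaba Cloud or from the original page). It follows the pseudocode literally, percent-encoding the whole CanonicalizedQueryString, so the & separators appear as %26 inside the string to sign; the function names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def percent_encode(value) -> str:
    # RFC 3986: only A-Z a-z 0-9 - _ . ~ stay literal; space is %20, never "+".
    return quote("" if value is None else str(value), safe="-_.~")

def canonicalized_query_string(params: dict) -> str:
    # Sort names by code point, then join the encoded name=value pairs with "&".
    pairs = (f"{percent_encode(k)}={percent_encode(v)}"
             for k, v in sorted(params.items()))
    return "&".join(pairs)

def string_to_sign(params: dict, method: str = "GET") -> str:
    # HTTPMethod + "&" + percentEncode("/") + "&" + percentEncode(CanonicalizedQueryString)
    return "&".join([method, percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])

def sign(params: dict, access_key_secret: str, method: str = "GET") -> str:
    # HMAC key is the AccessKey secret followed by "&"; hash is SHA1 (RFC 2104).
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(params, method).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_url(endpoint: str, params: dict, access_key_secret: str) -> str:
    # The Base64 signature can contain "+", "/" and "=", so it is percent-encoded
    # like every other parameter value before it goes into the URL.
    signed = {**params, "Signature": sign(params, access_key_secret)}
    return f"{endpoint}/?{canonicalized_query_string(signed)}"

# Request parameters of the CreateKey example on this page (test credentials).
PARAMS = {
    "Action": "CreateKey",
    "SignatureVersion": "1.0",
    "Format": "json",
    "Version": "2016-01-20",
    "AccessKeyId": "testid",
    "SignatureMethod": "HMAC-SHA1",
    "Timestamp": "2016-03-28T03:13:08Z",
}

if __name__ == "__main__":
    print(canonicalized_query_string(PARAMS))
    print(string_to_sign(PARAMS))
    print(signed_url("https://kms.cn-hangzhou.aliyuncs.com", PARAMS, "testsecret"))
```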