You must sign all API requests to ensure security. Alibaba Cloud uses the request signature to verify the identity of the API caller. If you use HTTPS to send an API request, you must include the signature in the request.

Signature overview

You must add the signature to the Key Management Service API request in the following format: 

https://Endpoint/?SignatureVersion=1.0&SignatureMethod=HMAC-SHA1&Signature=CT9X0VtwR86fNWSnsc6v8YGOjuE%3D
A signature contains the following parameters:
  • SignatureMethod: the encryption method of the signature string. Set the value to HMAC-SHA1.
  • SignatureVersion: the version of the signature encryption algorithm. Set the value to 1.0.
  • Signature: the signature string generated after the request is symmetrically encrypted by using the AccessKey secret.
The HMAC-SHA1 algorithm specified in RFC 2104 is used for encryption. The AccessKey secret is used to calculate the hash-based message authentication code (HMAC) value of the encoded and sorted query string, and the HMAC value is used as the signature string. Request signatures include operation-specific parameters. Therefore, the signature of a request varies based on the request parameters. To calculate a signature, perform the steps in this topic. 
Signature = Base64( HMAC-SHA1( AccessKey Secret, UTF-8-Encoding-Of(StringToSign)) )

Step 1: Compose and encode a string-to-sign

  1. Create a canonicalized query string by arranging the request parameters.
    1. Arrange the request parameters (including all common and operation-specific parameters except Signature) in alphabetical order.
      Note When you use the GET method to submit a request, these parameters constitute the parameter field of the request URL. These parameters are placed after the question mark (?) in the request URI and connected by ampersands (&).
    2. Encode the names and values of the arranged request parameters in the request URL by using the UTF-8 character set. The following table describes the encoding rules.
      CharacterEncoding rule
      Uppercase letters, lowercase letters, digits, hyphens (-), underscores (_), periods (.), and tildes (~)These characters do not need to be encoded.
      Other charactersThese characters must be percent encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      Extended UTF-8 charactersThese characters must be encoded in the %XY%ZA… format.
      SpacesSpaces must be encoded as %20. Do not encode spaces as plus signs (+).
      This encoding method is different from the Multipurpose Internet Mail Extensions (MIME) encoding algorithm application/x-www-form-urlencoded, such as the java.net.URLEncoder class that is provided by the Java standard library. However, you can apply the MIME encoding algorithm and then replace the plus sign (+) in the encoded string with %20, the asterisk (*) with %2A, and %7E with the tilde (~). You can use the following percentEncode method to implement the algorithm: 
      private static final String ENCODING = "UTF-8";
private static String percentEncode(String value) throws UnsupportedEncodingException 
{
return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
}
    3. Connect the encoded parameter names and values by using equal signs (=).
    4. Sort the connected parameter name and value pairs in the specified order and connect the pairs by using ampersands (&) to obtain the canonicalized query string.
  2. Create a string-to-sign from the encoded canonicalized query string in the following way: 
    StringToSign=
      HTTPMethod + "&" +
      percentEncode("/") + "&" +
      percentEncode(CanonicalizedQueryString)

    The following list describes the parameters:

    • HTTPMethod: specifies the HTTP method used to submit a request, such as GET.
    • percentEncode("/"): specifies the encoded value (%2F) of a forward slash (/). The encoding follows the URL encoding rules.
    • percentEncode(CanonicalizedQueryString): specifies the encoded canonicalized query string based on the URL encoding rules.

Step 2: Calculate the signature string

  1. Calculate the HMAC value of the string-to-sign based on RFC 2104.
    Note Use the SHA1 algorithm to calculate the HMAC value of the string-to-sign. The combination of your AccessKey secret and an ampersand (&) (ASCII code 38) is used as the key for the HMAC calculation.
  2. Encode the HMAC value in Base64 to obtain the signature string.
  3. Add the signature string to the request as the Signature parameter.
    Note When the obtained signature value is submitted as the final request parameter value, the value must be URL-encoded like other parameters based on rules defined in RFC 3986.

Examples

The CreateKey operation is used as an example to introduce the signature method.

Request URL before the request is signed:

https://kms.cn-hangzhou.aliyuncs.com/?Action=CreateKey
&SignatureVersion=1.0
&Format=json
&Version=2016-01-20
&AccessKeyId=testid
&SignatureMethod=HMAC-SHA1
&Timestamp=2016-03-28T03:13:08Z

StringToSign for the request URL:

GET&%2F&AccessKeyId%3Dtestid%26Action%3DCreateKey%26Format%3Djson%26SignatureMethod%3DHMAC-SHA1%26SignatureVersion%3D1.0%26Timestamp%3D2016-03-28T03%253A13%253A08Z%26Version%3D2016-01-20

If the AccessKey ID is testid and the AccessKey secret is testsecret, the key that is used to calculate the HMAC value of the string-to-sign is testsecret&.

The signature value is 41wk2SSX1GJh7fwnc5eqOfiJPF****.

Request URL after the request is signed: 

https://kms.cn-hangzhou.aliyuncs.com/?Action=CreateKey
&SignatureVersion=1.0
&Format=json
&Version=2016-01-20
&AccessKeyId=testid
&SignatureMethod=HMAC-SHA1
&Timestamp=2016-03-28T03:13:08Z
&Signature=41wk2SSX1GJh7fwnc5eqOfiJPF****