You must sign all API requests to ensure security. Alibaba Cloud uses the request signature to verify the identity of the API caller.
A signature consists of two parts: common request header and CanonicalizedResource. The request body is not included in the signature. The common request header contains HTTP header parameters and Alibaba Cloud protocol header parameters.
AccessKey pairs are issued by Alibaba Cloud. You can visit the official Alibaba Cloud website to apply for and manage an AccessKey pair. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID is used to verify the identity of the user, while the AccessKey secret is used to encrypt and verify the signature string. You must keep your AccessKey secret strictly confidential.
Container Registry verifies each access request it receives. Therefore, all requests sent to Container Registry must contain signature information. Container Registry implements symmetric encryption with an AccessKey pair that consists of an AccessKey ID and an AccessKey secret to verify the identity of the request sender. If the calculated verification code is the same as the one provided, the request is considered valid. Otherwise, Container Registry rejects the request and returns the HTTP error code 403.
You must add the signature to the HTTP header in the following format:
Authorization: acs [Access Key Id]:[Signature].
Signature calculation method
The following shows how to calculate the signature:
Signature = base64(hmac-sha1(VERB + "\n" + ACCEPT + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedHeaders + "\n" + CanonicalizedResource))
VERB indicates the HTTP method. Example: PUT.
Accept indicates the response type required by the client. Valid values: application/json and application/xml.
Content-MD5 indicates the MD5 hash value of the request content.
Content-Type indicates the type of request content.
Date indicates the time when the request was sent. This parameter is required. The time must be in GMT. If the deviation between the time when a request was sent and the time when the request was received exceeds 15 minutes, the system determines that the request is invalid and returns the error code 400. Example: Thu, 17 Mar 2018 18:00:00 GMT.
CanonicalizedHeaders indicates the header fields that are prefixed with x-acs- in the request.
CanonicalizedResource indicates the URI of the requested resource. Example:
CanonicalizedHeaders (headers that start with x-acs-) must comply with the following specifications before the signature is verified:
- Convert the names of all HTTP request headers prefixed with x-acs- into lowercase letters. For example, you must convert x-acs-meta-name: TaoBao. Header field names are case-insensitive. We recommend that you use lowercase letters.
- If a header field value is too long, replace specific delimiters with spaces. The
- Sort all HTTP request headers that are obtained from the preceding step in alphabetical order.
- Delete all spaces on each side of a delimiter between the request header and its content. For example, convert
- Separate all headers and content with delimiters \n to form the final CanonicalizedHeaders.
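The signing steps above, as an added Python example (not Alibaba Cloud's own code): it canonicalizes the x-acs- headers, builds the string-to-sign in the order the formula gives, and shows the receiver-side check with the 15-minute Date window and a 403 on mismatch. The key ID, secret, resource path and the X-Acs-Demo header are constructed placeholders; using the AccessKey secret directly as the HMAC-SHA1 key is an assumption, and CanonicalizedResource is passed in already canonicalized.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def canonicalized_headers(headers):
    # Lowercase x-acs-* names, drop spaces around the ':' delimiter, sort by
    # name, join with "\n". The long-value delimiter replacement step is not
    # implemented because the page does not name the delimiters.
    picked = {k.strip().lower(): v.strip() for k, v in headers.items()
              if k.strip().lower().startswith("x-acs-")}
    return "\n".join(f"{k}:{picked[k]}" for k in sorted(picked))

def string_to_sign(verb, headers, resource):
    # Field order follows the page's formula; absent headers become "".
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    return "\n".join([verb, h.get("accept", ""), h.get("content-md5", ""),
                      h.get("content-type", ""), h["date"],
                      canonicalized_headers(headers), resource])

def sign(secret, verb, headers, resource):
    # Assumption: the AccessKey secret is used directly as the HMAC-SHA1 key.
    msg = string_to_sign(verb, headers, resource).encode()
    mac = hmac.new(secret.encode(), msg, hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization(key_id, secret, verb, headers, resource):
    return f"acs {key_id}:{sign(secret, verb, headers, resource)}"

def verify(secret, verb, headers, resource, presented, now):
    # Receiver side: 400 for a Date more than 15 minutes off, 403 for a
    # signature mismatch (compared in constant time), 200 otherwise.
    h = {k.strip().lower(): v for k, v in headers.items()}
    if abs(now - parsedate_to_datetime(h["date"])) > timedelta(minutes=15):
        return 400
    expected = sign(secret, verb, headers, resource)
    ok = hmac.compare_digest(expected.encode(), presented.encode())
    return 200 if ok else 403

# Constructed sample request; key ID, secret and resource are placeholders.
HEADERS = {"Accept": "application/json", "Content-Type": "application/json",
           "Date": "Mon, 04 Mar 2024 10:00:00 GMT",
           "X-ACS-Meta-Name": "TaoBao", "X-Acs-Demo": " 1 "}
KEY_ID, SECRET, RESOURCE = "EXAMPLE_KEY_ID", "example-secret", "/demo/resource"

if __name__ == "__main__":
    now = datetime(2024, 3, 4, 10, 5, tzinfo=timezone.utc)
    sig = sign(SECRET, "PUT", HEADERS, RESOURCE)
    print(authorization(KEY_ID, SECRET, "PUT", HEADERS, RESOURCE))
    print(verify(SECRET, "PUT", HEADERS, RESOURCE, sig, now))
```

Because the request body is not part of the string-to-sign, only the Content-MD5 header ties the signature to the payload.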
CanonicalizedResource is the canonical description of the resource to be accessed. Sort sub-resources along with query parameters in alphabetical order and separate them with ampersands (&) to generate a sub-resource string. The sub-resource string consists of all parameters that follow the question mark
The value of CanonicalizedResource must be the following string: