The API signature consists of two parts: common request headers (HTTP header parameters and Alibaba Cloud protocol header parameters) and canonicalized resource. The message body is not included in the signature.
The AccessKey ID and AccessKey Secret are issued to visitors by Alibaba Cloud (visitors can apply for and manage them on the Alibaba Cloud official website). The AccessKey ID identifies the visitor. The AccessKey Secret is the secret key used to compute and verify the signature string on the server. It must be kept confidential and be known only to Alibaba Cloud and the user.
The system verifies each access request it receives, so every request must carry the signature information. The system uses a symmetric key operation with the AccessKey ID and AccessKey Secret to verify the identity of the request sender: it recomputes the verification code from the request and the secret. If the calculated verification code matches the one provided, the request is considered valid. Otherwise, the request is rejected and an HTTP 403 error is returned.
The request must include the signature in the HTTP header, in the following format:
Authorization: acs [accessKeyId]:[Signature]
The signature is calculated as follows (the HMAC key is the AccessKey Secret):
Signature = base64(hmac-sha1(VERB + "\n"
    + ACCEPT + "\n"
    + Content-MD5 + "\n"
    + Content-Type + "\n"
    + Date + "\n"
    + CanonicalizedHeaders + "\n"
    + CanonicalizedResource, AccessKeySecret))
VERB indicates the HTTP method, for example,
Accept indicates the type of returned value required by the user; application/json and application/xml are supported.
Content-MD5 indicates the MD5 value of the request content.
Content-Type indicates the type of the request content.
Date indicates the operation time, which cannot be null. Currently, only the GMT format is supported, for example, Thu, 17 Mar 2018 18:00:00 GMT. If the difference between the request time and the server time exceeds 15 minutes, the system considers the request invalid and returns error 400.
CanonicalizedHeaders indicates the combination of the header fields whose names start with x-acs- in the HTTP request.
CanonicalizedResource indicates the uniform resource identifier (URI) of the resource in the HTTP request. For example,
Before signature verification, the canonicalized headers (headers whose names start with x-acs-) must meet the following specifications:
1. Convert the names of all HTTP request headers that start with x-acs- to lowercase letters. For example, convert the header to x-acs-meta-name: TaoBao. According to Alibaba Cloud specifications, the names of request headers are case-insensitive; however, we recommend that you use lowercase letters.
2. If the value part of a common request header is too long, replace the \f separators with spaces.
3. Sort all HTTP request headers obtained in the previous step that comply with Alibaba Cloud specifications in ascending alphabetical order.
4. Delete any space on either side of the separator between a request header name and its content. For example, convert
5. Separate all headers and their contents with the \n separator to form the final canonicalized headers.
The canonicalized resource is the specification description of the resource that the user wants to access. Sort the sub-resources and query parameters in ascending alphabetical order and separate them with the & separator to generate the sub-resource string (all parameters after
The canonicalized resource format is as follows:
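As an added worked example (not code from this page or from Alibaba Cloud's SDKs), the following Python builds the Authorization header from the formula above, applies the header canonicalization steps, and also shows the server-side check the page describes: 400 when the Date header is missing or more than 15 minutes from the server clock, 403 when the recomputed signature differs. It assumes the canonicalized resource is the URI path followed by "?" and the sorted query parameters; all header values, AccessKey values and dates used with it are constructed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def header(headers, name):
    """Case-insensitive lookup; a missing header contributes an empty string."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def canonicalized_headers(headers):
    """Lower-case x-acs-* names, fold \\f into spaces, trim spaces around the
    separator, sort by name and join with '\\n' (no trailing newline)."""
    acs = {k.lower(): " ".join(v.split("\f")).strip()
           for k, v in headers.items() if k.lower().startswith("x-acs-")}
    return "\n".join(f"{k}:{acs[k]}" for k in sorted(acs))

def canonicalized_resource(path, query):
    """Path plus sorted query parameters joined by '&' (assumed layout)."""
    return path + ("?" + "&".join(f"{k}={query[k]}" for k in sorted(query)) if query else "")

def string_to_sign(verb, headers, path, query):
    # Same field order as the signature formula; the message body is never included.
    return "\n".join([verb, header(headers, "Accept"), header(headers, "Content-MD5"),
                      header(headers, "Content-Type"), header(headers, "Date"),
                      canonicalized_headers(headers), canonicalized_resource(path, query)])

def sign(secret, verb, headers, path, query=None):
    msg = string_to_sign(verb, headers, path, query or {}).encode()
    return base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha1).digest()).decode()

def authorization(key_id, secret, verb, headers, path, query=None):
    return f"acs {key_id}:{sign(secret, verb, headers, path, query)}"

def parse_date(value):
    """GMT Date header -> aware UTC datetime; raises on empty or malformed input."""
    sent = parsedate_to_datetime(value)
    return sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)

def verify(secret, auth, verb, headers, path, query=None, now=None):
    """Server side: 400 for a missing, unparsable or >15-minute-skewed Date,
    403 for a signature mismatch, 200 otherwise."""
    try:
        sent = parse_date(header(headers, "Date"))
    except (TypeError, ValueError):
        return 400
    if abs((now or datetime.now(timezone.utc)) - sent) > timedelta(minutes=15):
        return 400
    expected = sign(secret, verb, headers, path, query)
    # constant-time comparison so timing does not reveal how many bytes matched
    return 200 if hmac.compare_digest(auth.partition(":")[2], expected) else 403
```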