You must sign all API requests to ensure security. Alibaba Cloud uses the request signature to verify the identity of the API caller.
Signature
A signature consists of two parts: common request header and CanonicalizedResource. The request body is not included in the signature. The common request header contains HTTP header parameters and Alibaba Cloud protocol header parameters.
AccessKey pairs are issued by Alibaba Cloud. You can visit the official Alibaba Cloud website to apply for and manage an AccessKey pair. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID identifies the user, while the AccessKey secret is the secret key used to compute and verify the signature string. You must keep your AccessKey secret strictly confidential.
Container Registry verifies each access request it receives. Therefore, all requests sent to Container Registry must contain signature information. Container Registry uses a symmetric-key scheme: the AccessKey secret that belongs to the AccessKey ID in the request is shared between the caller and the service, and both sides use it to compute the signature. If the signature that the service computes is the same as the one provided in the request, the request is considered valid. Otherwise, Container Registry rejects the request and returns the HTTP error code 403.
You must add the signature to the HTTP header in the following format: Authorization: acs [Access Key Id]:[Signature].
Signature calculation method
The following shows how to calculate the signature. The HMAC is keyed with the AccessKey secret, and the fields are concatenated with newline characters in exactly this order:
Signature = base64(hmac-sha1(AccessKeySecret,
    VERB + "\n"
    + Accept + "\n"
    + Content-MD5 + "\n"
    + Content-Type + "\n"
    + Date + "\n"
    + CanonicalizedHeaders + "\n"
    + CanonicalizedResource))
- VERB indicates the HTTP method. Example: PUT.
- Accept indicates the response type required by the client. Valid values: application/json and application/xml.
- Content-MD5 indicates the MD5 hash value of the request content.
- Content-Type indicates the type of request content.
- Date indicates the time when the request was sent. This parameter is required. The time must be in GMT. If the deviation between the time when a request was sent and the time when the request was received exceeds 15 minutes, the system determines that the request is invalid and returns the error code 400. Example: Thu, 17 Mar 2018 18:00:00 GMT.
- CanonicalizedHeaders indicates the header fields that are prefixed with x-acs- in the request.
- CanonicalizedResource indicates the URI of the requested resource. Example: /namespaces.
CanonicalizedHeaders
CanonicalizedHeaders (headers that start with x-acs-) must comply with the following specifications before the signature is verified:
- Convert the names of all HTTP request headers prefixed with x-acs- into lowercase letters. For example, you must convert X-ACS-Meta-Name: TaoBao into x-acs-meta-name: TaoBao. Header field names are case-insensitive. We recommend that you use lowercase letters.
- If a header field value is too long, replace specific delimiters with spaces. The delimiters include \t, \n, \r, and \f.
- Sort all HTTP request headers that are obtained from the preceding step in alphabetical order.
- Delete all spaces on each side of the delimiter between the request header and its content. For example, convert x-acs-meta-name: TaoBao,Alipay into x-acs-meta-name:TaoBao,Alipay.
- Separate all headers and content with \n delimiters to form the final CanonicalizedHeaders.
CanonicalizedResource
CanonicalizedResource represents the specification description of the resource to be accessed. Sort sub-resources along with query parameters in alphabetical order and separate them with ampersands (&) to generate a sub-resource string. The sub-resource string consists of all parameters that follow the question mark (?). For example, for the request URL
http://cr.cn-hangzhou.aliyuncs.com/repository?name=repository1&namespace=namespace1
the value of CanonicalizedResource must be the following string (no space after the question mark):
/repository?name=repository1&namespace=namespace1
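The following is an added worked example of the whole procedure above (CanonicalizedHeaders, CanonicalizedResource, the string to sign, the HMAC-SHA1 signature and the Authorization header), plus the receiver-side check that produces the 400 and 403 responses the text describes. It is illustrative code written for this page, not Alibaba Cloud SDK or service code. The AccessKey ID "testid" and secret "testsecret", the request headers and the secrets_by_key_id key store are constructed placeholders, and the 15-minute skew window is the one stated in the text.

```python
# Added example: signing a Container Registry request and checking it on the
# receiving side. Illustrative code for this page, not Alibaba Cloud SDK code;
# the AccessKey pair and the request values below are constructed placeholders.
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

ACCESS_KEY_ID = "testid"          # placeholder, not a real AccessKey ID
ACCESS_KEY_SECRET = "testsecret"  # placeholder, not a real AccessKey secret
MAX_CLOCK_SKEW_SECONDS = 15 * 60  # the 15-minute window stated in the text


def canonicalized_headers(headers):
    """Build CanonicalizedHeaders from the x-acs-* request headers."""
    entries = []
    for name, value in headers.items():
        lname = name.strip().lower()                # header names to lowercase
        if not lname.startswith("x-acs-"):
            continue                                # only x-acs-* headers are signed
        for delim in ("\t", "\n", "\r", "\f"):      # delimiters become spaces
            value = value.replace(delim, " ")
        entries.append(f"{lname}:{value.strip()}")  # no spaces around the colon
    entries.sort()                                  # alphabetical order
    return "\n".join(entries)                       # one header per line


def canonicalized_resource(path, query=None):
    """Path plus the query parameters sorted alphabetically and joined with &."""
    if not query:
        return path
    sub_resource = "&".join(f"{k}={query[k]}" for k in sorted(query))
    return f"{path}?{sub_resource}"


def string_to_sign(verb, accept, content_md5, content_type, date, headers, resource):
    """Concatenate the seven signed fields with newlines, in the formula's order."""
    return "\n".join([verb, accept, content_md5, content_type, date,
                      canonicalized_headers(headers), resource])


def sign(access_key_secret, s2s):
    """Signature = base64(hmac-sha1(AccessKeySecret, string to sign))."""
    digest = hmac.new(access_key_secret.encode("utf-8"),
                      s2s.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(access_key_id, access_key_secret, s2s):
    """Value of the Authorization header: acs [Access Key Id]:[Signature]."""
    return f"acs {access_key_id}:{sign(access_key_secret, s2s)}"


def verify_request(authorization, s2s, date_header, secrets_by_key_id, now=None):
    """Receiver-side check returning the HTTP status the text describes:
    400 for a missing or stale Date, 403 for an unknown key ID or a bad
    signature, 200 otherwise. secrets_by_key_id stands in for the service's
    key store (an assumption of this example)."""
    now = now or datetime.now(timezone.utc)
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return 400
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    if abs((now - sent).total_seconds()) > MAX_CLOCK_SKEW_SECONDS:
        return 400
    scheme, _, credential = authorization.partition(" ")
    key_id, _, provided = credential.partition(":")
    if scheme != "acs" or key_id not in secrets_by_key_id:
        return 403
    expected = sign(secrets_by_key_id[key_id], s2s)
    # Constant-time comparison so response timing does not leak matching bytes.
    return 200 if hmac.compare_digest(expected, provided) else 403


def example_request():
    """Sign the /repository request from the text (GET, no body, so Content-MD5
    is empty); returns (string to sign, Date header, Authorization value)."""
    headers = {"X-ACS-Meta-Name": " TaoBao,Alipay ", "Content-Type": "application/json"}
    resource = canonicalized_resource("/repository",
                                      {"namespace": "namespace1", "name": "repository1"})
    date = "Thu, 17 Mar 2018 18:00:00 GMT"
    s2s = string_to_sign("GET", "application/json", "", "application/json",
                         date, headers, resource)
    return s2s, date, authorization_header(ACCESS_KEY_ID, ACCESS_KEY_SECRET, s2s)


def example_verification():
    """Check the example request with a fixed clock: valid, stale, tampered, unknown key."""
    s2s, date, auth = example_request()
    secrets = {ACCESS_KEY_ID: ACCESS_KEY_SECRET}
    sent = parsedate_to_datetime(date)
    forged = "acs otherid:" + auth.split(":", 1)[1]
    return (verify_request(auth, s2s, date, secrets, now=sent + timedelta(minutes=5)),
            verify_request(auth, s2s, date, secrets, now=sent + timedelta(minutes=20)),
            verify_request(auth, s2s + "x", date, secrets, now=sent + timedelta(minutes=5)),
            verify_request(forged, s2s, date, secrets, now=sent))


if __name__ == "__main__":
    s2s, date, auth = example_request()
    print(s2s)
    print("Authorization:", auth)
    print("verification results (200, 400, 403, 403 expected):", example_verification())
```

The receiver has two separate rejection paths, and the order matters: the Date check runs first, so a replayed request older than 15 minutes is answered with 400 before any key lookup, and only requests inside the window reach the HMAC comparison that yields 403. Because the request body is not part of the signature, a request with a body should carry the Content-MD5 field so that the body is at least bound to the signed string.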