PolarDB authenticates each access request. Therefore, every request must contain signature information, regardless of whether it is sent over HTTP or HTTPS. PolarDB uses symmetric-key signing with an AccessKey pair, which consists of an AccessKey ID and an AccessKey secret, to verify the identity of the request sender. Alibaba Cloud issues the AccessKey ID and AccessKey secret to users. You can request and manage the AccessKey pair on the Alibaba Cloud official website. The AccessKey ID indicates the identity of a user. The AccessKey secret is the key used to compute the signature string on the client and to verify the signature string on the server. The AccessKey secret must be kept strictly confidential.
Perform the following steps to sign a request:
1. Use request parameters to construct a canonicalized query string.
   a. Sort all request parameters in alphabetical order of parameter names. These parameters include the common request parameters described in the "Common parameters" topic and the operation-specific parameters. However, the Signature parameter is not included.
      Notice: If you use the GET method to send a request, the request parameters are included as a part of the request URL. The request parameters follow the question mark (?) in the request URL and are concatenated with ampersands (&).
   b. Encode the name and value of each request parameter. The parameter names and values must be URL-encoded in UTF-8 based on the following encoding rules:
      - Do not encode uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and characters including the hyphen (-), underscore (_), period (.), and tilde (~).
      - Encode other characters into the %XY format. XY is the hexadecimal value of the ASCII code corresponding to a character. For example, a double quotation mark (") is encoded as %22.
      - Extended UTF-8 characters are encoded in the %XY%ZA... format.
      - Encode a space as %20 instead of a plus sign (+).
      Notice: Most libraries that support URL encoding, such as java.net.URLEncoder, comply with the Multipurpose Internet Mail Extensions (MIME) encoding rules of "application/x-www-form-urlencoded". If you use this encoding method, replace each plus sign (+) with %20, each asterisk (*) with %2A, and %7E with a tilde (~).
   c. Use an equal sign (=) to connect the name and value of each URL-encoded request parameter as a key-value pair.
   d. Sort the key-value pairs connected by equal signs (=) in alphabetical order and separate them with ampersands (&) to obtain the canonicalized query string.
2. Use the canonicalized query string to construct the string for signature based on the following rules:
   StringToSign = HTTPMethod + "&" + percentEncode("/") + "&" + percentEncode(CanonicalizedQueryString)
   - HTTPMethod: the HTTP method used to submit the request, such as GET.
   - percentEncode("/"): the encoded value of a forward slash (/) based on the URL encoding rules described in Step 1.b. The encoded value is %2F.
   - percentEncode(CanonicalizedQueryString): the canonicalized query string constructed in Step 1, encoded again based on the URL encoding rules described in Step 1.b.
3. Use the preceding string to calculate the hash-based message authentication code (HMAC) value of the signature as defined in RFC 2104.
   Notice: The key that is used to calculate the signature is the AccessKey secret appended with an ampersand (&) (ASCII: 38). Secure Hash Algorithm 1 (SHA1) is used in the calculation.
4. Use Base64 to encode the HMAC value into a string. This encoded string is the signature.
5. Add the signature string to the request as the value of the Signature parameter.
   When the signature string is submitted to the PolarDB server as the final value of the request parameter, the string must be URL-encoded like the other parameters, based on the rules defined in RFC 3986.
For example, the request URL without a signature for the DescribeDBClusters operation is:
Assume that the AccessKey ID is testid and the AccessKey secret is testsecret. Then, the Key used to calculate the HMAC value of the signature is testsecret&. The calculated signature string is
The following example shows the request URL with the Signature parameter: