DMS performs identity authentication on each access request. Therefore, whether submitted through HTTP or HTTPS, a request must contain Signature information. DMS uses AccessKey ID and AccessKey Secret to authenticate the request sender.

AccessKey ID and AccessKey Secret are officially issued to visitors by Alibaba Cloud. Visitors can apply for and manage them on the Alibaba Cloud official website. Where AccessKey ID identify the visitor's identity. AccessKey Secret is used to encrypt the signature string on the client side and to verify the signature string on the server side. The accesskey secret must be kept strictly confidential.

When you access DMS, you must use the following method to sign the request.

  1. Create a canonicalized query string by arranging the request parameters.
    1. Sort parameters: Sort all request parameters in the request (including common request parameters and custom parameters of the interface, but does not include common request parameters in Signature parameter).
      Note When you use the GET method to submit a request, the request parameters are included in the URL following question mark (?) The portion followed by the and(&) character).
    2. Encode parameters: Perform URL encoding for names and values of sorted request parameters by using the UTF-8 character set.
      • For characters A-Z, a-z, 0-9, hyphens (-), underscores (_), periods (.), And tildes (~) without coding.
      • Other characters are encoded in the %XY format, where XY is the hexadecimal representation of a character in American Standard Code for Information Interchange (ASCII). For example, the English double quotation mark (") is encoded as % 22.
      • Extended UTF-8 characters are encoded in the %XY%ZA… format.
      • The English space () must be encoded into % 20 instead of the plus sign (+). The encoding method and the general use of application/x-www-form-urlencoded the encoding method is different. If this encoding method is used, encode the encoding method first, and then replace the plus sign (+) % 20 replace the asterisk (*) with % 2A, % 7E replace with a tilde (~) to conform to the encoding rules described above. You can use the following percentEncode () method to implement this algorithm.
      private static final String ENCODING = "UTF-8";
      private static String percentEncode(String value) throws UnsupportedEncodingException {
      return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
    3. Associate the encoded parameter names with their encoded values separately by using equal signs (=).
    4. Sort the parameter name and value pairs connected by equal signs in the order specified in sort parameters and connect the pairs with ampersands (&) to produce the canonicalized query string.
  2. Create a string-to-sign from the encoded canonicalized query string. The steps to create a string-to-sign are as follows:
    HTTPMethod + "&" +
    percentEncode("/") + "&" +
    In the preceding rules,
    • HTTPMethod: indicates the HTTP method used to submit the request, such as GET.
    • percentEncode("/") follow the URL encoding rules described in step 1 to encode "/" the value obtained by encoding, namely % 2F.
    • percentEncode(CanonicalizedQueryString): encode the canonicalized query string by following the URL encoding rules described in step 1.
  3. Calculate the HMAC value of the string-to-sign based on RFC 2104.
    Note The Key used for signature calculation is your AccessKeySecret followed by the and(&) character (ASCII:38). The algorithm used to calculate your signature is HMAC-SHA1.
  4. Encode the HMAC value in Base64 to obtain the signature string.
    Note When the obtained signature value is submitted to the ECS server as the final request parameters value, RFC3986 to perform URL encoding.
  5. Add the Signature value to the request parameters as the Signature parameter. This completes the request Signature.


To DescribeRegions as an example. Assume that the AccessKey Id for testid, AccessKey Secret for testsecret. The original request URL is as follows: TimeStamp=2016-02-23T12:46:24Z&Format=XML&AccessKeyId=testid&Action=DescribeRegions&SignatureMethod=HMAC-SHA1&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad8******&Version=2014-05-26&SignatureVersion=1.0

The calculated string to be signed. StringToSign for:


Because AccessKey Secret for testsecret the Key used for HMAC calculation is testsecret& the calculated signature value is length=.

Add this Signature value to the request as the Signature parameter. The URL of the signed request is as follows: SignatureVersion=1.0&Action=DescribeRegions&Format=XML&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad8******&Version=2014-05-26&AccessKeyId=testid&Signature=CT9X0VtwR86fNWSnsc6v8YGOjuE%3D&SignatureMethod=HMAC-SHA1&TimeStamp=2016-02-23T12%3A46%3A24Z