Database Backup (DBS) verifies the identity of each API caller. You must include a signature in each API request regardless of whether the request is sent over HTTP or HTTPS. DBS implements symmetric encryption by using an AccessKey pair to verify the identity of the request sender.

An AccessKey pair consists of an AccessKey ID and an AccessKey secret. Alibaba Cloud issues AccessKey IDs and AccessKey secrets to Alibaba Cloud accounts and RAM users. You can create and manage your AccessKey pairs in the Alibaba Cloud Management Console. The AccessKey ID identifies the request sender. The AccessKey secret is used to compute the signature string on the client and to verify it on the server. You must strictly keep your AccessKey secret confidential.

To sign a request, perform the following steps:

  1. Create a canonicalized query string by arranging the request parameters.
    1. Arrange the request parameters, including all common request parameters and operation-specific parameters except Signature, in alphabetical order.
      Notice: When you use the GET method to submit a request, you must include the request parameters in the request URL. Place the request parameters after a question mark (?) and separate them with ampersands (&).
    2. Encode the name and value of each request parameter. Encode the names and values of all parameters in UTF-8 based on the following rules:
      1. Uppercase letters, lowercase letters, digits, and special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
      2. Other characters must be percent-encoded in the %XY format, where XY is the ASCII code of the character in hexadecimal notation. For example, a double quotation mark (") is encoded as %22.
      3. Non-ASCII characters are encoded byte by byte from their UTF-8 representation, which yields the %XY%ZA… format.
      4. Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
        Notice: Most libraries that support URL encoding, such as java.net.URLEncoder, implement the encoding rules of application/x-www-form-urlencoded, a Multipurpose Internet Mail Extensions (MIME) subtype, rather than the rules above. If you use java.net.URLEncoder, replace the plus signs (+) in the encoded string with %20, the asterisks (*) with %2A, and %7E with a tilde (~). The result then matches the preceding encoding rules.
    3. Connect the encoded name and value of each parameter with an equal sign (=).
    4. Arrange the encoded parameters in alphabetical order of parameter name and connect them with ampersands (&) to create a canonicalized query string.
  2. Use the canonicalized query string to create a string-to-sign based on the following rules:
    StringToSign=
    HTTPMethod + "&" +
    percentEncode("/") + "&" +
    percentEncode(CanonicalizedQueryString)
    Parameter description:
    • HTTPMethod: specifies the HTTP request method that is used to send a request, such as GET.
    • percentEncode("/"): the forward slash (/) encoded according to the URL encoding rules in Step 1, substep 2. The encoded value is %2F.
    • percentEncode(CanonicalizedQueryString): the canonicalized query string created in Step 1, encoded as a whole according to the same URL encoding rules, so that the equal signs and ampersands it contains are themselves percent-encoded.
  3. Calculate the hash-based message authentication code (HMAC) value of the string-to-sign based on the HMAC algorithm that is described in RFC 2104.
    Notice: Use the Secure Hash Algorithm 1 (SHA-1) as the hash function when you calculate the HMAC value of the string-to-sign (HMAC-SHA1). Append an ampersand (&) to your AccessKey secret and use the resulting string as the HMAC key. The ASCII value of an ampersand (&) is 38.
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the Signature parameter in the request and specify the signature string that is obtained as the value of the Signature parameter.
    Note: Before you add the signature string to the request, percent-encode it according to the RFC 3986 rules.

    In the following example, the DescribeDBInstances operation is called. This is the request URL before the Signature parameter is added:

    http://dbs-api.cn-hangzhou.aliyuncs.com/?Timestamp=2013-06-01T10:33:56Z&Format=XML&AccessKeyId=testid&Action=DescribeDBInstances&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&Version=2014-08-15&SignatureVersion=1.0
    The following string is the string-to-sign:
    GET&%2F&AccessKeyId%3Dtestid&Action%3DDescribeDBInstances&Format%3DXML&RegionId%3Dregion1&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3DNwDAxvLU6tFE0DVb&SignatureVersion%3D1.0&Timestamp%3D2013-06-01T10%253A33%253A56Z&Version%3D2014-08-15
    In this example, the AccessKey ID is testid and the AccessKey secret is testsecret. The secret key that you can use to calculate the HMAC value of the string-to-sign is testsecret&. The signature string that is obtained is cNr+cHw3awqsBaWs6J6hcGvnfJE=.

    The following URL is the signed request URL after the Signature parameter is added:

    http://dbs-api.cn-hangzhou.aliyuncs.com/?Timestamp=2013-06-01T10%3A33%3A56Z&Format=XML&AccessKeyId=testid&Action=DescribeDBInstances&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&SignatureVersion=1.0&Version=2014-08-15&Signature=cNr%2bcHw3awqsBaWs6J6hcGvnfJE%3d
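The five steps above, carried through in Python as an added example. This is not Alibaba Cloud's SDK code but an independent implementation of the rules as stated on this page, driven by the walkthrough's sample parameters and its placeholder credentials testid/testsecret; the endpoint constant, the function names and the verify_signature helper (the server-side counterpart of Step 3, included to show what the receiving end checks) are the example's own. Because the whole canonicalized query string is percent-encoded in Step 2, the ampersands between parameters appear as %26 in the string-to-sign, and the colons in the Timestamp are double-encoded as %253A.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Placeholder credentials from the page's walkthrough (not real keys).
ACCESS_KEY_ID = "testid"
ACCESS_KEY_SECRET = "testsecret"
# Endpoint from the page's sample URL; used only to assemble the final request URL.
ENDPOINT = "http://dbs-api.cn-hangzhou.aliyuncs.com"

# Request parameters decoded from the page's sample URL (Signature not yet present).
EXAMPLE_PARAMS = {
    "Timestamp": "2013-06-01T10:33:56Z",
    "Format": "XML",
    "AccessKeyId": ACCESS_KEY_ID,
    "Action": "DescribeDBInstances",
    "SignatureMethod": "HMAC-SHA1",
    "RegionId": "region1",
    "SignatureNonce": "NwDAxvLU6tFE0DVb",
    "Version": "2014-08-15",
    "SignatureVersion": "1.0",
}


def percent_encode(value):
    """Step 1, substep 2: keep A-Z a-z 0-9 - _ . ~ unencoded, encode every other
    UTF-8 byte as %XY with uppercase hex, space as %20 (never '+'), '*' as %2A."""
    return quote(str(value), safe="-_.~")


def canonicalized_query_string(params):
    """Step 1: drop Signature, sort by parameter name, encode names and values,
    join each pair with '=' and the pairs with '&'."""
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in items)


def string_to_sign(http_method, params):
    """Step 2: HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)."""
    return "&".join([
        http_method.upper(),
        percent_encode("/"),
        percent_encode(canonicalized_query_string(params)),
    ])


def compute_signature(access_key_secret, http_method, params):
    """Steps 3 and 4: HMAC-SHA1 keyed with AccessKey secret + '&', then Base64."""
    key = (access_key_secret + "&").encode("utf-8")
    message = string_to_sign(http_method, params).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signed_url(endpoint, access_key_secret, params, http_method="GET"):
    """Step 5: append the Signature parameter, itself percent-encoded (RFC 3986)."""
    signature = compute_signature(access_key_secret, http_method, params)
    query = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )
    return f"{endpoint}/?{query}&Signature={percent_encode(signature)}"


def verify_signature(access_key_secret, http_method, params):
    """Server side (example's own helper): recompute the signature from the received
    parameters, excluding Signature itself, and compare in constant time so that a
    mismatch does not leak how many leading characters matched."""
    presented = params.get("Signature")
    if not presented:
        return False
    expected = compute_signature(access_key_secret, http_method, params)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8", "replace"))


if __name__ == "__main__":
    print("StringToSign:", string_to_sign("GET", EXAMPLE_PARAMS))
    print("Signed URL:  ", build_signed_url(ENDPOINT, ACCESS_KEY_SECRET, EXAMPLE_PARAMS))
    signed = dict(EXAMPLE_PARAMS, Signature=compute_signature(ACCESS_KEY_SECRET, "GET", EXAMPLE_PARAMS))
    print("Verifies:    ", verify_signature(ACCESS_KEY_SECRET, "GET", signed))
    print("Tampered:    ", verify_signature(ACCESS_KEY_SECRET, "GET", dict(signed, RegionId="region2")))
```

The hex case in the encoded signature does not matter to the receiver (URL decoding treats %2B and %2b alike), which is why the page's signed URL with lowercase hex and this code's uppercase output are equivalent. verify_signature covers only the signature check itself; it says nothing about whether the Timestamp is recent or the SignatureNonce has been seen before, which a real receiving service would decide separately.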