ApsaraDB for MongoDB authenticates every access request, so all HTTP and HTTPS requests must contain signature information. ApsaraDB for MongoDB implements symmetric encryption through the AccessKey ID and AccessKey secret to authenticate the request sender.

AccessKey pairs are issued by Alibaba Cloud. You can visit the Alibaba Cloud International site (alibabacloud.com) to apply for and manage an AccessKey pair. The AccessKey ID is used to verify the identity of the user, whereas the AccessKey secret is used to encrypt and verify the signature string. You must keep your AccessKey secret strictly confidential. To sign a request, perform the following steps:

  1. Create a canonicalized query string by arranging the request parameters.
    1. Arrange the request parameters, including all common request parameters and operation-specific parameters except Signature, in alphabetical order.
      Note When you use the GET method to submit a request, the request parameters are included as a part of the URI. They are the part of the URI that follows the question mark (?), and they are separated from each other by ampersands (&).
    2. Encode the name and value of each request parameter. URL encode parameter names and values based on the UTF-8 character set. The URL encoding rules are described as follows:
      1. Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
      2. Other characters must be percent encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      3. Extended UTF-8 characters are encoded in the %XY%ZA… format. Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
        Note Generally, all the libraries that support URL encoding, such as java.net.URLEncoder, perform encoding based on the rule of the application/x-www-form-urlencoded MIME type. If this encoding method is used, replace the plus signs (+) in the encoded strings with %20, the asterisks (*) with %2A, and %7E with a tilde (~) to conform to the encoding rules.
    3. Connect the encoded name and value of each parameter with an equal sign (=).
    4. Arrange the encoded parameters in alphabetical order based on the first letter of the name of each parameter and connect the parameters with ampersands (&) to create a canonicalized query string.
  2. Create a string-to-sign from the encoded canonicalized query string based on the following rules:
    HTTPMethod + "&" +
    percentEncode("/") + "&" +
    percentEncode(CanonicalizedQueryString)

    • HTTPMethod: specifies the HTTP method that is used to send a request, such as GET.
    • percentEncode("/"): encodes the forward slashes (/) based on the URL encoding rules described in Step 1.ii. The encoded value of a forward slash (/) is %2F.
    • percentEncode(CanonicalizedQueryString): encodes the canonicalized query string that is created in Step 1 based on the URL encoding rules described in Step 1.ii.
  3. Calculate the hash-based message authentication code (HMAC) value of the string-to-sign based on the HMAC algorithm that is described in RFC 2104.
    Note The key that is used to calculate the signature is the AccessKey secret appended with an ampersand (&) (ASCII: 38). Secure Hash Algorithm 1 (SHA1) is used in the calculation.
  4. Encode the HMAC value into a string according to Base64 encoding rules. You can then obtain the signature value.
  5. Add this signature value to the request parameters as the value of the Signature parameter. You have now completed the request signing process.
    Note When the signature string is submitted to the RDS server as the final request parameter value, the string must be URL-encoded like other parameters based on rules defined in RFC 3986.
    In this example, the DescribeDBInstances operation is called. The following code is a request URL that does not contain the Signature parameter:
    The following string is the string-to-sign:
    Assume that the AccessKey ID is testid, the AccessKey secret is testsecret, and the key used for HMAC calculation is testsecret&. The following signature string is obtained:
    The following URL is the signed request URL after the Signature parameter is added:
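
Steps 1 to 5 above, as an added Python example (not Alibaba Cloud's code), including a receiving-side check that recomputes the signature and compares it in constant time. The function names are this example's own, and the request parameters are constructed sample values; only testid and testsecret come from the text.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def percent_encode(value):
    # Step 1.ii: UTF-8 bytes; only A-Z a-z 0-9 - _ . ~ stay literal,
    # so a space becomes %20 (never +) and * becomes %2A.
    return quote(str(value), safe="-_.~", encoding="utf-8")

def canonicalized_query(params):
    # Steps 1.i, 1.iii, 1.iv: drop Signature, sort by name, join name=value with &.
    # sorted() orders by code point (assumption for mixed-case names).
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in items)

def string_to_sign(method, params):
    # Step 2: HTTPMethod & percentEncode("/") & percentEncode(query string)
    return "&".join([method, percent_encode("/"),
                     percent_encode(canonicalized_query(params))])

def sign(method, params, access_key_secret):
    # Steps 3-4: HMAC-SHA1 keyed with the secret plus "&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    msg = string_to_sign(method, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")

def signed_query(method, params, access_key_secret):
    # Step 5: the Signature value is percent-encoded like any other parameter.
    sig = sign(method, params, access_key_secret)
    return canonicalized_query(params) + "&Signature=" + percent_encode(sig)

def verify(method, params, access_key_secret):
    # Receiving side: recompute over everything except Signature, compare in constant time.
    expected = sign(method, params, access_key_secret).encode("utf-8")
    return hmac.compare_digest(expected, str(params.get("Signature", "")).encode("utf-8"))

# Constructed sample request. testid / testsecret come from the text above;
# the RegionId value and the ExampleNote parameter are hypothetical.
SAMPLE_PARAMS = {
    "Action": "DescribeDBInstances",
    "AccessKeyId": "testid",
    "RegionId": "cn-hangzhou",
    "ExampleNote": "a b*~+",
}

if __name__ == "__main__":
    print(string_to_sign("GET", SAMPLE_PARAMS))
    print(signed_query("GET", SAMPLE_PARAMS, "testsecret"))
```

Because the canonicalized query string is percent-encoded a second time in Step 2, a literal `%20` in it appears as `%2520` in the string-to-sign; a mismatch at that point is the usual cause of a rejected signature.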