In Object Storage Service (OSS), using the Authorization header of HTTP requests is the most common method of providing authentication information. Except for POST requests and requests that are signed by using query parameters, all OSS operations use the Authorization header for authentication. This topic describes how to include a V4 signature in the Authorization header.
Use OSS SDKs to automatically implement V4 signatures
OSS SDKs support the automatic implementation of V4 signatures. We recommend that you use OSS SDKs to initiate requests. This eliminates the need to manually calculate signatures. For more information about how to sign requests by using the V4 signature algorithm when you use OSS SDKs for different programming languages, see the sample code of OSS SDKs. The following table provides references to the sample code used to sign requests by using the V4 signature algorithm when you use OSS SDKs for different programming languages.
OSS SDK | Sample code |
Java | |
PHP | |
Node.js | |
Browser.js | |
Python | |
Go | |
C++ | |
C |
Calculation of the Authorization header
Separate the signature algorithm version and signature information in the Authorization
header with a space. The following table describes the components of the Authorization header.
Component | Description |
Signature algorithm version | The algorithm that is used to calculate the signature. Valid value: OSS4-HMAC-SHA256. |
Signature information | The parameters used to calculate the signature. The signature information is in the form of key-value pairs. Separate key-value pairs with commas (,), and connect keys and values with equal signs (=). The keys in the signature information include two required fields (
|
Format
Authorization: "OSS4-HMAC-SHA256 Credential=" + AccessKeyId + "/" + SignDate + "/" + SignRegion + "/oss/aliyun_v4_request, " + [ "AdditionalHeaders=" + AdditionalHeadersVal + ", " ] + "Signature=" + SignatureVal
Example
Authorization: OSS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20231203/cn-hangzhou/oss/aliyun_v4_request, AdditionalHeaders=host;userdefine, Signature=34b48302e7b5fa45bde8084f4b7868a86f0a534bc59db6670ed5711ef69dc6f7
When you send a request by using the temporary access credentials obtained from Security Token Service (STS), you must add the obtained security token to the request headers by specifying the x-oss-security-token:security-token
header. For more information about how to obtain a security token, see AssumeRole.
Signature calculation process
Step 1: Create a canonical request
Step 2: Create a string to sign
Step 3: Calculate the signature
Signature calculation example
In this example, PutObject is used to describe how to include a V4 signature in the Authorization header.
Parameters
Parameter
Example
AccessKeyId
accesskeyid
AccessKeySecret
accesskeysecret
Timestamp
20231203T121212Z
Bucket
examplebucket
Object
exampleobject
Region
cn-hangzhou
PutObject
PUT /exampleobject HTTP/1.1 Content-MD5: eB5eJF1ptWaXm4bijSPyxw Content-Type: text/html Date: Sun, 03 Dec 2023 12:12:12 GMT Host: examplebucket.oss-cn-hangzhou.aliyuncs.com Authorization: SignatureToBeCalculated x-oss-date: 20231203T121212Z x-oss-meta-author: alice x-oss-meta-magic: abracadabra x-oss-content-sha256: UNSIGNED-PAYLOAD
To include a V4 signature in the Authorization header, perform the following steps:
Create a canonical request.
PUT /examplebucket/exampleobject content-md5:eB5eJF1ptWaXm4bijSPyxw content-type:text/html host:examplebucket.oss-cn-hangzhou.aliyuncs.com x-oss-content-sha256:UNSIGNED-PAYLOAD x-oss-date:20231203T121212Z x-oss-meta-author:alice x-oss-meta-magic:abracadabra host UNSIGNED-PAYLOAD
Create a string to sign.
OSS4-HMAC-SHA256 20231203T121212Z 20231203/cn-hangzhou/oss/aliyun_v4_request 129b14df88496f434606e999e35dee010ea1cecfd3ddc378e5ed4989609c1db3
Calculate the signature.
Calculate the signing key.
NoteFor readability, the following example shows the Base64-encoded value of the signing key.
WVjaYR8lCj9YC5PUS2RSZQANYbuh9DhMFxjU1NtZKfc=
Calculate the signature.
4b663e424d2db9967401ff6ce1c86f8c83cabd77d9908475239d9110642c63fa
Add the signature to the Authorization header.
OSS4-HMAC-SHA256 Credential=accesskeyid/20231203/cn-hangzhou/oss/aliyun_v4_request,AdditionalHeaders=host,Signature=4b663e424d2db9967401ff6ce1c86f8c83cabd77d9908475239d9110642c63fa