You must sign all API requests to ensure security. Alibaba Cloud uses the request signature to verify the identity of the API caller. Each API request must contain a signature, regardless of whether the request is sent over HTTP or HTTPS.
Overview
To sign a RESTful API request, you must add the Authorization field to the request header in the following format:
Authorization:acs:AccessKeyId:Signature
where:
acs: the abbreviation for Alibaba Cloud Service. This field is fixed and cannot be modified.
AccessKeyId: the AccessKey ID that is used to call the API operation.
Signature: the signature generated after the request is symmetrically encrypted by using the AccessKey secret.
Procedure
The signature algorithm complies with RFC 2104 HMAC-SHA1 specifications. The AccessKey secret is used to calculate the hash-based message authentication code (HMAC) value of the encoded and sorted query string. The HMAC value is used as the signature string. Request signatures include operation-specific parameters. The signature of a request varies based on the request parameters.
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(
StringToSign)) )
To calculate a signature, perform the following steps:
Create a string-to-sign.
The string-to-sign is a string assembled by using related elements in an API request. The string is used to calculate the signature and contains the following elements:
HTTP header
Alibaba Cloud protocol headers (CanonicalizedHeaders)
Canonicalized resource (CanonicalizedResource)
Body
The string-to-sign must be in the following format:
StringToSign = // HTTP headers HTTP-Verb + "\n" + Accept + "\n" + Content-MD5 + "\n" +// The request body that is encrypted by using the MD5 algorithm. Content-Type + "\n" + Date + "\n" + // Canonicalized headers of Alibaba Cloud (CanonicalizedHeaders). CanonicalizedHeaders + // Canonicalized resource (CanonicalizedResource). CanonicalizedResource
Example:
Original request
POST /stacks?name=test_alert&status=COMPLETE HTTP/1.1 Host: ***.aliyuncs.com Accept: application/json Content-MD5: ChDfdfwC+Tn874znq7****== Content-Type: application/x-www-form-urlencoded;charset=utf-8 Date: Thu, 22 Feb 2018 07:46:12 GMT x-acs-signature-nonce: 550e8400-e29b-41d4-a716-44665544**** x-acs-signature-method: HMAC-SHA1 x-acs-signature-version: 1.0 x-acs-version: 2016-01-02
Canonicalized request
POST application/json ChDfdfwC+Tn874znq7****== application/x-www-form-urlencoded;charset=utf-8 Thu, 22 Feb 2018 07:46:12 GMT x-acs-signature-nonce: 550e8400-e29b-41d4-a716-44665544**** x-acs-signature-method:HMAC-SHA1 x-acs-signature-version:1.0 x-acs-version:2016-01-02 /stacks?name=test_alert&status=COMPLETE
Add the signature.
Add the calculated signature string to the request header in the following format:
Authorization: acs AccessKeyId:Signature
HTTP header
The HTTP headers in a string-to-sign must contain the following parameters. The parameters must be arranged in alphabetical order. If a parameter has no value, set the value to \n
.
Accept: the type of the response that is required by the client. Valid values:
application/json
andapplication/xml
.Content-MD5: the Base64-encoded 128-bit MD5 hash value of the HTTP request body.
Content-Type: the type of the HTTP request body. The type is defined in RFC 2616.
Date: the GMT time that complies with the HTTP 1.1 protocol. Example:
Wed, 05 Sep. 2012 23:00:00 GMT
.NoteYou do not need to specify your AccessKey pair in the HTTP header.
Example:
Original header
Accept: application/json Content-MD5: ChDfdfwC+Tn874znq7****== Content-Type: application/x-www-form-urlencoded;charset=utf-8 Date: Thu, 22 Feb 2018 07:46:12 GMT
Canonicalized header
application/json ChDfdfwC+Tn874znq7****== application/x-www-form-urlencoded;charset=utf-8 Thu, 22 Feb 2018 07:46:12 GMT
Alibaba Cloud protocol headers (CanonicalizedHeaders)
Alibaba Cloud canonicalized headers are non-standard HTTP headers. These headers are parameters that are prefixed with x-acs-
in a request. A request must contain the following parameters:
x-acs-signature-nonce: a unique random number used to prevent replay attacks. You must use different numbers for different requests.
x-acs-signature-version: the version of the signature encryption algorithm. Set the value to
1.0
.x-acs-version: the version number of the API. For more information, see the API documentation of each service.
To construct Alibaba Cloud canonicalized headers, perform the following steps:
Convert the names of all HTTP request headers prefixed with
x-acs-
to lowercase letters. For example, convertX-acs-OSS-Meta-Name: TaoBao
tox-acs-oss-meta-name: TaoBao
.Sort all HTTP request headers that are obtained from the preceding step in alphabetical order.
Delete all spaces on each side of the delimiter between each header and value. For example, convert
x-acs-oss-meta-name: TaoBao,Alipay
tox-acs-oss-meta-name:TaoBao,Alipay
.Separate all headers and content with delimiters (
\n
) to form the final canonicalized headers.
Example:
Original header
x-acs-signature-nonce: 550e8400-e29b-41d4-a716-44665544**** x-acs-signature-method: HMAC-SHA1 x-acs-signature-version: 1.0 x-acs-version: 2016-01-02GMT
Canonicalized header
x-acs-signature-nonce:550e8400-e29b-41d4-a716-44665544**** x-acs-signature-method:HMAC-SHA1 x-acs-signature-version:1.0 x-acs-version:2016-01-02
Canonicalized resource (CanonicalizedResource)
CanonicalizedResource represents the specification description of the resource that you want to access. Arrange sub-resources and query parameters in alphabetical order. Then, separate the parameters with ampersands (&)
to generate a sub-resource string. The sub-resource string consists of all parameters that follow the question mark (?)
.
Example:
Original request
/stacks?status=COMPLETE&name=test_alert
Canonicalized request
/stacks?name=test_alert&status=COMPLETE
Body
Encrypt the request body by using the MD5 algorithm, encode the encrypted request body in Base64, and then add the Base64-encoded string to the value of the Content-MD5 parameter.