To send a Smart Access Gateway (SAG) API request, you must send an HTTP GET request to the SAG endpoint. You must add the request parameters that correspond to the API operation being called. After you call the API operation, the system returns a response. Requests and responses are encoded in UTF-8.

Request structure

SAG API operations use the RPC protocol. You can call SAG API operations by sending HTTP GET requests.

The following request syntax is used:
http://endpoint/?Action=xx&parameters

Parameter descriptions:

  • Endpoint: the endpoint of the SAG API. The endpoint is smartag.cn-shanghai.aliyuncs.com.
  • Action: the name of the operation being performed. For example, to query SAG instances that you have created, you must set the Action parameter to DescribeSmartAccessGateways.
  • Version: the version of the API that you want to use. The current version of the SAG API is 2018-03-13.
  • Parameters: the request parameters for the operation. Separate multiple parameters with ampersands (&).

    Request parameters include both common parameters and operation-specific parameters. Common parameters include the API version number and authentication information.

The following example demonstrates how to call the DescribeSmartAccessGateways operation in SAG. The sample request is formatted to improve readability.

https://smartag.cn-shanghai.aliyuncs.com/?Action=DescribeSmartAccessGateways
&Format=xml
&Version=2018-03-13
&Signature=xxxx%xxxx%3D
&SignatureMethod=HMAC-SHA1
&SignatureNonce=15215528852396
&SignatureVersion=1.0
&AccessKeyId=key-test
&Timestamp=2018-04-01T12:00:00Z

API authorization

To ensure the security of your account, we recommend that you use a RAM user to call API operations. Before you call an API operation in SAG as a RAM user, you must create and attach the required policies to the RAM user. For more information, see RAM authentication.

Signature

You must sign all API requests to ensure security. SAG uses the request signature to verify the identity of the API caller.

SAG uses symmetric-key signing with an AccessKey pair to verify the identity of the request sender. An AccessKey pair is an identity credential issued to Alibaba Cloud accounts and RAM users that is similar to a logon username and password. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID is used to identify the user, while the AccessKey secret is the key used to compute and verify the signature string. You must keep your AccessKey secret strictly confidential.

To sign a request, perform the following steps:
  1. Construct a normalized request string (Canonicalized Query String) using request parameters.
    1. Sort the request parameters alphabetically by name. This includes the common request parameters and the operation-specific parameters described in this document, but excludes the Signature parameter itself.
      Notice: For a request submitted by using the GET method, these parameters are the parameter section of the request URL (that is, the section that follows "?" and is joined by "&").
    2. Encode the name and value of each request parameter. The names and values must be URL-encoded using the UTF-8 character set. The URL encoding rules are as follows:
      1. The characters A-Z, a-z, 0-9, and "-", "_", ".", "~" are not encoded.
      2. Other characters are encoded in "%XY" format, with XY representing the character's ASCII code in hexadecimal notation. For example, the English double quote (") is encoded as %22.
      3. Extended UTF-8 characters are encoded in "%XY%ZA…" format.
      4. A space is encoded as %20, not as the plus sign (+).
        Notice: Generally, libraries that support URL encoding (such as Java's java.net.URLEncoder) encode characters according to the rules for the MIME type "application/x-www-form-urlencoded". If this encoding method is used, replace the plus signs (+) in the encoded strings with %20, the asterisks (*) with %2A, and change %7E back to the tilde (~) to conform to the preceding encoding rules.
    3. Connect the encoded parameter names and values with the equal sign (=).
    4. Sort the parameter name and value pairs connected by equal signs in alphabetical order, and connect them with the (&) symbol to produce the Canonicalized Query String.
  2. Use the Canonicalized Query String constructed in the previous step to build the string used for signature calculation (the string-to-sign) according to the following rule:
    StringToSign=
    HTTPMethod + "&" +
    percentEncode("/") + "&" +
    percentEncode(CanonicalizedQueryString)
    Parameter description:
    • HTTPMethod: the HTTP method used for request submission, for example, GET.
    • percentEncode("/"): the encoded value of the character "/" according to the URL encoding rules described in substep 2 of Step 1, namely "%2F".
    • percentEncode(CanonicalizedQueryString): the encoded string of the Canonicalized Query String constructed in Step 1, produced by following the URL encoding rules described in substep 2 of Step 1.
  3. Use the preceding string-to-sign to calculate the HMAC value of the signature as defined in RFC 2104.
    Notice: The key used to calculate the signature is your AccessKey secret followed by the "&" character (ASCII code 38). The hash algorithm is SHA1.
  4. According to Base64 encoding rules, encode the preceding HMAC value into a string, which gives you the signature value.
  5. Add the signature to the request as the Signature parameter. The result is the signed API request.
    Note: When the signature is submitted to SAG as the final request parameter value, the signature must be URL-encoded based on the rules defined in RFC 3986.

The following example shows the request URL of the DescribeSmartAccessGateways operation before the request is signed:
http://smartag.cn-shanghai.aliyuncs.com/?Timestamp=2016-04-23T12:46:24Z&Format=XML&AccessKeyId=testid&Action=DescribeSmartAccessGateways&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&Version=2018-03-13&SignatureVersion=1.0

The following string is the string-to-sign:
GET&%2F&AccessKeyId%3Dtestid&Action%3DDescribeSmartAccessGateways&Format%3DXML&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3D3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&SignatureVersion%3D1.0&Timestamp%3D2018-04-23T12%253A46%253A24Z&Version%3D2018-03-13

In this example, the AccessKey ID is testid and the AccessKey secret is testsecret. The secret key that is used to calculate the HMAC value of the string-to-sign is testsecret&. The signature is CT9X0VtwR86fNWSnsc6v8YGOjuE=.

The following URL is the signed request URL after the signature is added to the request as the Signature parameter:
http://smartag.cn-shanghai.aliyuncs.com/?Timestamp=2016-04-23T12%3A46%3A24Z&Format=XML&AccessKeyId=testid&Action=DescribeSmartAccessGateways&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&SignatureVersion=1.0&Version=2018-03-13&Signature=CT9X0VtwR86fNWSnsc6v8YGOjuE%3D
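
The signing steps above, written out as an added Python example (not part of the original page and not Alibaba Cloud SDK code). It uses the page's test values (AccessKey ID testid, AccessKey secret testsecret) as constructed sample input; the function names and the verify helper, which mirrors the check a receiver would perform, are assumptions of this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample input: parameter values and secret are the page's test values.
SAMPLE_SECRET = "testsecret"
SAMPLE_PARAMS = {
    "Timestamp": "2016-04-23T12:46:24Z", "Format": "XML", "AccessKeyId": "testid",
    "Action": "DescribeSmartAccessGateways", "SignatureMethod": "HMAC-SHA1",
    "RegionId": "region1", "SignatureNonce": "3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf",
    "Version": "2018-03-13", "SignatureVersion": "1.0",
}

def percent_encode(text):
    # Only A-Z a-z 0-9 - _ . ~ stay literal; space -> %20 (never "+"), "*" -> %2A.
    return quote(str(text), safe="-_.~")

def canonicalized_query_string(params):
    # Step 1: drop Signature, sort by name, encode names and values, join with "&".
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in pairs)

def string_to_sign(method, params):
    # Step 2: the whole canonicalized string is encoded again, so its "=" and "&"
    # become %3D and %26 and an already-encoded ":" (%3A) becomes %253A.
    return "&".join([method, percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])

def sign(method, params, access_key_secret):
    # Steps 3-4: HMAC-SHA1 keyed with the secret followed by "&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_url(endpoint, params, access_key_secret, method="GET"):
    # Step 5: append Signature; percent_encode covers "+", "/" and "=" in Base64.
    query = dict(params, Signature=sign(method, params, access_key_secret))
    return f"https://{endpoint}/?" + "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in query.items())

def verify(method, params, access_key_secret):
    # Receiver's check: recompute over all parameters except Signature and
    # compare in constant time so the comparison leaks no timing information.
    expected = sign(method, params, access_key_secret).encode("ascii")
    return hmac.compare_digest(expected, str(params.get("Signature", "")).encode("utf-8"))

if __name__ == "__main__":
    print(signed_url("smartag.cn-shanghai.aliyuncs.com", SAMPLE_PARAMS, SAMPLE_SECRET))
```

In real use, load the AccessKey secret from the environment or a secret store instead of source code, and generate a fresh SignatureNonce and Timestamp for every request.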