You need to enable JavaScript to run this app.
导航

签名示例

最近更新时间2023.03.31 16:49:06

首次发布时间2021.11.10 18:21:34

本文以请求IAM的接口为例,示例中AK/SK不具备权限,仅作demo示范,实际请求请使用真实创建的AK/SK。

步骤一:原始请求

AK:AKLTMjI2ODVlYzI3ZGY1NGU4ZjhjYWRjMTlmNTM5OTZkYzE
SK:TnpCak5XWXpZV1U0WkRaaE5ERmxaR0ZpTmpjeVkyUXlZek0wTWpJMU1qWQ==

GET https://iam.volcengineapi.com/?Action=ListUsers&Version=2020-04-01&Limit=10&Offset=0 HTTP/1.1
Host: iam.volcengineapi.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Content-Sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Date:20200401T081805Z

步骤二:创建规范请求

规范请求如下:

CanonicalRequest = HTTPRequestMethod + '\n' + CanonicalURI + '\n' + CanonicalQueryString + '\n' + CanonicalHeaders + '\n' + SignedHeaders + '\n' + HexEncode(Hash(RequestPayload))

HTTPRequestMethod

GET

CanonicalURI

/

CanonicalQueryString

Action=ListUsers&Limit=10&Offset=0&Version=2020-04-01

CanonicalHeaders
将需要参与签名的header的key全部转成小写,然后以ASCII排序后以key-value的方式组合后换行构建。

content-type:application/x-www-form-urlencoded; charset=utf-8
host:open.volcengineapi.com
x-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-date:20200401T081805Z

SignedHeaders

content-type;host;x-content-sha256;x-date

HexEncode(Hash(RequestPayload))
无论是GET请求还是POST请求都有RequestPayload,其中此请求中的RequestPayload是空字符串。
这里的hash算法代指:sha256

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

最终CanonicalRequest

GET
/
Action=ListUsers&Limit=10&Offset=0&Version=2020-04-01
content-type:application/x-www-form-urlencoded; charset=utf-8
host:open.volcengineapi.com
x-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-date:20200401T081805Z

content-type;host;x-content-sha256;x-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

步骤三:创建待签字符串

StringToSign = Algorithm + '\n' + RequestDate + '\n' + CredentialScope + '\n' + HexEncode(Hash(CanonicalRequest))

Algorithm
目前是一个固定的字符串。

HMAC-SHA256

RequestDate
请求发起的时间,与X-Date相同。

20200401T081805Z

CredentialScope
指代信任状,格式为:YYYYMMDD / region / service /request。
此请求信息如下:

20200401/cn-north-1/iam/request

HexEncode(Hash(CanonicalRequest))

761c3301e068aa7e13d57ec6ed149b69a159baade9e5cfacdc9cd88954a4f611

最终StringToSign

HMAC-SHA256
20200401T081805Z
20200401/cn-north-1/iam/request
761c3301e068aa7e13d57ec6ed149b69a159baade9e5cfacdc9cd88954a4f611

步骤四:构建签名

HMAC这里代指HMAC-SHA256。
Signingkey示例

HMAC(HMAC(HMAC(HMAC(kSecret,"20200401"),"cn-north-1"),"iam"),"request")

以下示例显示了此HMAC哈希操作序列生成的派生签名密钥。这说明了此二进制签名密钥中每个字节的十六进制表示形式。

e7d2eb478084eaaaf8f85c161de16f13d97e52e77bd0415f33e7feb561cccffd

Signature示例

signature = HexEncode(HMAC(Signingkey, StringToSign))

最终的结果如下:

88dd0a9ea555d8609ec83eb46054b52f6cd4f79b8d5094fa784c66fa3f2b9e1d

步骤五:将签名添加到请求当中

在请求中增加Authorization的header如下:

Authorization: HMAC-SHA256 Credential={AccessKeyId}/{CredentialScope}, SignedHeaders={SignedHeaders}, Signature={Signature}

完整结果如下:

Authorization: HMAC-SHA256 Credential=AKLTMjI2ODVlYzI3ZGY1NGU4ZjhjYWRjMTlmNTM5OTZkYzE/20200401/cn-north-1/iam/request, SignedHeaders=content-type;host;x-content-sha256;x-date, Signature=88dd0a9ea555d8609ec83eb46054b52f6cd4f79b8d5094fa784c66fa3f2b9e1d