Signature method

Last updated:2021-05-27 17:52:42

Signature Version 4 is used for API operations of Kingsoft Cloud Billing Center. For more information, see Signature Version 4 signing process. Signatures can be added to HTTP GET and POST requests.

  • In a GET request, all request parameters including Signature are placed in a URL. The URL length is limited.
  • In a POST request, Signature is added to the Authorization header.

Signing process

1. Create a canonical request

Canonicalize a request so that the signing process is standardized. Pseudocode is as follows:

CanonicalRequest = HTTPRequestMethod + '\n' + CanonicalURI + '\n' + CanonicalQueryString + '\n' + CanonicalHeaders + '\n' + SignedHeaders + '\n' + HexEncode(Hash(RequestPayload))

Hash indicates the hash algorithm. Currently, the SHA-256 algorithm is used. HexEncode indicates a function that returns the hexadecimal encoding of the hash value in lowercase letters.

The procedure is as follows:

(1) Extract the HTTP request method, for example, GET, PUT, or POST, and add a newline character to the end.

(2) URI-encode the absolute path of the URI to obtain a canonical URI. If the absolute path is empty, use a forward slash (/) and add a newline character to the end.

(3) Construct a canonical query string and add a newline character to the end.

  • URI-encode all parameter names and values in the query string. In the GET request method, URI-encode all the parameters, including the hash algorithm, credential scope, signing date, and signed headers.
  • Sort parameter names by ASCII byte.
  • Connect each parameter name and its value with an equal sign (=), and connect parameter pairs with ampersands (&) according to the sorting sequence.

(4) Construct canonical headers and add a newline character to the end. Pseudocode is as follows:

CanonicalHeaders = CanonicalHeadersEntry0 + CanonicalHeadersEntry1 + ... + CanonicalHeadersEntryN


CanonicalHeadersEntry = Lowercase(HeaderName) + ':' + Trimall(HeaderValue) + '\n'

lowercase indicates a function that converts all header names to lowercase. The trimall function is used to remove spaces before and after a header value and convert consecutive spaces in the header value into a single space, without removing any spaces between double quotation marks (" "). The canonical headers are sorted by header name.

(5) Add signed headers and add a newline character to the end.

Signed headers are a list of headers that you included in the canonical headers. By adding signed headers, you specify which headers in the request are part of the signing process. This way, additional headers added by the proxy to the request are ignored. The host and x-amz-date headers must be included if they exist. Pseudocode is as follows:

SignedHeaders = Lowercase(HeaderName0) + ';' + Lowercase(HeaderName1) + ";" + ... + Lowercase(HeaderNameN)

(6) Perform a hash operation on the request body by using the SHA256 algorithm, and convert the obtained binary hash value into a lowercase hexadecimal string. Pseudocode is as follows:

HashedPayload = Lowercase(HexEncode(Hash(requestPayload)))

(7) Combine the results of steps (1) to (6) into a string, which is a canonical request.

(8) Perform a hash operation on the canonical request by using the SHA256 algorithm.

2. Create a string-to-sign

The string-to-sign contains metadata of the original request and the canonical request, including the signing algorithm, request date, credential scope, and hash value of the canonical request. Pseudocode is as follows:

StringToSign = Algorithm + '\n' + RequestDate + '\n' + CredentialScope + '\n' + HashedCanonicalRequest

The signing algorithm is AWS4-HMAC-SHA256. The request date is in the format of YYYYMMDD’T’HHMMSS’Z’. The credential scope is in the format of YYYYMMDD/region/service/aws4_request (containing the request date in the ISO 8601 basic format). The hash value of the canonical request is obtained in step (8) of Create a canonical request. Do not add a newline character to the end of the hash value.

3. Calculate a signature

Derive a signing key from the SecretAccessKey, and calculate a signature by using the signing key and the string-to-sign obtained in Create a string-to-sign. The procedure is as follows:

(1) Generate a signing key. Pseudocode is as follows:

kSecret = *Your KSC Secret Access Key*
kDate = HMAC("AWS4" + kSecret, Date)
kRegion = HMAC(kDate, Region)
kService = HMAC(kRegion, Service)
kSigning = HMAC(kService, "aws4_request")

The key for each hash operation is generated by using the HMAC-SHA256 algorithm. The key for the first HMAC hash operation is the SecretAccessKey. The data for each hash operation is sequentially the date, region name, service name, and end string in the credential scope. The result of each hash operation is a 256-bit (32-byte) binary hash value, which is not converted into an octal or hexadecimal code.

(2) Calculate a signature. Pseudocode is as follows:

signature = HexEncode(HMAC(derived-signing-key, string-to-sign))

Perform a hash operation on the key (signing key) and data (string-to-sign) by using the HMAC-SHA256 algorithm. The signed binary hash value is converted into a hexadecimal code.

Did you find the above information helpful?

Mostly Unhelpful
A little helpful
Very helpful

What might be the problems?

Unclear or awkward
Redundant or clumsy
Lack of context for the complex system or functionality

More suggestions


Please give us your feedback.


Thank you for your feedback.