All Documents
Current Document
Content is empty
If you don't find the content you expect, please try another search term
Content is empty
If you don't find the content you expect, please try another search term
Last updated:2026-03-18 14:12:49
Kingsoft Cloud Monitor APIs use the AWS Signature Version 4 protocol (HMAC-SHA256) to authenticate requests. This ensures that requests are encrypted and verified against your secret access key.
GET Requests: The signature is included in the query string.
POST Requests: The signature is typically included in the Authorization HTTP header.
The signing process involves creating a Canonical Request, generating a String to Sign, and finally calculating the Signature.
Format the HTTP request into a standard string to ensure consistent hashing.
text
编辑
CanonicalRequest =
HTTPRequestMethod + '\n' +
CanonicalURI + '\n' +
CanonicalQueryString + '\n' +
CanonicalHeaders + '\n' +
SignedHeaders + '\n' +
HexEncode(Hash(RequestPayload))Detailed Steps:
HTTP Method: Uppercase method name (e.g., GET, POST) followed by a newline.
Canonical URI: The absolute path of the URI, URL-encoded. Use / if empty. Followed by a newline.
Canonical Query String:
URL-encode each parameter name and value.
Sort parameters by ASCII byte order of the name.
Join name-value pairs with = and pairs with &.
Followed by a newline.
Canonical Headers:
Convert header names to lowercase.
Trim whitespace from values.
Format: lowercase-header-name:value\n.
Sort headers by name.
Required Headers: host and x-amz-date (or date) must be included.
Signed Headers: A semicolon-separated list of lowercase header names used in the canonical headers (e.g., host;x-amz-date).
Hashed Payload:
Calculate the SHA-256 hash of the request body (payload).
Encode the result as a lowercase hexadecimal string.
Note: For GET requests with no body, use the hash of an empty string.
Construct the string that will be signed using the canonical request hash.
text
编辑
StringToSign =
Algorithm + '\n' +
RequestDate + '\n' +
CredentialScope + '\n' +
HashedCanonicalRequestAlgorithm: AWS4-HMAC-SHA256
RequestDate: ISO 8601 basic format (YYYYMMDD'T'HHMMSS'Z').
CredentialScope: YYYYMMDD/region/service/aws4_request
YYYYMMDD: Date derived from the request date.
region: The target region (e.g., cn-beijing-1).
service: The service name (e.g., monitor).
HashedCanonicalRequest: The SHA-256 hash (hex encoded) of the Canonical Request from Step 1.
Derive a signing key from your Secret Access Key and calculate the final signature.
1. Derive the Signing Key:
Do not use your Secret Key directly. Instead, derive it using HMAC-SHA256:
python
编辑
kSecret = "Your_Secret_Access_Key"
kDate = HMAC("AWS4" + kSecret, Date) # Date is YYYYMMDD
kRegion = HMAC(kDate, Region)
kService = HMAC(kRegion, Service) # Service is "monitor"
kSigning = HMAC(kService, "aws4_request")Note: The result of each HMAC step is raw binary data, not hex-encoded.
2. Calculate Signature:
python
编辑
Signature = HexEncode(HMAC(kSigning, StringToSign))Use the kSigning key derived above.
Use the StringToSign from Step 2.
Output the result as a lowercase hexadecimal string.
Add the calculated signature to the Authorization header:
text
编辑
Authorization: AWS4-HMAC-SHA256 Credential=ACCESS_KEY/DATE/REGION/SERVICE/aws4_request, SignedHeaders=HOST;X-AMZ-DATE, Signature=SIGNATURE_VALUEAppend the signature and related parameters to the URL:
text
编辑
? ... &X-Amz-Algorithm=AWS4-HMAC-SHA256 &X-Amz-Credential=ACCESS_KEY/DATE/REGION/SERVICE/aws4_request &X-Amz-Date=YYYYMMDDTHHMMSSZ &X-Amz-SignedHeaders=host &X-Amz-Signature=SIGNATURE_VALUETime Synchronization: Ensure your client machine's clock is synchronized with NTP. Requests with timestamps too far in the past or future will be rejected (SignatureExpired).
Secret Key Security: Never expose your Secret Access Key in client-side code or public repositories.
HTTPS: Always use HTTPS to protect your signature and data in transit.
Pure Mode