本文以请求IAM的接口为例，示例中AK/SK不具备权限，仅作demo示范，实际请求请使用真实创建的AK/SK。

签名源码示例

以下提供了几种主要语言的签名代码。详情请参见签名源码示例。

• Golang：https://github.com/volcengine/volc-openapi-demos/blob/main/signature/golang/sign.go
• Python：https://github.com/volcengine/volc-openapi-demos/blob/main/signature/python/sign.py
• Java：https://github.com/volcengine/volc-openapi-demos/blob/main/signature/java/Sign.java
• PHP：https://github.com/volcengine/volc-openapi-demos/blob/main/signature/php/sign.php
• Node.js：https://github.com/volcengine/volc-openapi-demos/blob/main/signature/nodejs/sign.js

步骤一：原始请求

AK：AKLTMjI2ODVlYzI3ZGY1NGU4ZjhjYWRjMTlmNTM5OTZkYzE
SK：TnpCak5XWXpZV1U0WkRaaE5ERmxaR0ZpTmpjeVkyUXlZek0wTWpJMU1qWQ==

GET https://iam.volcengineapi.com/?Action=ListUsers&Version=2020-04-01&Limit=10&Offset=0 HTTP/1.1
Host: iam.volcengineapi.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Content-Sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Date:20200401T081805Z

步骤二：创建规范请求

规范请求如下：

CanonicalRequest = HTTPRequestMethod + '\n' + CanonicalURI + '\n' + CanonicalQueryString + '\n' + CanonicalHeaders + '\n' + SignedHeaders + '\n' + HexEncode(Hash(RequestPayload))

HTTPRequestMethod

GET

CanonicalURI

/

CanonicalQueryString

Action=ListUsers&Limit=10&Offset=0&Version=2020-04-01

CanonicalHeaders
将需要参与签名的header的key全部转成小写，然后以ASCII排序后以key-value的方式组合后换行构建。

content-type:application/x-www-form-urlencoded; charset=utf-8
host:open.volcengineapi.com
x-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-date:20200401T081805Z

SignedHeaders

content-type;host;x-content-sha256;x-date

HexEncode(Hash(RequestPayload))
无论是GET请求还是POST请求都有RequestPayload，其中此请求中的RequestPayload是空字符串。
这里的hash算法代指：sha256

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

最终CanonicalRequest

GET
/
Action=ListUsers&Limit=10&Offset=0&Version=2020-04-01
content-type:application/x-www-form-urlencoded; charset=utf-8
host:open.volcengineapi.com
x-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-date:20200401T081805Z

content-type;host;x-content-sha256;x-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

步骤三：创建待签字符串

StringToSign = Algorithm + '\n' + RequestDate + '\n' + CredentialScope + '\n' + HexEncode(Hash(CanonicalRequest))

Algorithm
目前是一个固定的字符串。

HMAC-SHA256

RequestDate
请求发起的时间，与X-Date相同。

20200401T081805Z

CredentialScope
指代信任状，格式为：YYYYMMDD / region / service /request。
此请求信息如下：

20200401/cn-north-1/iam/request

HexEncode(Hash(CanonicalRequest))

761c3301e068aa7e13d57ec6ed149b69a159baade9e5cfacdc9cd88954a4f611

最终StringToSign

HMAC-SHA256
20200401T081805Z
20200401/cn-north-1/iam/request
761c3301e068aa7e13d57ec6ed149b69a159baade9e5cfacdc9cd88954a4f611

步骤四：构建签名

HMAC这里代指HMAC-SHA256。
Signingkey示例

HMAC(HMAC(HMAC(HMAC(kSecret,"20200401"),"cn-north-1"),"iam"),"request")

以下示例显示了此HMAC哈希操作序列生成的派生签名密钥。这说明了此二进制签名密钥中每个字节的十六进制表示形式。

e7d2eb478084eaaaf8f85c161de16f13d97e52e77bd0415f33e7feb561cccffd

Signature示例

signature = HexEncode(HMAC(Signingkey, StringToSign))

最终的结果如下：

88dd0a9ea555d8609ec83eb46054b52f6cd4f79b8d5094fa784c66fa3f2b9e1d

步骤五：将签名添加到请求当中

在请求中增加Authorization的header如下：

Authorization: HMAC-SHA256 Credential={AccessKeyId}/{CredentialScope}, SignedHeaders={SignedHeaders}, Signature={Signature}

完整结果如下：

Authorization: HMAC-SHA256 Credential=AKLTMjI2ODVlYzI3ZGY1NGU4ZjhjYWRjMTlmNTM5OTZkYzE/20200401/cn-north-1/iam/request, SignedHeaders=content-type;host;x-content-sha256;x-date, Signature=88dd0a9ea555d8609ec83eb46054b52f6cd4f79b8d5094fa784c66fa3f2b9e1d