Why Don't the Signatures Match?
Symptom
The following error is reported during an OBS API call.
Status code: 403 Forbidden
Error code: SignatureDoesNotMatch
Error message: The request signature we calculated does not match the signature you provided. Check your key and signing method.
Possible Causes
The provided signature does not match the signature calculated by the system.
Solution
- Check the endpoint.
Check the endpoint if you are using the OBS SDK.
Ensure that the entered endpoint is correct. If the endpoint is set to a bucket domain name that consists of a bucket name and an endpoint, a signature mismatch error will also be reported.
- Check the AK and SK.
Ensure that the AK and SK you entered are correct, so they can match those used in the request.
- Check HTTP-Verb.
Ensure that the HTTP-Verb in the signature is the same as that in the request.
- Check Date and Expires.
- Signature in a header: Check whether the Date in the signature is the same as that in the request header.
- Signature in a URL: Check whether the Expires in the signature is the same as that in the request URL.
- Check headers.
Check Content-MD5, Content-Type, and Canonicalized Headers. If any of them are contained during signature calculation, they must be also contained in the request.
If a URL with a signature contained is used to access OBS resources through a browser, the header parameters above cannot be contained during signature calculation.
- Check Canonicalized Resource.
Canonicalized Resource indicates the OBS resources that are requested. Configure this parameter based on the requirements in the API reference.
- Check StringToSign.
Check whether StringToSign is constructed based on the following rules:
- Signature in a header:
HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedHeaders + CanonicalizedResource
- Signature in a URL:
HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Expires + "\n" + CanonicalizedHeaders + CanonicalizedResource
If a parameter is left blank, put it in a new line.
- Signature in a header:
- Check the signature calculation.
Check whether the signature is calculated as follows:
- Construct the request string StringToSign.
- Perform UTF-8 encoding on the result in the 1.
- Use the SK to perform the HMAC-SHA1 signature calculation on the result in 2.
- Perform Base64 encoding on the result in 3. If the signature is contained in a header, this step generates the final signature and no further actions are required.
- If the signature is contained in a URL, perform the URL encoding on the result in 4 to obtain the final signature.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot