Help Center> Object Storage Service> FAQs> APIs and SDKs> Why Don't the Signatures Match?

Updated on 2023-03-08 GMT+08:00

View PDF

Why Don't the Signatures Match?

Symptom

The following error is reported during an OBS API call.

Status code: 403 Forbidden

Error code: SignatureDoesNotMatch

Error message: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Possible Causes

The provided signature does not match the signature calculated by the system.

Solution

Check the endpoint.
Check the endpoint if you are using the OBS SDK.

The correct endpoint format is obs.regionID.myhuaweicloud.com. If the endpoint is set to a bucket domain name (bucketname.obs.regionID.myhuaweicloud.com), a signature mismatch error will also be reported.
Check the AK and SK.
Ensure that the AK and SK you entered are correct, so they can match those used in the request.
Check HTTP-Verb.
Ensure that the HTTP-Verb in the signature is the same as that in the request.
Check Date and Expires.
- Signature in a header: Check whether the Date in the signature is the same as that in the request header.
- Signature in a URL: Check whether the Expires in the signature is the same as that in the request URL.
  
  If the URL signature generator is used, the Expires is set to a value in seconds, for example, 3600 for one hour. The value of Expires in the generated URL is the last point in time of the validity period.
Check headers.
Check Content-MD5, Content-Type, and Canonicalized Headers. If any of them are contained during signature calculation, they must be also contained in the request.

If a URL with a signature contained is used to access OBS resources through a browser, the header parameters above cannot be contained during signature calculation.
Check Canonicalized Resource.
Canonicalized Resource indicates the OBS resources that are requested. Configure this parameter based on the requirements in the API reference. For details, see Authentication of Signature in a Header or Authentication of Signature in a URL.

Check StringToSign.

Check whether StringToSign is constructed based on the following rules:

Signature in a header:

HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedHeaders + CanonicalizedResource

Signature in a URL:

HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Expires + "\n" + CanonicalizedHeaders + CanonicalizedResource

If a parameter is left blank, put it in a new line.

Check the signature calculation.
Check whether the signature is calculated as follows:
1. Construct the request string StringToSign.
2. Perform UTF-8 encoding on the result in the 1.
3. Use the SK to perform the HMAC-SHA1 signature calculation on the result in 2.
4. Perform Base64 encoding on the result in 3. If the signature is contained in a header, this step generates the final signature and no further actions are required.
5. If the signature is contained in a URL, perform the URL encoding on the result in 4 to obtain the final signature.
Verify the signature by referring to User Signature Authentication.

Parent topic: APIs and SDKs

APIs and SDKs FAQs

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot

more