Help Center/ Object Storage Service/ FAQs/ APIs and SDKs/ Why Don't the Signatures Match?
Updated on 2024-10-28 GMT+08:00

Why Don't the Signatures Match?

Symptom

The following error is reported during an OBS API call.

Status code: 403 Forbidden

Error code: SignatureDoesNotMatch

Error message: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Possible Causes

The provided signature does not match the signature calculated by the system.

Solution

  1. Check the endpoint.

    Check the endpoint if you are using the OBS SDK.

    The correct endpoint format is obs.regionID.myhuaweicloud.com. If the endpoint is set to a bucket domain name (bucketname.obs.regionID.myhuaweicloud.com), a signature mismatch error will also be reported.

  2. Check the AK and SK.

    Ensure that the AK and SK you entered are correct, so they can match those used in the request.

  3. Check HTTP-Verb.

    Ensure that the HTTP-Verb in the signature is the same as that in the request.

  4. Check Date and Expires.

    • Signature in a header: Check whether the Date in the signature is the same as that in the request header.
    • Signature in a URL: Check whether the Expires in the signature is the same as that in the request URL.

      If the URL signature generator is used, the Expires is set to a value in seconds, for example, 3600 for one hour. The value of Expires in the generated URL is the last point in time of the validity period.

  5. Check headers.

    Check Content-MD5, Content-Type, and Canonicalized Headers. If any of them are contained during signature calculation, they must be also contained in the request.

    If a URL with a signature contained is used to access OBS resources through a browser, the header parameters above cannot be contained during signature calculation.

  6. Check Canonicalized Resource.

    Canonicalized Resource indicates the OBS resources that are requested. Configure this parameter based on the requirements in the API reference. For details, see Authentication of Signature in a Header or Authentication of Signature in a URL.

  7. Check StringToSign.

    Check whether StringToSign is constructed based on the following rules:

    • Signature in a header:
      HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedHeaders + CanonicalizedResource
    • Signature in a URL:
      HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Expires + "\n" + CanonicalizedHeaders + CanonicalizedResource

    If a parameter is left blank, put it in a new line.

  8. Check the signature calculation.

    Check whether the signature is calculated as follows:

    1. Construct the request string StringToSign.
    2. Perform UTF-8 encoding on the result in the 1.
    3. Use the SK to perform the HMAC-SHA1 signature calculation on the result in 2.
    4. Perform Base64 encoding on the result in 3. If the signature is contained in a header, this step generates the final signature and no further actions are required.
    5. If the signature is contained in a URL, perform the URL encoding on the result in 4 to obtain the final signature.

  9. Verify the signature by referring to User Signature Verification.