Obtaining a Temporary Access Key and SecurityToken Through a Token
Function
This API is used to obtain a temporary access key and securityToken using a token. For details about how to obtain a token, see Obtaining a User Token Through Password Authentication.
A temporary access key and securityToken are issued by the system to IAM users, and can be valid for 15 minutes to 24 hours. The temporary access key and securityToken follow the principle of least privilege. A temporary access key must be used together with a securityToken, and the x-security-token field must be included in the request header. For more information, see How Do I Use a Temporary AK/SK to Sign Requests?
The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.
URI
POST /v3.0/OS-CREDENTIAL/securitytokens
Request Parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Content-Type | Yes | String | Set this field to application/json;charset=utf8. |
| X-Auth-Token | Yes | String | IAM user token, federated user token, or agency token. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| auth | Yes | Object | Authentication information. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| methods | Yes | Array of strings | Authentication method. The value of this field is ["token"]. |
| token | No | Object | IAM user token, federated user token, or agency token. Either the id parameter of this object or X-Auth-Token in the request header must be specified. If both of them are specified, X-Auth-Token takes precedence. |
| policy | No | Object | OBS permissions to be assigned to the temporary access key and securityToken. The final permissions of the temporary access key and securityToken are those that are both assigned to the specified user token and defined in this parameter. For details about the syntax and format of IAM policies, see Policies. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Version | Yes | String | Policy version. When creating a custom policy, set this parameter to 1.1. NOTE: 1.1: Policy. A policy defines the permissions required to perform operations on a specific cloud resource under certain conditions. |
| Statement | Yes | Array of objects | Statement of the policy. A policy can contain a maximum of eight statements. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Action | Yes | Array of strings | Specific operation permission on a resource. A maximum of 100 actions are allowed. NOTE: |
| Effect | Yes | String | Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options: |
| Condition | No | Map<String,Map<String,Array<String>>> | Conditions for the permission to take effect. A maximum of 10 conditions are allowed. For details about the condition parameters, see Creating a Custom Policy. NOTE: Taking the condition in the sample request as an example, the values of the condition key (obs:prefix) and string (public) must be equal (StringEquals). "Condition": { "StringEquals": { "obs:prefix": [ "public" ] } } |
| Resource | No | Array of strings | Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters. NOTE: |
Response Parameters
| Parameter | Type | Description |
|---|---|---|
| credential | Object | Authentication result. |
| Parameter | Type | Description |
|---|---|---|
| expires_at | String | Expiration time of the access key and securityToken. The response is UTC time, which is 8 hours behind Beijing time. For example: "expires_at": "2020-01-08T02:56:19.587000Z" Beijing time: 2020-01-08 10:56:19.587 |
| access | String | AK. |
| secret | String | SK. |
| securitytoken | String | Obtained access key in ciphertext. |
Example Request
- Request with the token parameter
POST https://iam.myhuaweicloud.com/v3.0/OS-CREDENTIAL/securitytokens
{
    "auth": {
        "identity": {
            "methods": [
                "token"
            ],
            "token": {
                "duration_seconds": 900
            }
        }
    }
}
- Request with the X-Auth-Token header but without the token parameter
POST https://iam.myhuaweicloud.com/v3.0/OS-CREDENTIAL/securitytokens
{
    "auth": {
        "identity": {
            "methods": [
                "token"
            ]
        }
    }
}
- Request with the policy parameter
POST https://iam.myhuaweicloud.com/v3.0/OS-CREDENTIAL/securitytokens
{
    "auth": {
        "identity": {
            "methods": [
                "token"
            ],
            "policy": {
                "Version": "1.1",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "obs:object:*"
                        ],
                        "Resource": [
                            "obs:*:*:object:*"
                        ],
                        "Condition": {
                            "StringEquals": {
                                "obs:prefix": [
                                    "public"
                                ]
                            }
                        }
                    }
                ]
            },
            "token": {
                "id": "MIIamwYJKoZIhvcNAQcCoIIajDCC...",
                "duration_seconds": 900
            }
        }
    }
}
Example Response
Status code: 201
The request is successful.
{
"credential": {
"access": "NZFAT5VNWEJDGZ4PZ...",
"expires_at": "2020-01-08T03:50:07.574000Z",
"secret": "riEoWsy3qO0BvgwfkoLVgCUvzgpjBBcvdq...",
"securitytoken": "gQpjbi1ub3J0aC00jD4Ej..."
}
}
Status Codes
| Status Code | Description |
|---|---|
| 201 | The request is successful. |
| 400 | Invalid parameters. |
| 401 | Authentication failed. |
| 403 | Access denied. |
| 500 | Internal server error. |
Error Codes
None
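The following is an added example, not code from the original documentation: it builds the request body shown in the samples above, rejects a policy that exceeds the limits documented in the parameter tables before it is sent, and computes the remaining lifetime of a returned credential from its UTC expires_at value. The function names are hypothetical, and it assumes that duration_seconds selects the 15-minute to 24-hour validity period and that mandatory arrays must be non-empty.

```python
from datetime import datetime, timezone

# Validity window stated on the page: 15 minutes to 24 hours.
# Assumption: duration_seconds is the field that selects it, as in the page's samples.
MIN_SECONDS, MAX_SECONDS = 15 * 60, 24 * 60 * 60

def check_policy(policy):
    """Return violations of the limits this page documents for the policy parameter."""
    problems = []
    if policy.get("Version") != "1.1":
        problems.append("Version must be 1.1")
    statements = policy.get("Statement") or []
    if not 1 <= len(statements) <= 8:  # assumption: mandatory means non-empty
        problems.append("Statement must hold 1 to 8 entries")
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}]: Effect must be Allow or Deny")
        if not 1 <= len(st.get("Action") or []) <= 100:
            problems.append(f"Statement[{i}]: Action must hold 1 to 100 entries")
        resources = st.get("Resource") or []
        if len(resources) > 10 or any(len(r) > 128 for r in resources):
            problems.append(f"Statement[{i}]: at most 10 resources of 128 chars each")
    return problems

def build_request(duration_seconds=900, policy=None, token_id=None):
    """Build the POST body; token_id may be omitted when X-Auth-Token is sent."""
    if not MIN_SECONDS <= duration_seconds <= MAX_SECONDS:
        raise ValueError("duration_seconds outside 900..86400")
    identity = {"methods": ["token"], "token": {"duration_seconds": duration_seconds}}
    if token_id is not None:
        identity["token"]["id"] = token_id
    if policy is not None:
        problems = check_policy(policy)
        if problems:
            raise ValueError("; ".join(problems))
        identity["policy"] = policy
    return {"auth": {"identity": identity}}

def seconds_left(credential, now):
    """Remaining lifetime of a returned credential; expires_at is UTC, not local time."""
    expires = datetime.strptime(credential["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return (expires.replace(tzinfo=timezone.utc) - now).total_seconds()

# Policy copied from the page's sample request: OBS object actions under prefix "public".
SAMPLE_POLICY = {"Version": "1.1", "Statement": [{
    "Effect": "Allow", "Action": ["obs:object:*"], "Resource": ["obs:*:*:object:*"],
    "Condition": {"StringEquals": {"obs:prefix": ["public"]}}}]}
```

Passing `now` as a timezone-aware UTC datetime keeps the comparison correct regardless of the caller's local time zone.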