Obtaining the Agency Credential for a Pod Identity Association
Function
This API uses a service account token to obtain the IAM agency credential for the pod identity association that is associated with the service account.
Calling Method
For details, see Calling APIs.
Authorization Information
Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.
- If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
- If you are using identity policy-based authorization, the following identity policy-based permissions are required.
| Action | Access Level | Resource Type (*: required) | Condition Key | Alias | Dependencies |
|---|---|---|---|---|---|
| cce::assumeAgencyForPodIdentity | Write | - | - | - | - |
URI
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/assume-agency-for-pod-identity
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Details: Project ID. For details about how to obtain the value, see How to Obtain Parameters in the API URI. Constraints: None Options: Project IDs of the account Default value: N/A |
| cluster_id | Yes | String | Details: Cluster ID. For details about how to obtain the value, see How to Obtain Parameters in the API URI. Constraints: None Options: Cluster IDs Default value: N/A |
Request Parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Content-Type | Yes | String | Definition: Type (or format) of the request body. The default value is application/json. Other values of this field will be provided for specific APIs, if any. Constraints: GET requests are not validated. Default Value: N/A |
| X-Auth-Token | Yes | String | Details: Requests for calling an API can be authenticated using either a token or AK/SK. If token-based authentication is used, this parameter is mandatory and must be set to a user token. For details, see Obtaining a User Token. Constraints: None Options: N/A Default value: N/A |

Request body parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| token | Yes | String | Definition: Service account token associated with a pod identity association. Constraints: N/A. Range: N/A. Default Value: N/A |
Response Parameters
Status code: 200
| Parameter | Type | Description |
|---|---|---|
| assumedAgency | AssumedAgency object | Definition: Metadata of the agency corresponding to the credential. This attribute is returned only when a trust agency is configured for the pod identity association. Constraints: N/A. Range: N/A. Default Value: N/A |
| audience | String | Definition: The audience attribute passed when the credential is issued. If the credential is obtained using the pod identity association, the value is fixed at service.cce.pods. This attribute is returned only when a trust agency is configured for the pod identity association. Constraints: N/A. Range: N/A. Default Value: N/A |
| credentials | Credentials object | Definition: Credential details. Constraints: N/A. Range: N/A. Default Value: N/A |
| podIdentityAssociationId | String | Definition: ID of the pod identity association that the agency credential belongs to. Constraints: N/A. Range: N/A. Default Value: N/A |
| subject | PodIdentitySubject object | Definition: Service account information of an agency credential. Constraints: N/A. Range: N/A. Default Value: N/A |

AssumedAgency object
| Parameter | Type | Description |
|---|---|---|
| urn | String | Definition: Unique ID of an agency, in the format of sts::{account_id}::assumed-agency:{agency_name}/{agency_session_name}. Constraints: N/A. Range: N/A. Default Value: N/A |
| id | String | Definition: Agency ID, in the format of {agency_id}:{agency_session_name}. Constraints: N/A. Range: N/A. Default Value: N/A |

Credentials object
| Parameter | Type | Description |
|---|---|---|
| accessKeyId | String | Definition: AK of a temporary security credential. Constraints: N/A. Range: N/A. Default Value: N/A |
| secretAccessKey | String | Definition: SK of a temporary security credential. Constraints: N/A. Range: N/A. Default Value: N/A |
| securityToken | String | Definition: security_token of a temporary security credential. Constraints: N/A. Range: N/A. Default Value: N/A |
| expiration | String | Definition: Expiration time of a temporary security credential. Constraints: N/A. Range: N/A. Default Value: N/A |
Example Requests
Obtain the agency credential for a pod identity association.
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/assume-agency-for-pod-identity

{
  "token" : "hQpjbi1XXXXXX...XXXXXKbhBbA0TQ=="
}

Example Responses
Status code: 200
The agency credential for the pod identity association has been obtained.
{
  "assumedAgency" : {
    "urn" : "sts::27680d67da6b47eb82d00a1a1xxxxxx5::assumed-agency:example-agency/cce-{cluster_id}-{pod_id}-{random_UUID}",
    "id" : "011e7f329d2241e981a3d63bexxxxxx5:cce-{cluster_id}-{pod_id}-{random_UUID}"
  },
  "audience" : "service.cce.pods",
  "credentials" : {
    "accessKeyId" : "HSTANO...XBS55JLJ3",
    "secretAccessKey" : "EoWCQrr...SCcw4Whkt2aXKWAr",
    "securityToken" : "hQpjbi1XXXXXX...XXXXXKbhBbA0TQ==",
    "expiration" : "2022-09-07T03:27:51.158Z"
  },
  "podIdentityAssociationId" : "402358e8-2e3a-4531-bae7-fe9cbxxxxxx1",
  "subject" : {
    "namespace" : "example-namespace",
    "serviceAccount" : "example-serviceaccount"
  }
}

Status Codes
| Status Code | Description |
|---|---|
| 200 | The agency credential for the pod identity association has been obtained. |
Error Codes
See Error Codes.
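
The following Python sketch is an added example, not code from the CCE documentation or SDK. It builds the request described above and checks a response before the temporary credential is used: the fixed audience, the subject, the credential fields and the remaining lifetime. The function names, the caller-supplied endpoint, the five-minute minimum lifetime and the sample values are assumptions made for illustration.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

PATH = "/api/v3/projects/{project_id}/clusters/{cluster_id}/assume-agency-for-pod-identity"

def build_request(endpoint, project_id, cluster_id, user_token, sa_token):
    """Build (without sending) the POST request; endpoint is caller-supplied."""
    url = endpoint.rstrip("/") + PATH.format(project_id=project_id, cluster_id=cluster_id)
    headers = {"Content-Type": "application/json", "X-Auth-Token": user_token}
    body = json.dumps({"token": sa_token}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def check_response(resp, namespace, service_account, now=None, min_ttl=timedelta(minutes=5)):
    """Return a list of problems; an empty list means the credential looks usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # audience is returned only when a trust agency is configured; then it is fixed.
    if "audience" in resp and resp["audience"] != "service.cce.pods":
        problems.append("unexpected audience")
    subject = resp.get("subject", {})
    if (subject.get("namespace"), subject.get("serviceAccount")) != (namespace, service_account):
        problems.append("subject does not match the calling workload")
    creds = resp.get("credentials", {})
    for field in ("accessKeyId", "secretAccessKey", "securityToken", "expiration"):
        if not creds.get(field):
            problems.append(f"missing credentials.{field}")
    if creds.get("expiration"):
        expires = datetime.fromisoformat(creds["expiration"].replace("Z", "+00:00"))
        if expires - now < min_ttl:
            problems.append("credential expired or about to expire")
    return problems

def redact(resp):
    """Deep copy of the response with secret values masked, safe to log."""
    safe = json.loads(json.dumps(resp))
    for field in ("secretAccessKey", "securityToken"):
        if field in safe.get("credentials", {}):
            safe["credentials"][field] = "***"
    return safe

# Constructed sample response modelled on the example response; all values are placeholders.
SAMPLE = {
    "audience": "service.cce.pods",
    "credentials": {"accessKeyId": "AK-PLACEHOLDER", "secretAccessKey": "SK-PLACEHOLDER",
                    "securityToken": "TOKEN-PLACEHOLDER", "expiration": "2022-09-07T03:27:51.158Z"},
    "podIdentityAssociationId": "00000000-0000-0000-0000-000000000000",
    "subject": {"namespace": "example-namespace", "serviceAccount": "example-serviceaccount"},
}
```

Log only the output of `redact()`; the service account token and the returned SK and security token should never be written to logs.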