Obtaining a Temporary Access Key and SecurityToken Through a Token
Function
This API is used to obtain a temporary access key and securityToken using a token. For details about how to obtain a token, see Obtaining a User Token Through Password Authentication.
A temporary access key and securityToken are issued by the system to IAM users, and can be valid for 15 minutes to 24 hours. The temporary access key and securityToken follow the principle of least privilege. A temporary access key must be used together with a securityToken, and the x-security-token field must be included in the request header. For more information, see How Do I Use a Temporary AK/SK to Sign Requests?
The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.
URI
POST /v3.0/OS-CREDENTIAL/securitytokens
Request Parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Content-Type | Yes | String | Set this field to application/json;charset=utf8. |
| X-Auth-Token | Yes | String | IAM user token, federated user token, or agency token. |

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| auth | Yes | Object | Authentication information. |

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| methods | Yes | Array of strings | Authentication method. The value of this field is ["token"]. |
| token | No | Object | Validity period of a temporary access key and SecurityToken. |
| policy | No | Object | OBS permissions to be assigned to the temporary access key and securityToken. The final permissions of the temporary access key and securityToken are all the permissions assigned to the specified user token and defined in this parameter. For details about the syntax and format of IAM policies, see Policies. |

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Version | Yes | String | Policy version. When creating a custom policy, set this parameter to 1.1. NOTE: 1.1: Policy. A policy defines the permissions required to perform operations on a specific cloud resource under certain conditions. |
| Statement | Yes | Array of objects | Statement of the policy. A policy can contain a maximum of eight statements. |

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Action | Yes | Array of strings | Specific operation permission on a resource. A maximum of 100 actions are allowed. |
| Effect | Yes | String | Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. |
| Condition | No | Map<String,Map<String,Array<String>>> | Conditions for the permission to take effect. A maximum of 10 conditions are allowed. For details about the condition parameters, see Creating a Custom Policy. NOTE: Taking the condition in the sample request as an example, the values of the condition key (obs:prefix) and string (public) must be equal (StringEquals): "Condition": { "StringEquals": { "obs:prefix": [ "public" ] } } |
| Resource | No | Array of strings | Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters. |

Response Parameters
| Parameter | Type | Description |
|---|---|---|
| credential | Object | Authentication result. |

| Parameter | Type | Description |
|---|---|---|
| expires_at | String | Expiration time of the access key and securityToken. The response is UTC time, which is 8 hours behind Beijing time. For example: "expires_at": "2020-01-08T02:56:19.587000Z" corresponds to Beijing time 2020-01-08 10:56:19.587. |
| access | String | AK. |
| secret | String | SK. |
| securitytoken | String | Obtained access key in ciphertext. |

Example Request
- Request with the token parameter

      POST https://iam.myhuaweicloud.com/v3.0/OS-CREDENTIAL/securitytokens
      {
          "auth": {
              "identity": {
                  "methods": [
                      "token"
                  ],
                  "token": {
                      "duration_seconds": 900
                  }
              }
          }
      }

- Request with the X-Auth-Token header but without the token parameter

      POST https://iam.myhuaweicloud.com/v3.0/OS-CREDENTIAL/securitytokens
      {
          "auth": {
              "identity": {
                  "methods": [
                      "token"
                  ]
              }
          }
      }

- Request with the policy parameter

      POST https://iam.myhuaweicloud.com/v3.0/OS-CREDENTIAL/securitytokens
      {
          "auth": {
              "identity": {
                  "methods": [
                      "token"
                  ],
                  "policy": {
                      "Version": "1.1",
                      "Statement": [
                          {
                              "Effect": "Allow",
                              "Action": [
                                  "obs:object:*"
                              ],
                              "Resource": [
                                  "obs:*:*:object:*"
                              ],
                              "Condition": {
                                  "StringEquals": {
                                      "obs:prefix": [
                                          "public"
                                      ]
                                  }
                              }
                          }
                      ]
                  },
                  "token": {
                      "duration_seconds": 900
                  }
              }
          }
      }

Example Response
Status code: 201
The request is successful.

    {
        "credential": {
            "access": "NZFAT5VNWEJDGZ4PZ...",
            "expires_at": "2020-01-08T03:50:07.574000Z",
            "secret": "riEoWsy3qO0BvgwfkoLVgCUvzgpjBBcvdq...",
            "securitytoken": "gQpjbi1ub3J0aC00jD4Ej..."
        }
    }

Status Codes
| Status Code | Description |
|---|---|
| 201 | The request is successful. |
| 400 | Invalid parameters. |
| 401 | Authentication failed. |
| 403 | Access denied. |
| 500 | Internal server error. |

Error Codes
None
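
Added example (not part of the original documentation or of any Huawei SDK): a Python helper that builds the request described on this page, checks a scoping policy against the limits in the parameter tables before it is sent, and turns a response into the x-security-token header and remaining lifetime. The function names, the placeholder credential values and the sample response are constructed for illustration; applying the 15-minute to 24-hour validity range to duration_seconds is an assumption.

```python
import json
from datetime import datetime, timezone

# URI and header names come from the page; nothing here is sent over the network.
ENDPOINT = "https://iam.myhuaweicloud.com/v3.0/OS-CREDENTIAL/securitytokens"
MIN_SECONDS, MAX_SECONDS = 15 * 60, 24 * 60 * 60  # assumed bounds for duration_seconds

def validate_policy(policy):
    """Check a scoping policy against the limits in the parameter tables."""
    if policy.get("Version") != "1.1":
        raise ValueError("Version must be 1.1")
    statements = policy.get("Statement") or []
    if not 1 <= len(statements) <= 8:
        raise ValueError("a policy takes 1 to 8 statements")
    for st in statements:
        if st.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny")
        if not 1 <= len(st.get("Action") or []) <= 100:
            raise ValueError("a statement takes 1 to 100 actions")
        resources = st.get("Resource", [])
        if len(resources) > 10 or any(len(r) > 128 for r in resources):
            raise ValueError("at most 10 resources of at most 128 characters")

def build_request(user_token, duration_seconds=900, policy=None):
    """Return (url, headers, body) for POST /v3.0/OS-CREDENTIAL/securitytokens."""
    if not MIN_SECONDS <= duration_seconds <= MAX_SECONDS:
        raise ValueError("duration_seconds outside 15 minutes to 24 hours")
    identity = {"methods": ["token"]}
    if policy is not None:
        validate_policy(policy)
        identity["policy"] = policy
    identity["token"] = {"duration_seconds": duration_seconds}
    headers = {"Content-Type": "application/json;charset=utf8",
               "X-Auth-Token": user_token}
    return ENDPOINT, headers, json.dumps({"auth": {"identity": identity}})

def parse_credential(body, now):
    """Extract the temporary AK/SK, the header for later calls, and the TTL."""
    cred = json.loads(body)["credential"]
    expires = datetime.strptime(cred["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    expires = expires.replace(tzinfo=timezone.utc)  # the API reports UTC
    return {"access": cred["access"], "secret": cred["secret"],
            "headers": {"x-security-token": cred["securitytoken"]},
            "seconds_left": (expires - now).total_seconds()}

# Policy taken from the page's "Request with the policy parameter" example.
PAGE_POLICY = {"Version": "1.1", "Statement": [{
    "Effect": "Allow", "Action": ["obs:object:*"],
    "Resource": ["obs:*:*:object:*"],
    "Condition": {"StringEquals": {"obs:prefix": ["public"]}}}]}
# Constructed response: placeholder key material, timestamp in the page's format.
SAMPLE_RESPONSE = json.dumps({"credential": {
    "access": "EXAMPLE_AK", "secret": "EXAMPLE_SK", "securitytoken": "EXAMPLE_TOKEN",
    "expires_at": "2020-01-08T03:50:07.574000Z"}})
```

Comparing seconds_left against a timezone-aware UTC clock avoids the 8-hour misreading that the expires_at description calls out.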
