Updated on 2023-12-13 GMT+08:00

Authentication

You can use either of the following authentication methods when calling APIs:

  • Authentication using tokens: General requests are authenticated using tokens.

    To call the Silvan interface of an API gateway, use token authentication. A token whose role is op_service must be used. The administrator account of each service has the op_service permission.

  • Authentication using the AK/SK: Requests are signed using the access key ID (AK)/secret access key (SK).

    To use an API gateway to send requests to underlying services, sign the requests using the AK and SK.

Token Authentication

The validity period of a token is 24 hours. When using a token for authentication, cache it to avoid calling the IAM API frequently.

A token specifies certain permissions in a computer system. In token authentication, the token is added to a request as a header when an API is called, so that the caller obtains permissions to operate APIs through IAM.

When calling the API to obtain a user token, you must set auth.scope in the request body to project.

For details about how to obtain username and domainname, see Obtaining the Account Name and Account ID. password indicates the user password.

{ 
    "auth": { 
        "identity": { 
            "methods": [ 
                "password" 
            ], 
            "password": { 
                "user": { 
                    "name": "username", 
                    "password": "********", 
                    "domain": { 
                        "name": "domainname" 
                    } 
                } 
            } 
        }, 
        "scope": { 
            "project": { 
                "name": "xxxxxxxx" 
            } 
        } 
    } 
}

To call the Silvan interface of an API gateway, you must obtain the user's token and add X-Auth-Token to the request header of a service API.

After obtaining the token, add the X-Auth-Token header to a request to specify the token when calling other APIs. For example, if the token is ABCDEFJ...., add X-Auth-Token: ABCDEFJ.... to a request as follows:

GET https://iam.ap-southeast-1.myhuaweicloud.com/v3/auth/projects
Content-Type: application/json 
X-Auth-Token: ABCDEFJ....

Procedure

This section describes how to perform token authentication for API calling.

  1. Send POST https://IAM endpoint/v3/auth/tokens. For the endpoint of the Identity and Access Management (IAM) service and the region name to use in the message body, see Regions and Endpoints.

    A sample request is as follows:

    {
      "auth": {
        "identity": {
          "methods": [
            "password"
          ],
          "password": {
            "user": {
              "name": "username",  //Username
              "password": "password",  //Password
              "domain": {
                "name": "domainname"  //Account name
              }
            }
          }
        },
        "scope": {
          "project": {
            "name": "ap-southeast-1"  //Region of Image Search
          }
        }
      }
    }

    Replace the annotated placeholder values in the preceding code snippet with actual ones. The // annotations are explanatory and are not part of the JSON body. For details, see the Identity and Access Management API Reference.

  2. Obtain the token. For details about how to obtain the token, see Obtaining a User Token in the Identity and Access Management API Reference. The token value is the X-Subject-Token value in the response header.
  3. To call a service API, add the X-Auth-Token header to the request and set its value to the token obtained in Step 2.

AK/SK Authentication

Authentication using the AK/SK supports API requests with a body not larger than 12 MB. For API requests with a larger body, authentication using tokens is recommended.

When the API gateway sends a request to the underlying service, the AK/SK must be used to sign the request. For details, see the API Request Signing Guide.

In authentication using the AK/SK, the AK/SK is used to sign a request, and the signature is added to the request as a header for authentication.

  • AK: indicates the ID of the access key. It is the unique identifier associated with the SK. The AK and SK are used together to sign requests cryptographically.
  • SK: indicates the secret access key used together with the AK to sign requests cryptographically. The AK and SK can be used together to identify the request sender and to prevent the request from being modified.

In authentication using the AK/SK, you can use the AK/SK to sign requests based on the signature algorithm or use a dedicated signature SDK to sign the requests. For details about how to sign requests and use the signature SDK, see the API Request Signing Guide.

The signature SDK supports only signing and is different from the SDKs provided by services.

When the AK/SK of a user under a domain is used, add X-Domain-Id to the header and set it to the user's domain ID.

Obtaining AK/SK

  1. Register with HUAWEI CLOUD and log in to the Image Search management console.
  2. Hover the cursor over the username in the upper right corner and select My Credentials from the drop-down list. On the My Credentials page, click the Access Keys tab.
  3. Click Add Access Key. The Add Access Key dialog box is displayed.
  4. Enter the login password of the current user and the verification code received in the email or on the mobile phone. Click OK to download the access key.

    • For users created in IAM, if no email address or mobile phone number is specified during user creation, you only need to enter the login password for verification.
    • To prevent the access key from being leaked, keep it secure.