Help Center/ Enterprise Router/ API Reference (Ankara Region)/ Calling APIs/ Authentication
Updated on 2024-12-18 GMT+08:00
View PDF
Share

Authentication

Requests for calling an API can be authenticated using either of the following methods:
  • Token authentication: Requests are authenticated using tokens.
  • AK/SK authentication: Requests are encrypted using AK/SK pairs. AK/SK authentication is recommended because it is more secure than token authentication.

Token Authentication

The validity period of a token is 24 hours. When using a token for authentication, cache it to avoid frequently calls to the API.

A token specifies temporary permissions in a computer system. During authentication using a token, the token is added to request headers to get permissions for calling the API. You can obtain a token by calling the API for Obtaining User Token.

Enterprise Router is a project-level service. When you call the API, set auth.scope in the request body to project.

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "name": "username",   // IAM user name
                    "password": "********",  // IAM user password
                    "domain": {
                        "name": "domainname"  // Name of the account that the IAM user belongs to
                    }
                }
            }
        },
        "scope": {
            "project": {
                "name": "xxxxxxxx"    // Project name
            }
        }
    }
}

After a token is obtained, X-Auth-Token must be added to the request header for calling other APIs. For example, if the token is ABCDEFJ...., X-Auth-Token: ABCDEFJ.... can be added to the request header as follows:

1
2
3
 
POST https://{{endpoint}}/v3/auth/projects
Content-Type: application/json
X-Auth-Token: ABCDEFJ....

AK/SK Authentication

You can use AK/SK encryption to verify the identity of a request sender. If you use the AK/SK for authentication, you must obtain the signature through the request signing process and add the signature to the headers of API requests.

AK: is a unique identifier associated with the SK, which is a unique identifier used together with an SK to sign requests cryptographically.

SK: secret access key, which is used together with an AK to sign requests cryptographically. It identifies a request sender and prevents the request from being modified.

The following uses a demo project to show how to sign a request and use an HTTP client to send an HTTPS request.

Download the demo project at https://github.com/api-gate-way/SdkDemo.

If you do not need the demo project, visit the following URL to download the API Gateway signing SDK:

Request an API Gateway signing SDK from the enterprise administrator.

Decompress the downloaded package to obtain a JAR file. Add the extracted JAR file to the project as a dependency package. The following figure displays an example.

Figure 1 Introducing the API Gateway signing SDK
  1. Generate an AK/SK. (If an AK/SK file has already been obtained, skip this step and locate the downloaded AK/SK file. Generally, the file name will be credentials.csv.)

    1. Log in to the management console.
    2. Hover the mouse over the username and select My Credential from the drop-down list.
    1. On the My Credentials page, click the Access Keys tab.
    2. Click Add Access Key.
    3. Enter the login password.
    4. Enter the verification code received by email.
    5. Click OK to download the access key.

      Keep the access key secure.

  2. Download and decompress the demo project.
  3. Import the demo project to Eclipse.

    Figure 2 Selecting Existing Projects into Workspace
    Figure 3 Selecting the demo project
    Figure 4 Structure of the demo project

  4. Sign the request.

    The request signing method is integrated in the JAR files imported in 3. Before you send the request, sign the requested content. The obtained signature will be included in the HTTP header of the request.

    The demo code is classified into the following classes to demonstrate signing and sending the HTTP request:

    • AccessService: An abstract class that merges the GET, POST, PUT, and DELETE methods into the access method.
    • Demo: Execution entry used to simulate the sending of GET, POST, PUT, and DELETE requests.
    • AccessServiceImpl: Implements the access method, which contains the code required for communication with API Gateway.
    1. Edit the main method in the Demo.java file, and replace the bold text with actual values.

      If you use other methods such as POST, PUT, and DELETE, see the corresponding comment.

      Specify region, serviceName, ak/sk, and url as the actual values. In this demo, the URLs for accessing VPC resources are used.

      To obtain the project ID in the URLs, see Obtaining a Project ID.

      To obtain the endpoint, contact the enterprise administrator.

       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
      		 
      //TODO: Replace region with the name of the region in which the service to be accessed is located. 
private static final String region = "";

//TODO: Replace vpc with the name of the service you want to access. For example, ecs, vpc, iam, and elb.
private static final String serviceName = "";

public static void main(String[] args) throws UnsupportedEncodingException
{
//TODO: Replace the AK and SK with those obtained on the My Credentials page.
String ak = "ZIRRKMTWP******1WKNKB";
String sk = "Us0mdMNHk******YrRCnW0ecfzl";

//TODO: To specify a project ID (multi-project scenarios), add the X-Project-Id header.
//TODO: To access a global service, such as IAM, DNS, CDN, and TMS, add the X-Domain-Id header to specify an account ID.
//TODO: To add a header, find "Add special headers" in the AccessServiceImple.java file.

//TODO: Test the API
String url = "https://{Endpoint}/v1/{project_id}/vpcs";
get(ak, sk, url);

//TODO: When creating a VPC, replace {project_id} in postUrl with the actual value.
//String postUrl = "https://serviceEndpoint/v1/{project_id}/cloudservers";
//String postbody ="{\"vpc\": {\"name\": \"vpc\",\"cidr\": \"192.168.0.0/16\"}}";
//post(ak, sk, postUrl, postbody);

//TODO: When querying a VPC, replace {project_id} in url with the actual value.
//String url = "https://serviceEndpoint/v1/{project_id}/vpcs/{vpc_id}";
//get(ak, sk, url);

//TODO: When updating a VPC, replace {project_id} and {vpc_id} in putUrl with the actual values.
//String putUrl = "https://serviceEndpoint/v1/{project_id}/vpcs/{vpc_id}";
//String putbody ="{\"vpc\":{\"name\": \"vpc1\",\"cidr\": \"192.168.0.0/16\"}}";
//put(ak, sk, putUrl, putbody);

//TODO: When deleting a VPC, replace {project_id} and {vpc_id} in deleteUrl with the actual values.
//String deleteUrl = "https://serviceEndpoint/v1/{project_id}/vpcs/{vpc_id}";
//delete(ak, sk, deleteUrl);
}
    2. Compile the code and call the API.

      In the Package Explorer area on the left, right-click Demo.java and choose Run AS > Java Application from the shortcut menu to run the demo code.

      You can view API call logs on the console.

Parent topic: Calling APIs