Overview
Temporary Security Credentials
When you use APIs to access Huawei Cloud, you can use Security Token Service (STS) to create temporary security credentials and provide them to trusted users to access your resources in Huawei Cloud. Temporary security credentials work almost the same as permanent credentials, with the following differences:
- Temporary security credentials are short-term credentials. Their validity period lasts from several minutes to several hours. After the temporary security credentials expire, Huawei Cloud no longer allows any access from API requests signed with them.
- Temporary security credentials are not stored but dynamically generated. Before temporary security credentials expire, the user can request new credentials as long as the user still has permission to do so.
- Temporary security credentials include a temporary AK/SK and a security token. When you use temporary security credentials for API access, security_token is passed in the X-Security-Token header and the temporary AK/SK are used to sign requests.
Temporary security credentials have the following advantages over permanent credentials:
- There is no need to distribute or embed permanent credentials with an application.
- Temporary security credentials have a limited lifetime, so they are more secure than permanent credentials.
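The expiry, re-request and X-Security-Token points above, shown as an added example that is not part of the original Huawei Cloud documentation: a cache that requests new credentials shortly before the current ones expire and supplies the token header. `fetch` is a hypothetical callable standing in for your STS call; the class names, field names and 300-second margin are assumptions, and signing with the temporary AK/SK is left to your SDK or signer.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class TempCredentials:
    access_key: str       # temporary AK (signs requests together with the SK)
    secret_key: str       # temporary SK
    security_token: str   # sent in the X-Security-Token header
    expires_at: float     # expiry as a Unix timestamp (assumed representation)


class RefreshingCredentials:
    """Caches temporary credentials and re-requests them before they expire."""

    def __init__(self, fetch: Callable[[], TempCredentials],
                 refresh_margin: float = 300.0,
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch            # hypothetical wrapper around the STS call
        self._margin = refresh_margin  # refresh this many seconds before expiry
        self._clock = clock
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._current: Optional[TempCredentials] = None

    def get(self) -> TempCredentials:
        with self._lock:
            cur = self._current
            if cur is None or self._clock() >= cur.expires_at - self._margin:
                fresh = self._fetch()
                # Reject a response that is already expired instead of caching it.
                if fresh.expires_at <= self._clock():
                    raise RuntimeError("received credentials that are already expired")
                self._current = cur = fresh
            return cur

    def token_headers(self) -> Dict[str, str]:
        """Headers to merge into a request before signing it with the temporary AK/SK."""
        return {"X-Security-Token": self.get().security_token}
```

Because nothing is written to disk, a process restart simply triggers a new request for credentials.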
Temporary Security Credentials and Regions
Temporary security credentials are generated by STS. STS is a regional service. You can make STS API calls to endpoints where STS is deployed. You are advised to send requests to a region geographically close to you to reduce latency. No matter which region your temporary security credentials come from, they work in all regions. For details, see Regions and Endpoints.
Iteration of Temporary Security Credentials
Currently, both v3 and v5 APIs are available for creating temporary security credentials. The request paths start with v3.0 (CreateTemporaryAccessKeyByAgency) and v5 (AssumeAgency), respectively. Both APIs create temporary security credentials containing the session token security_token. The security_token generated by the CreateTemporaryAccessKeyByAgency API is an IAM security token, and the security_token generated by the AssumeAgency API is an STS security token. An STS security token is more secure and flexible than an IAM security token in permission control. It carries more context information for authentication, including but not limited to the attached identity policy, caller identity information, session policy, and tag. In addition, STS security tokens use more secure encryption and decryption policies. Therefore, the following content only describes how to use the AssumeAgency API. For details about the CreateTemporaryAccessKeyByAgency API, see Access Key Management.
Constraints
You can use temporary security credentials to access most Huawei Cloud services. Some cloud services do not support temporary security credentials generated using the AssumeAgency API. For details about the supported services, see section Cloud Services for Using Identity Policies and Trust Agencies in the Identity and Access Management Service User Guide (New Edition). If the cloud service you want to use does not support temporary security credentials generated by the AssumeAgency API, you can use CreateTemporaryAccessKeyByAgency instead.