Using Temporary Security Credentials
You can use temporary security credentials to sign API requests and then programmatically access Huawei Cloud resources. The temporary security credentials provide the same permissions as permanent access keys (for example, IAM user's permanent AK/SK), with the following differences:
- When you make a call using temporary security credentials, the call must include the session token security_token, which is returned with the temporary security credentials. Huawei Cloud uses the session token to validate temporary security credentials.
- Temporary security credentials have validity periods. After they expire, any calls made using them will fail, so you must generate new temporary security credentials.
- When you use temporary security credentials to sign requests, your requested session might include a set of tags. These tags come from session tags that are passed during the AssumeAgency API calling.
You can call the STS API AssumeAgency to obtain temporary security credentials and use them to explicitly call other Huawei Cloud services.
Using Temporary Security Credentials in Huawei Cloud SDKs
To use temporary security credentials in code, you can call the STS API AssumeAgency to extract the generated temporary security credentials which include a temporary AK/SK and the session token security_token. You can then use the generated temporary security credentials to call Huawei Cloud services. The following example code uses temporary security credentials in a Huawei Cloud SDK:
public static void main(String[] args) {
// Configure authentication information.
ICredential auth = new BasicCredentials()
// You can configure authentication information using environment variables.
.withAk(System.getenv("HUAWEICLOUD_SDK_AK"))
.withSk(System.getenv("HUAWEICLOUD_SDK_SK"))
// If ProjectId is not set, the SDK automatically calls the IAM service to query the project ID of the region. If the request is routed through VPC endpoint, you must set this parameter.
.withProjectId("{your projectId string}");
// Create a service client.
StsClient client = StsClient.newBuilder()
.withCredential(auth)
.withRegion(StsRegion.valueOf("{region id string}"))
.build();
// Send the request and obtain a response.
AssumeAgencyReqBody assumeAgencyReqBody = new AssumeAgencyReqBody()
.withAgencyUrn("{your agency urn}")
.withAgencySessionName("{agency session name}");
AssumeAgencyRequest request = new AssumeAgencyRequest().withBody(assumeAgencyReqBody);
try {
AssumeAgencyResponse response = client.assumeAgency(request);
System.out.println(response.toString());
} catch (ConnectionException | RequestTimeoutException e) {
e.printStackTrace();
} catch (ServiceResponseException e) {
e.printStackTrace();
System.out.println(e.getHttpStatusCode());
System.out.println(e.getRequestId());
System.out.println(e.getErrorCode());
System.out.println(e.getErrorMsg());
}
}
You must obtain a new set of temporary security credentials before the original ones expire.
Using Temporary Security Credentials with APIs
To send an HTTPS API request to Huawei Cloud, you also need to call the STS API AssumeAgency to obtain the generated temporary security credentials. You sign a request using temporary security credentials the same way as using a permanent access key. The only difference is that the session token security_token of the temporary security credentials needs to be added to the HTTP header of the API request. The header is X-Security-Token. For more information about how to sign HTTPS API requests, see API Request Signing Guide.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
