Updated on 2024-01-10 GMT+08:00

Authentication

Requests for calling an API can be authenticated using either of the following methods:

  • Token-based authentication: Requests are authenticated using a token.
  • Access Key ID/Secret Access Key (AK/SK)-based authentication: Requests are authenticated by encrypting the request body using an AK/SK.

Token Authentication

The validity period of a token is 24 hours. When using a token for authentication, cache it to prevent frequently calling the IAM API for obtaining a user token.

A token specifies temporary permissions in a computer system. Authentication using a token adds the token in a request as its header during API calling to obtain permissions to operate APIs. The token can be obtained by calling the API used to obtain a user token.

A cloud service can be deployed as either a project-level service or global service.

  • For a project-level service, obtain a project-level token. When you call the API, set auth.scope in the request body to project.
  • For a global service, obtain a global token. When you call the API, set auth.scope in the request body to domain.

When calling an API to obtain a user token, you must set auth.scope in the request body to project.

{ 
    "auth": { 
        "identity": { 
            "methods": [ 
                "password" 
            ], 
            "password": { 
                "user": { 
                    "name": "username", 
                    "password": "********", 
                    "domain": { 
                        "name": "domainname" 
                    } 
                } 
            } 
        }, 
        "scope": { 
            "project": { 
                "name": "xxxxxxxx" 
            } 
        } 
    } 
}

After obtaining the token, add the X-Auth-Token header in a request to specify the token when calling other APIs. For example, if the token is ABCDEFJ...., X-Auth-Token: ABCDEFJ.... can be added to a request header as follows:

GET https://iam.ap-southeast-1.myhuaweicloud.com/v3/auth/projects 
Content-Type: application/json 
X-Auth-Token: ABCDEFJ....

AK/SK Authentication

AK/SK authentication supports API requests with a body no larger than 12 MB. For API requests with a larger body, use token authentication.

In AK/SK-based authentication, the AK/SK is used to sign requests and the signature is then added to the requests for authentication.

  • AK: access key ID. It is a unique ID associated with an SK. AK is used together with SK to sign requests.
  • SK: secret access key. It is used together with an access key ID to identify a sender who initiates a request and to cryptographically sign requests, preventing the request from being modified.

In AK/SK-based authentication, you can use an AK/SK to sign requests based on the signature algorithm or use the signing SDK to sign requests. For details about how to sign requests and use the signing SDK, see AK/SK Signing and Authentication Guide.

The signing SDK is only used for signing requests and is different from the SDKs provided by services.