Authentication
Requests for calling an API can be authenticated using either of the following methods:
- Access Key ID/Secret Access Key (AK/SK)-based authentication: Requests are encrypted using an AK/SK.
- Token-based authentication: Requests are authenticated using a token.
AK/SK-based Authentication
An AK/SK is used to verify the identity of a request sender. In AK/SK-based authentication, a signature needs to be obtained and then added to the request header.
- AK: a unique access key ID associated with a secret access key. AK is used together with SK to obtain an encrypted signature for a request.
- SK: a secret access key used in conjunction with an AK to sign requests cryptographically. It identifies a request sender and prevents the request from being modified.
The following shows how to sign an HTTPS request and use an HTTP client to send the request.
Download the demo project at https://github.com/api-gate-way/SdkDemo.
If you do not need the demo project, visit the following URL to download the API Gateway signing SDK:
Obtain the API Gateway signing SDK from the enterprise administrator.
Decompress the downloaded package to obtain a JAR file. Reference the JAR file to the dependency path, as shown in the following figure.
- Generate an AK/SK. (If an AK/SK file has already been obtained, skip this step and locate the downloaded AK/SK file. Generally, the file name will be credentials.csv.)
- Log in to the management console.
- Click the username and choose My Credentials from the drop-down list.
- In the navigation pane, choose Access Keys.
- Click Create Access Key.
- On the displayed page, enter the login password.
- Enter the verification code received by email or SMS message.
For users created in IAM, if no email address or mobile number is specified during user creation, only the login password needs to be authenticated.
- Click OK to download the access key.
To prevent the access key from being leaked, keep it secure.
- Obtain and decompress the demo code.
- Import the sample project to Eclipse.
Figure 1 Selecting an existing project
Figure 2 Selecting the demo project
Figure 3 Example structure
- Sign the request.
The signature method is integrated into the JAR file imported in step 3. Sign a request before sending it. The signature will be added as part of the HTTP header of the request.
The demo code is classified into three parts:
- AccessService: an abstract class that merges the GET, POST, PUT, and DELETE methods into the access method
- Demo: an execution entry used to simulate the sending of GET, POST, PUT, and DELETE requests
- AccessServiceImpl: implements the access method, which contains the code required for communicating with API Gateway.
- (Optional) Add request header fields.
Locate the following rows in the AccessServiceImpl.java file, cancel code line shielding, and replace the subproject ID and account ID with the actual ones.
//TODO: Add special headers.//request.addHeader("X-Project-Id", "xxxxx");//request.addHeader("X-Domain-Id", "xxxxx"); - Edit the main method in the Demo.java file.
Replace the bold texts with actual values. If you use other methods, such as POST, PUT, and DELETE, see the corresponding annotations.
Replace region, serviceName, AK/SK, and URL. In the demo project, the URL for obtaining the VPC is used. Replace it with the required URL. For project_id in the URL, obtain it from Obtaining an Account ID, Project ID, and Enterprise Project ID. For the endpoint, obtain it from the enterprise administrator.
//TODO: Replace region with the name of the region in which the service to be accessed is located. private static final String region = "";//
TODO: Replace vpc with the name of the service you want to access. For example, ECS, VPC, IAM, and ELB. private static final String serviceName = "";
public static void main(String[] args) throws UnsupportedEncodingException{//
TODO: Replace the AK and SK with those obtained on the My Credential page.String ak = "
ZIRRKMTWP******1WKNKB";String sk = "
Us0mdMNHk******YrRCnW0ecfzl";//
TODO: To specify a project ID (multi-project scenarios), add the X-Project-Id header.//
TODO: To access a global service, such as IAM, DNS, CDN, and TMS, add the X-Domain-Id header to specify an account ID.//
TODO: To add a header, find "Add special headers" in the AccessServiceImple.java file.//
TODO: Test the APIString url = "
https://{Endpoint}/v1/{project_id}/vpcs"; get(ak, sk, url);//
TODO: When creating a VPC, replace {project_id} in postUrl with the actual value.//String postUrl = "https://serviceEndpoint/v1/{project_id}/cloudservers";//String postbody ="{\"vpc\": {\"name\": \"vpc\",\"cidr\": \"192.168.0.0/16\"}}";//post(ak, sk, postUrl, postbody);
//
TODO: When querying a VPC, replace {project_id} in url with the actual value.//String url = "https://serviceEndpoint/v1/{project_id}/vpcs/{vpc_id}";//get(ak, sk, url);
//
TODO: When updating a VPC, replace {project_id} and {vpc_id} in putUrl with the actual values.//String putUrl = "https://serviceEndpoint/v1/{project_id}/vpcs/{vpc_id}";//String putbody ="{\"vpc\":{\"name\": \"vpc1\",\"cidr\": \"192.168.0.0/16\"}}";//put(ak, sk, putUrl, putbody);
//
TODO: When deleting a VPC, replace {project_id} and {vpc_id} in deleteUrl with the actual values.//String deleteUrl = "https://serviceEndpoint/v1/{project_id}/vpcs/{vpc_id}";//delete(ak, sk, deleteUrl);
}
- Compile and run the code to call an API.
In the Package Explorer area on the left, right-click Demo.java, choose Run AS > Java Application from the shortcut menu, and click Run.
You can view the API calling logs on the console.
Token-based Authentication
- The validity period of a token is 24 hours. If a token is used for authentication, cache it to prevent frequent API calling.
- Ensure that the token is valid when you use it. Using a token that will soon expire may cause API calling failures.
A token specifies temporary permissions in a computer system. During API authentication using a token, the token is added to requests to get permissions for calling the API.
The token can be obtained by calling the API for obtaining a user token. Project-level tokens are required for calling APIs of this service. That is, when calling the API for obtaining a user token, specify a project under auth.scope in the request body.
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"name": "username",
"password": "********",
"domain": {
"name": "domainname"
}
}
}
},
"scope": {
"project": {
"name": "xxxxxxxx"
}
}
}
}
After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token when calling other APIs. For example, if the token is ABCDEFG..., X-Auth-Token: ABCDEFG... can be added to a request as follows:
GET https://Endpoint/v3/auth/projects Content-Type: application/json X-Auth-Token: ABCDEFG...
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
