Updated on 2024-02-29 GMT+08:00

Authentication

Requests for calling an API can be authenticated using either of the following methods:

  • Token-based authentication: Requests are authenticated using a token.
  • AK/SK-based authentication: Requests are encrypted using an AK/SK.

Token-based Authentication

The validity period of a token is 24 hours. When using a token for authentication, you may cache it so there is no need to call the IAM API frequently.

A token specifies temporary permissions in a computer system. During API authentication using a token, the token is added to a request to get permissions for calling the API.

When calling the API to obtain a user token, you must set auth.scope in the request body to project. The following is a request example:

{
  "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "username", //Replace it with the actual username.
          "password": "**********",//Replace it with the actual password.
          "domain": {
            "name": "domianname"  //Replace it with the actual account name.
          }
        }
      }
    },
    "scope": {
      "project": {
        "name": "cn-north-1"  //Replace it with the actual project name to obtain the token of the specified project.
      }
    }
  }
}

After obtaining the token, add the X-Auth-Token header in a request to specify the token when calling other APIs. For example, if the token is ABCDEFJ...., add X-Auth-Token: ABCDEFJ.... in a request as follows:

GET https://iam.cn-north-1.myhuaweicloud.com/v3/auth/projects
Content-Type: application/json
X-Auth-Token: ABCDEFJ....

AK/SK-based Authentication

AK/SK-based authentication supports API requests with a body not larger than 12 MB. For API requests with a larger body, token-based authentication is recommended.

In AK/SK-based authentication, the AK/SK is used to sign requests and the signature is then added to the requests for authentication.

  • AK: access key ID, which is a unique identifier used in conjunction with a secret access key to sign requests cryptographically.
  • SK: secret access key used in conjunction with an AK to sign requests cryptographically. It identifies a request sender and prevents the request from being modified.
In AK/SK-based authentication, you can use the AK/SK to sign requests based on the signature algorithm or use a dedicated signing SDK to sign requests. For details about how to sign requests and use the signing SDK, see AK/SK Signing and Authentication Guide.

The signing SDK is only used for signing requests and is different from the SDKs provided by services.