Obtaining an Agency Token
Function
This API is used to obtain an agency token.
For example, after a trust relationship is established between A and B, A is the delegating party and B is the delegated party. Then B can use this API to obtain an agency token. The obtained agency token can only be used to manage the resources that account B is delegated to manage. If account B needs to manage their own resources, account B needs to obtain a user token. For details, see Delegating Resource Access to Another Account.
A token is an access credential issued to a user to bear its identity and permissions. When calling the APIs of IAM or other cloud services, you can use this API to obtain a token for authentication.
The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.
- The validity period of a token is 24 hours. Cache the token to prevent frequent API calling.
- Ensure that the token is valid while you use it. Using a token that will soon expire may cause API calling failures.
Debugging
You can debug this API in API Explorer.
URI
POST /v3/auth/tokens
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
nocatalog |
No |
String |
If this parameter is set, no catalog information will be displayed in the response. Any character string set for this parameter indicates that no catalog information will be displayed. |
Request Parameters
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
Content-Type |
Yes |
String |
Fill application/json;charset=utf8 in this field. |
|
X-Auth-Token |
Yes |
String |
Token with Agent Operator permissions of an IAM user created by delegated party B. |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
Yes |
Object |
Authentication information. |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
Yes |
Object |
Authentication parameters. |
|
|
Yes |
Object |
Usage scope of the token. The value can be project or domain.
NOTE:
|
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
methods |
Yes |
Array of strings |
Method for obtaining the token. Set this parameter to assume_role. |
|
Yes |
Object |
Details about the delegating account and agency. |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
domain_id |
No |
String |
Account ID of delegating party A. Either domain_id or domain_name must be set. You are advised to specify domain_id. For details about how to obtain the account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. |
|
domain_name |
No |
String |
Account name of delegating party A. Either domain_id or domain_name must be set. You are advised to specify domain_id. You can view the account name of delegating party A in the agency list on the IAM console. |
|
agency_name |
Yes |
String |
Name of the agency created by delegating party A. For details about how to obtain the agency name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
No |
Object |
If this parameter is set to domain, the token can be used to access global services, such as OBS. Global services are not subject to any projects or regions. For details about the service scope, see System Permissions. You can specify either id or name. domain_id is recommended. |
|
|
No |
Object |
If this parameter is set to project, the token can be used to access only services in specific projects, such as ECS. For details about the service scope, see System Permissions. You can specify either id or name. |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
id |
No |
String |
Account ID of delegating party A. For details about how to obtain the account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. You can specify either id or name. |
|
name |
No |
String |
Account name of delegating party A. For details about how to obtain the account name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. You can specify either id or name. |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
id |
No |
String |
Project ID of delegating party A. For details about how to obtain the project ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. You can specify either id or name. |
|
name |
No |
String |
Project name of delegating party A. For details about how to obtain the project name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. You can specify either id or name. |
Example Request
- Request for using a user token with Agent Operator permissions of IAM user IAMUserB of delegated party B (account name: IAMDomainB) to obtain another token to manage the resources of delegating party A (account name: IAMDomainA) in the ap-southeast-1 project through agency IAMAgency, without displaying catalog information in the response
POST https://iam.myhuaweicloud.com/v3/auth/tokens?nocatalog=true{ "auth": { "identity": { "methods": [ "assume_role" ], "assume_role": { "domain_name": "IAMDomainA", // Name of the account which the delegating party IAM user A belongs to "agency_name": "IAMAgency" // Name of the agency created by IAM user A } }, "scope": { "project": { "name": "ap-southeast-1" //Project name } } } } - Request for using a user token with Agent Operator permissions of IAM user IAMUserB of delegated party B (account name: IAMDomainB) to obtain another token to manage all resources of delegating party A (account name: IAMDomainA) through agency IAMAgency
POST https://iam.myhuaweicloud.com/v3/auth/tokens{ "auth": { "identity": { "methods": [ "assume_role" ], "assume_role": { "domain_name": "IAMDomainA", // Name of the account which the delegating party IAM user A belongs to "agency_name": "IAMAgency" // Name of the agency created by IAM user A } }, "scope": { "domain": { "name": "IAMDomainA" // Name of the account which the delegating party IAM user A belongs to } } } }
Response Parameters
|
Parameter |
Type |
Description |
|---|---|---|
|
X-Subject-Token |
String |
Signed token. |
|
Parameter |
Type |
Description |
|---|---|---|
|
Object |
Token information. |
|
Parameter |
Type |
Description |
|---|---|---|
|
methods |
Array of strings |
Method for obtaining the token. |
|
expires_at |
String |
Time when the token will expire.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
|
issued_at |
String |
Time when the token was issued.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
|
Object |
Information about delegated party B. |
|
|
Array of objects |
Catalog information. |
|
|
Object |
Account information about delegating party A. This parameter is returned only when the scope parameter in the request body has been set to domain. |
|
|
Object |
Project information about delegating party A. This parameter is returned only when the scope parameter in the request body has been set to project. |
|
|
Array of objects |
Permissions information of the token. |
|
|
Object |
Information about the agency created by delegating party A. |
|
Parameter |
Type |
Description |
|---|---|---|
|
Object |
Information about an IAM user of delegated party B. |
|
Parameter |
Type |
Description |
|---|---|---|
|
name |
String |
IAM username. |
|
id |
String |
IAM user ID. |
|
Object |
Account information about delegated party B. |
|
|
password_expires_at |
String |
Password expiration time of the IAM user. If this parameter is not specified, the password will never expire.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
|
Parameter |
Type |
Description |
|---|---|---|
|
name |
String |
Account name of delegated party B. |
|
id |
String |
Account ID of delegated party B. |
|
Parameter |
Type |
Description |
|---|---|---|
|
Array of objects |
Endpoint information. |
|
|
id |
String |
Service ID. |
|
name |
String |
Service name. |
|
type |
String |
Type of the service which the API belongs to. |
|
Parameter |
Type |
Description |
|---|---|---|
|
id |
String |
Endpoint ID. |
|
interface |
String |
Visibility of the API. public indicates that the API is available for public access. |
|
region |
String |
Region which the endpoint belongs to. |
|
region_id |
String |
Region ID. |
|
url |
String |
Endpoint URL. |
|
Parameter |
Type |
Description |
|---|---|---|
|
name |
String |
Account name of delegating party A. |
|
id |
String |
Account ID of delegating party A. |
|
Parameter |
Type |
Description |
|---|---|---|
|
name |
String |
Project name of delegating party A. |
|
id |
String |
Project ID of delegating party A. |
|
Object |
Account information about delegating party A. |
|
Parameter |
Type |
Description |
|---|---|---|
|
name |
String |
Account name of delegating party A. |
|
id |
String |
Account ID of delegating party A. |
|
Parameter |
Type |
Description |
|---|---|---|
|
name |
String |
Permission name. |
|
id |
String |
Permission ID. The default value is 0, which does not correspond to any permission. |
Example Response
Status code: 201
The request is successful.
Example 1: Response to the request for using a user token with Agent Operator permissions of IAM user IAMUserB of delegated party B (account name: IAMDomainB) to obtain another token to manage all resources of delegating party A (account name: IAMDomainA) through agency IAMAgency
Example 2: Response to the request for using a user token with Agent Operator permissions of IAM user IAMUserB of delegated party B (account name: IAMDomainB) to obtain another token to manage the resources of delegating party A (account name: IAMDomainA) in the ap-southeast-1 project through agency IAMAgency, without displaying catalog information in the response
- Example 1
Parameters in the response header X-Subject-Token:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...
Parameters in the response body { "token": { "expires_at": "2020-01-05T05:05:17.429000Z", "methods": [ "assume_role" ], "catalog": [ { "endpoints": [ { "id": "33e1cbdd86d34e89a63cf8ad16a5f49f", "interface": "public", "region": "*", "region_id": "*", "url": "https://iam.myhuaweicloud.com/v3.0" } ], "id": "100a6a3477f1495286579b819d399e36", "name": "iam", "type": "iam" } ], "domain": { "id": "d78cbac186b744899480f25bd022f468", "name": "IAMDomainA" }, "roles": [ { "id": "0", "name": "op_gated_eip_ipv6" }, { "id": "0", "name": "op_gated_rds_mcs" } ], "issued_at": "2020-01-04T05:05:17.429000Z", "user": { "domain": { "id": "d78cbac186b744899480f25bd022f468", "name": "IAMDomainA" }, "id": "0760a9e2a60026664f1fc0031f9f205e", "name": "IAMDomainA/IAMAgency" }, "assumed_by": { "user": { "domain": { "id": "a2cd82a33fb043dc9304bf72a0f38f00", "name": "IAMDomainB" }, "id": "0760a0bdee8026601f44c006524b17a9", "name": "IAMUserB", "password_expires_at": "" } } } } - Example 2
Parameters in the response header X-Subject-Token:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...
Parameters in the response body { "token": { "expires_at": "2020-01-05T06:49:28.094000Z", "methods": [ "assume_role" ], "catalog": [], "roles": [ { "id": "0", "name": "op_gated_eip_ipv6" }, { "id": "0", "name": "op_gated_rds_mcs" } ], "project": { "domain": { "id": "d78cbac186b744899480f25bd022f468", "name": "IAMDomainA" }, "id": "aa2d97d7e62c4b7da3ffdfc11551f878", "name": "ap-southeast-1" }, "issued_at": "2020-01-04T06:49:28.094000Z", "user": { "domain": { "id": "d78cbac186b744899480f25bd022f468", "name": "IAMDomainA" }, "id": "0760a9e2a60026664f1fc0031f9f205e", "name": "IAMDomainA/IAMAgency" }, "assumed_by": { "user": { "domain": { "id": "a2cd82a33fb043dc9304bf72a0f38f00", "name": "IAMDomainB" }, "id": "0760a0bdee8026601f44c006524b17a9", "name": "IAMUserB", "password_expires_at": "" } } } }
Status code: 400
Invalid parameters.
{
"error": {
"code": 400,
"message": "The request body is invalid",
"title": "Bad Request"
}
}
Status code: 401
Authentication failed.
{
"error": {
"code": 401,
"message": "The X-Auth-Token is invalid!",
"title": "Unauthorized"
}
}
Status code: 403
Access denied.
- The user token specified in X-Auth-Token for user B of delegated party B does not have the Agent Operator permission. Please apply for the required permission.
{
"error": {
"code": 403,
"message": "You have no right to do this action",
"title": "Forbidden"
}
}
Status Codes
|
Status Code |
Description |
|---|---|
|
201 |
The request is successful. |
|
400 |
Invalid parameters. |
|
401 |
Authentication failed. |
|
403 |
Access denied. The possible cause of this error is that the delegated party does not have the Agent Operator permission.) |
|
404 |
The requested resource cannot be found. |
|
500 |
Internal server error. |
|
503 |
Service unavailable. |
Error Codes
None
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
