How Can I Use Temporary Access Keys of a FlexusL Instance Agency to Access Other Cloud Services?
Scenarios
Assume that you are a developer working on an application that runs on a FlexusL instance. The code in the application needs to call APIs to access Huawei Cloud services. In this case, the application requires access credentials.
Access credentials can be classified into permanent and temporary credentials based on their validity periods. Temporary access credentials have a shorter validity period and are updated frequently, so they are more secure than permanent access credentials (such as usernames and passwords). Your application can obtain temporary access credentials through a cloud service agency created for a FlexusL instance on the IAM console to access cloud services in a more secure way.
Figure 1 shows how to access a database service. The database service requires the access requester to provide access credentials. To obtain temporary credentials of the agency, the application sends a request to the metadata service. The metadata service obtains a temporary AK/SK of the agency from IAM and then returns the AK/SK to the application. The application then sends the AK/SK to the database service. The database service allows access only after checking that the AK/SK is valid.
Solution
To enable the application running on the FlexusL instance to obtain the temporary AK/SK of an agency, create an agency on the IAM console and specify the permissions and scope for the agency. Configure the agency for the FlexusL instance where the application is running. Then the application can apply for the temporary AK/SK of the agency to access resources based on the assigned permissions. The details are as follows:
- On the IAM console, create a cloud service agency for FlexusL and select the permissions and scope for the agency.
- Call the API for updating metadata to configure the agency for the FlexusL instance.
- Obtain the temporary AK/SK of the agency so that the application on the FlexusL instance can access other Huawei Cloud services with the assigned permissions, within the authorized scope.
Procedure
- Create a cloud service agency as the administrator.
- Log in to the IAM console.
- On the IAM console, choose Agencies from the navigation pane on the left, and click Create Agency on the displayed page.
- Enter an agency name.
- Select Cloud service for Agency Type and Elastic Cloud Server (ECS) and Bare Metal Server (BMS) for Cloud Service.
Figure 2 Creating an agency
- Set a validity period.
- (Optional) Enter a description for the agency. This option is recommended.
- Click OK.
- In the displayed dialog box, click Authorize.
- Select the permissions to be assigned to the agency, click Next, and specify the authorization scope.
- Click OK. The agency is created.
- Configure the agency for the FlexusL instance as the administrator or as an IAM user who has been granted FlexusL permissions.
Call the API for updating metadata and update agency_name in metadata to the new agency name.
Figure 3 Online debugging for agency configuration
Table 1 API parameters for agency configuration

| Parameter | Description | Example |
| --- | --- | --- |
| Region | Region. Select the region where the FlexusL instance is located. | CN-Hong Kong |
| project_id | Project ID. For details about how to obtain the project ID, see Obtaining a Project ID. | 2b31ed520xxxxxxebedb6e57xxxxxxxx |
| server_id | FlexusL instance ID. For details about how to obtain the FlexusL instance ID, see Where Can I View the FlexusL Instance ID and Cloud Server ID Packaged in the FlexusL Instance?. | e6b99563-xxxx-xxxx-xxxx-1820d4fd2a67 |
| metadata | User-defined metadata key-value pair. For details about the metadata data structure, see "metadata Field Description for Creating ECSs" in Data Structure for Creating ECSs. Update agency_name in metadata to the new agency name. | Key: agency_name, Value: L_test |
If the name of the created agency is L_test, the example request is as follows:
{ "metadata": { "agency_name": "L_test" } }
- Enable applications running on the FlexusL instance to get temporary credentials.
Call an API to obtain the temporary credentials of the agency, which the application then uses to access other Huawei Cloud services. For details, see Security Key (OpenStack Metadata API).
- URI
/openstack/latest/securitykey
- Method
GET request
- Example
Linux:
curl http://169.254.169.254/openstack/latest/securitykey
Windows:
Invoke-RestMethod http://169.254.169.254/openstack/latest/securitykey
FlexusL automatically rotates temporary credentials to ensure that they are secure and valid.
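An added example, not from the original page or from Huawei Cloud's own code: a Python helper an application on the instance could use to read the temporary credentials, hold them in memory only, and re-read them before they expire. The response field names (credential, access, secret, securitytoken, expires_at), the 10-minute refresh margin and all helper names are assumptions to check against Security Key (OpenStack Metadata API).

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

METADATA_URL = "http://169.254.169.254/openstack/latest/securitykey"  # from this page
REFRESH_MARGIN = timedelta(minutes=10)  # assumed safety margin before expiry
FIELDS = ("access", "secret", "securitytoken", "expires_at")  # assumed response keys
# Constructed sample response (placeholder values, not real credentials).
SAMPLE_BODY = ('{"credential": {"access": "AK-EXAMPLE", "secret": "SK-EXAMPLE", '
               '"securitytoken": "TOKEN-EXAMPLE", "expires_at": "2030-01-01T01:00:00.000000Z"}}')


def fetch_from_metadata(timeout=3):
    """GET the security key document directly, ignoring any configured HTTP proxy."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(METADATA_URL, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_credential(body):
    """Validate the assumed layout; return the fields with expires_at as a UTC datetime."""
    cred = json.loads(body).get("credential") or {}
    missing = [k for k in FIELDS if not cred.get(k)]
    if missing:
        raise ValueError("securitykey response lacks: " + ", ".join(missing))
    expiry = datetime.fromisoformat(cred["expires_at"].replace("Z", "+00:00"))
    if expiry.tzinfo is None:  # treat a naive timestamp as UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    return {**{k: cred[k] for k in FIELDS}, "expires_at": expiry}


class AgencyCredentials:
    """Keeps the temporary AK/SK in memory only and re-reads it shortly before expiry."""

    def __init__(self, fetch=fetch_from_metadata, now=lambda: datetime.now(timezone.utc)):
        self._fetch, self._now, self._cred = fetch, now, None

    def get(self):
        stale = self._cred is None or self._now() >= self._cred["expires_at"] - REFRESH_MARGIN
        if stale:
            self._cred = parse_credential(self._fetch())
        return self._cred

    def __repr__(self):  # never expose the SK or token in logs or tracebacks
        return "<AgencyCredentials access=%s>" % (self._cred or {}).get("access")


if __name__ == "__main__":
    creds = AgencyCredentials(fetch=lambda: SAMPLE_BODY,
                              now=lambda: datetime(2030, 1, 1, tzinfo=timezone.utc))
    print(creds, creds.get()["expires_at"].isoformat())
```

On the instance, construct `AgencyCredentials()` with no arguments so it reads from the metadata service, and call `get()` before each signed request instead of copying the values into configuration files or environment variables.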
