Common Errors Related to IAM Authentication Information: You may encounter the following errors related to IAM authentication information: "Incorrect IAM authentication information: verify aksk signature fail"; "Incorrect IAM authentication information: AK access failed to reach the limit".
Calling APIs Through IAM Authentication: Token Authentication; AK/SK Authentication
Replace {user_name} and {password} respectively with the username and password of the IAM server. {project_id}: The project ID.
Why Can't I Create a Header Parameter Named x-auth-token for an API Called Through IAM Authentication? The header parameter x-auth-token has already been defined in APIG. To use this parameter to call an API, add the parameter and its value to the request header.
With IAM, you can: Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing APIG resources. Grant only the permissions required for users to perform a specific task.
Identity authentication: Configure IAM or App authentication for APIs to prevent malicious calling. Access control policies: Configure a whitelist or blacklist of IP addresses/IP address ranges or accounts for APIs to secure access.
General Procedure: Configuring the API Frontend: Set the security authentication mode of the API frontend to Custom or enable Two-Factor Authentication (app or IAM authentication), and select a custom authorizer.
API calling through IAM authentication (token authentication): API callers obtain a token from the cloud service platform and add the token to their API requests.
If your Huawei Cloud account does not require individual IAM users for permissions management, skip this chapter. IAM is free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
A policy can be applied to IAM projects, enterprise projects, or both. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management.
For details about IAM authentication, see Using IAM Authentication to Call APIs. Scenario: SDKs are used when you call APIs through app authentication. Download SDKs and related documentation and then call APIs by following the instructions in the documentation.
SDKs: APIG supports API authentication based on IAM, apps, and custom authorizers. You can also choose not to authenticate API requests. For details about the differences between the four modes and how to select one, see Calling APIs.
In addition to IAM and app authentication, APIG also supports custom authentication with your own authentication system, which can better adapt to your business capabilities. Custom authentication is implemented using the FunctionGraph service.
AppSigv1 and IAM are supported.
type | Yes | String | Authentication type. Only apiKey is supported.
name | Yes | String | Name of the parameter for authentication.
in | Yes | String | Only header is supported.
description | No | String | Description about the authentication.
APIG.0301 | Incorrect IAM authentication information. | 401 | The IAM authentication details are incorrect. | Check the token by referring to Common Errors Related to IAM Authentication Information.
Example Requests: Delete whitelist records for a VPC endpoint service. { "permissions" : [ "iam:domain::7cc2018e40394f7c9692f1713e76234d" ] } Example Responses: Status code: 200 OK { "permissions" : [ "iam:domain::930ba6b0ea64457e8ed1861e596c7a9a" ] } Status code: 401 Unauthorized
Example Requests: Add whitelist records for a VPC endpoint service. { "permissions" : [ "iam:domain::7cc2018e40394f7c9692f1713e76234d" ] } Example Responses: Status code: 200 OK { "permissions" : [ "iam:domain::930ba6b0ea64457e8ed1861e596c7a9a" ] } Status code: 401 Unauthorized
Account ID: Control IAM authentication-based API access by account ID, not IAM user ID. Configure one or more account IDs, separated by commas (,). Each account ID contains 32 characters (letters and digits). Max. 1,024 characters.
IAM (token): Obtain the username and password for the cloud platform. IAM (AK/SK): Obtain the AK/SK of an account for the cloud platform and the signing SDK.