You may encounter the following errors related to IAM authentication information:
  Incorrect IAM authentication information: verify aksk signature fail
  Incorrect IAM authentication information: AK access failed to reach the limit,forbidden
  Incorrect IAM authentication information:
Scheme Object (2.0)/Security Scheme Object (3.0) Swagger:
  securityDefinitions:
    apig-auth-app:
      in: header
      name: Authorization
      type: apiKey
      x-apigateway-auth-type: AppSigv1
    apig-auth-iam:
      in: header
      name: unused
      type: apiKey
      x-apigateway-auth-type: IAM
AppSigv1
  apig-auth-app-header:
    type: apiKey
    name: Authorization
    in: header
    x-apigateway-auth-opt:
      appcode-auth-type: header
    x-apigateway-auth-type: AppSigv1
  apig-auth-iam:
    type: apiKey
    name: unused
    in: header
    x-apigateway-auth-type: IAM
Why Can't I Create a Header Parameter Named x-auth-token for an API Called Through IAM Authentication? The header parameter x-auth-token has already been defined in APIG. To use this parameter to call an API, add the parameter and its value to the request header.
Calling APIs Through IAM Authentication Token Authentication AK/SK Authentication
Configuring Two-factor Authentication (App + Custom) Scenario Two-factor authentication allows you to customize an API authentication policy together with the app or IAM authentication.
With IAM, you can: Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing APIG resources. Grant only the permissions required for users to perform a specific task.
Identity authentication Configure IAM or App authentication for APIs to prevent malicious calling. Access control policies Configure a whitelist or blacklist of IP addresses/IP address ranges or accounts for APIs to secure access.
Example Requests
  Delete whitelist records for a vpc endpoint service.
  { "permissions" : [ "iam:domain::7cc2018e40394f7c9692f1713e76234d" ] }
Example Responses
  Status code: 200 OK
  { "permissions" : [ "iam:domain::930ba6b0ea64457e8ed1861e596c7a9a" ] }
  Status code: 401 Unauthorized
Example Requests
  Add whitelist records for a vpc endpoint service.
  { "permissions" : [ "iam:domain::7cc2018e40394f7c9692f1713e76234d" ] }
Example Responses
  Status code: 200 OK
  { "permissions" : [ "iam:domain::930ba6b0ea64457e8ed1861e596c7a9a" ] }
  Status code: 401 Unauthorized
Developing a Custom Authorizer with FunctionGraph Scenario In addition to IAM and app authentication, APIG also supports custom authentication with your own authentication system, which can better adapt to your business capabilities.
A policy can be applied to IAM projects, enterprise projects, or both. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management.
IAM (token) Obtain the username and password for the cloud platform. IAM (AK/SK) Obtain the AK/SK of an account for the cloud platform and the signing SDK.
General Procedure Configuring the API Frontend Set the security authentication mode of the API frontend to Custom or enable Two-Factor Authentication (app or IAM authentication), and select a custom authorizer.
If your Huawei Cloud account does not require individual IAM users for permissions management, skip this chapter. IAM is free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
Parent topic: Calling APIs Through IAM Authentication
APIG.0301 Incorrect IAM authentication information. 401 The IAM authentication details are incorrect. Check the token by referring to Common Errors Related to IAM Authentication Information.
Replace {user_name} and {password} respectively with the username and password of the IAM server. {project_id}: The project ID.
For details about IAM authentication, see Using IAM Authentication to Call APIs. Scenario SDKs are used when you call APIs through app authentication. Download SDKs and related documentation and then call APIs by following the instructions in the documentation.
API calling through IAM authentication (token authentication): API callers obtain a token from the cloud service platform and add the token to their API requests.