Authentication of requests
Depending on product or its resource to work with Selectel products API and authenticate requests instead of login and password are used:
-
IAM tokens — prescribed service users. The lifetime of a token is 24 hours. IAM tokens are transferred in the header
X-Auth-Tokenand have a different scope:- IAM tokens for the account (
iam_token_account_scoped) — to manage the resources tied to the account; - IAM tokens for the project (
iam_token_project_scoped) — to manage resources tied to the project;
- IAM tokens for the account (
-
static tokens (
static_token) — discharged control panel users. Token lifetime is not limited. Used to manage resources bound to an account. Transmitted in the headerX-Token.
The address (URL) to be used in requests can be found at URL list.
You can restrict access to the API at addresses that include https://api.selectel.ru.
IAM token for account (X-Auth-Token)
The IAM token for an account can only be issued by service user.
The token is passed in the header X-Auth-Token.
IAM token for the account (iam_token_account_scoped) gives you access to the management of most Selectel products and OpenStack API objects in the same way as a login and password in the control panel my.selectel.ru.
Allows you to manage account resources.
The lifetime of the token is 24 hours.
The token allows you to control:
- users and roles (IAM) и federations;
- balance и consumption statistics;
- dedicated servers;
- OpenStack API objects (cloud servers, network disks, and others) using APIs cloud platform projects and resources, project quotas and limits, read more in OpenStack documentation;
- CDN;
- DNS hosting (legacy);
- mobile farm.
Get an IAM token for the account
It is possible to issue an IAM token for an account to service users with roles:
- Account Administrator;
- Billing Administrator;
- User Administrator;
- Account Supervisor.
If you are using Windows, replace single quotes in queries ('') to double (""). We also recommend using PowerShell for queries and not using CMD.
- Execute the request:
curl -i -XPOST \
-H 'Content-Type: application/json' \
-d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"<username>","domain":{"name":"<account_id>"},"password":"<password>"}}},"scope":{"domain":{"name":"<account_id>"}}}}' \
'https://cloud.api.selcloud.ru/identity/v3/auth/tokens'
Specify:
<username>— the name of the service user. You can view the name in control panels: from the top menu, press Account and go to the section Users → tab Service users (the section is only available to the Account Owner and User Administrator);<account_id>— control panel account number. You can look in control panels in the upper right-hand corner;<password>— service user password, can be viewed during user creation or change to a new one.
If authorization is successful, a response with a code will be returned 201 Created in the format:
HTTP/2 201
X-Subject-Token: token
- In the header.
X-Subject-Tokenlook at the token.
IAM token for the project (X-Auth-Token)
The IAM token for a project can only be issued by service user.
The token is passed in the header X-Auth-Token.
IAM token for the project (iam_token_project_scoped) gives you access to the management of most Selectel products and OpenStack API objects in the same way as a login and password in the control panel my.selectel.ru.
Allows you to manage project resources.
The lifetime of the token is 24 hours.
The token allows you to control:
- dedicated servers;
- OpenStack API objects (cloud servers, network disks, and others) using APIs cloud platform projects and resources, cloud platform resources in the project, project quotas and limits, read more in OpenStack documentation;
- cloud-based platform-- cloud databases, Managed Kubernetes, Container Registry, secret manager (secrets, certificates, Let's Encrypt® certificates);
- object storage (Swift API и Selectel Storage API);
- DNS hosting;
- Selectel mail service;
- log platform;
- mobile farm.
Obtain an IAM token for the project
The IAM token for the project can be issued to service users with roles:
- Account Administrator;
- Billing Administrator;
- User Administrator;
- Account Supervisor;
- Project Administrator;
- Object Storage Administrator;
- Project Observer.
If you are using Windows, replace single quotes in queries ('') to double (""). We also recommend using PowerShell for queries and not using CMD.
- Execute the request:
curl -i -XPOST \
-H 'Content-Type: application/json' \
-d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"<username>","domain":{"name":"<account_id>"},"password":"<password>"}}},"scope":{"project":{"name":"<project_name>","domain":{"name":"<account_id>"}}}}}' \
'https://cloud.api.selcloud.ru/identity/v3/auth/tokens'
Specify:
<username>— the name of the service user. You can view the name in control panels: from the top menu, press Account and go to the section Users → tab Service users (the section is only available to the Account Owner and User Administrator);<account_id>— control panel account number. You can look in control panels in the upper right-hand corner;<password>— service user password, can be viewed during user creation or change to a new one;<project_name>— project name.
If authorization is successful, a response with a code will be returned 201 Created in the format:
HTTP/2 201
X-Subject-Token: token
- In the header.
X-Subject-Tokencheck out the token.
Static token (X-Token)
The X-Token can only be issued control panel user.
The token is passed in the request in the header X-Token.
Static token (static_token) gives full access to the management of all Selectel products except OpenStack API objects, as well as login and password in the control panels my.selectel.ru.
The lifetime of the token is unlimited.
For APIs that do not support IAM token for the account и IAM token for the project the X-Token is the only one:
Get a static token
- В control panels from the top menu, press Account.
- Go to the section API Keys.
- Click Add key.
- Enter the name of the key.
- Click Add.