Request Authentication
Depending on the product or its resource, login and password are used instead of login and password to work with the Selectel Products API and authenticate requests:
-
IAM tokens — issued to service users. Token lifetime is 24 hours. IAM-tokens are transmitted in the
X-Auth-Tokenheader and have different validity range:- IAM tokens for the account (
iam_token_account_scoped) — for managing resources bound to the account; - IAM tokens for the project (
iam_token_project_scoped) — for managing resources tied to the project;
- IAM tokens for the account (
-
static tokens (
static_token) — issued to control panel users.. Token lifetime is not limited. They are used to manage resources bound to the account. Passed in the headerX-Token.
The address (URL) to refer to in requests can be viewed in the URL list.
You can restrict API access to addresses that include https://api.selectel.ru.
IAM token for account (X-Auth-Token)
An IAM token for an account can only be issued to a service user.
The token is passed in the X-Auth-Token header.
IAM account token (iam_token_account_scoped) gives access to the management of most Selectel products and OpenStack API objects on par with login and password in the my.selectel.ru control panel .Allows to manage account resources.
The lifetime of the token is 24 hours.
The token allows you to control:
- users and roles (IAM) и federations;
- balance и consumption statistics;
- dedicated servers;
- OpenStack API objects (cloud servers, network disks and others) using API projects and cloud platform resources, project quotas and limits, more details in OpenStack documentation;
- CDN;
- DNS hosting (legacy);
- a mobile farm.
Get an IAM token for the account
It is possible to issue an IAM token for an account to service users with roles:
- Account Administrator;
- Billing Administrator;
- User Admin;
- Account Supervisor.
If you are using Windows, replace single quotes ('') with double quotes ("") in queries. We also recommend that you use PowerShell for queries and do not use CMD.
- Execute the request:
curl -i -XPOST \
-H 'Content-Type: application/json' \
-d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"<username>","domain":{"name":"<account_id>"},"password":"<password>"}}},"scope":{"domain":{"name":"<account_id>"}}}}' \
'https://cloud.api.selcloud.ru/identity/v3/auth/tokens'
Specify:
<username>— the name of the service user. You can view the name in the control panel: in the top menu, click Account and go to Users → tab Service Users (the section is available only to the Account Owner and User Administrator);<account_id>— control panel account number. Can be viewed in control panel in the upper right corner;<password>— service user password, can be viewed when creating a user or changed to a new one. change it to a new one.
A successful authorization will return a response with a 201 Created code in the format:
HTTP/2 201
X-Subject-Token: token
- In the
X-Subject-Tokenheader, look for the token.
IAM token for the project (X-Auth-Token)
The IAM token for a project can only be issued to a service user.
The token is passed in the X-Auth-Token header.
IAM token for the project (iam_token_project_scoped) gives access to the management of most Selectel products and OpenStack API objects on the same level as login and password in the my.selectel.ru control panel .Allows to manage project resources.
The lifetime of the token is 24 hours.
The token allows you to control:
- dedicated servers;
- OpenStack API objects (cloud servers, network disks and others) using API projects and cloud platform resources, cloud platform resources in a project, project quotas and limits, more details in OpenStack documentation;
- cloud platform — cloud databases, Managed Kubernetes, Container Registry, secrets manager ( secrets, certificates, Let's Encrypt® certificates);
- object storage (Swift API and Selectel Storage API);
- DNS hosting;
- with Selectel mail service;
- the log platform;
- 1C cloud ready;
- a mobile farm.
Obtain an IAM token for the project
The IAM token for a project can be issued to service users with roles:
- Account Administrator;
- Billing Administrator;
- User Administrator;
- Account Supervisor;
- Project Administrator;
- Object Storage Administrator;
- Project Observer.
If you are using Windows, replace single quotes ('') with double quotes ("") in queries. We also recommend that you use PowerShell for queries and do not use CMD.
- Execute the request:
curl -i -XPOST \
-H 'Content-Type: application/json' \
-d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"<username>","domain":{"name":"<account_id>"},"password":"<password>"}}},"scope":{"project":{"name":"<project_name>","domain":{"name":"<account_id>"}}}}}' \
'https://cloud.api.selcloud.ru/identity/v3/auth/tokens'
Specify:
<username>— the name of the service user. You can view the name in the control panel: in the top menu, click Account and go to Users → tab Service Users (the section is available only to the Account Owner and User Administrator);<account_id>— control panel account number. Can be viewed in control panel in the upper right corner;<password>— service user password, can be viewed when creating a user or change it to a new one;<project_name>— project name.
A successful authorization will return a response with a 201 Created code in the format:
HTTP/2 201
X-Subject-Token: token
- In the
X-Subject-Tokenheader, look for the token.
Static token (X-Token)
An X-Token can only be issued to a control panel user.
The token is passed in the request in the X-Token header.
A static token (static_token) gives full access to the management of all Selectel products, except for OpenStack API objects, as well as login and password in the my.selectel.ru control panel.
The lifetime of the token is unlimited.
For APIs that do not support IAM token for account and IAM token for project, X-Token is the only one:
Get a static token
- In the control panel, on the top menu, click Account.
- Go to API Keys.
- Click Add Key.
- Enter the name of the key.
- Click Add.