Request authentication
Depending on the product or its resource, the following are used instead of a username and password to work with Selectel product APIs and authenticate requests:
-
IAM tokens are issued to service users. Token lifetime is 24 hours. IAM tokens are passed in the
X-Auth-Tokenheader and have different scopes:- Account IAM tokens (
iam_token_account_scoped) — for managing resources linked to the account; - Project IAM tokens (
iam_token_project_scoped) — for managing resources linked to the project;
- Account IAM tokens (
-
static tokens (
static_token) — issued to users with access to the control panel and used to manage resources linked to the account. Token lifetime is unlimited. Static tokens are passed in theX-Tokenheader.
The request URL can be found in the list of URLs.
You can limit API access to addresses that include https://api.selectel.ru.
Account IAM token (X-Auth-Token)
An account IAM token can only be issued to a service user.
The token is passed in the X-Auth-Token header.
An account IAM token (iam_token_account_scoped) provides access to manage most Selectel products and OpenStack API objects, similar to using a username and password in the my.selectel.ru control panel. It allows you to manage account resources.
Token lifetime is 24 hours.
The token allows you to manage:
- users and roles (IAM) and federations;
- balance and usage statistics;
- dedicated servers;
- OpenStack API objects (cloud servers, network volumes, and others) using the 1 cloud platform projects and resources, project quotas and limits API; learn more in the OpenStack documentation;
- global router;
- DNS hosting (legacy);
- mobile farm.
Get an account IAM token
An account IAM token can be issued to service users that have a permission with the Account scope selected.
If you are using Windows, replace single quotes ('') with double quotes ("") in your requests. We also recommend using PowerShell for requests instead of CMD.
- Perform the request:
curl -i -XPOST \
-H 'Content-Type: application/json' \
-d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"<username>","domain":{"name":"<account_id>"},"password":"<password>"}}},"scope":{"domain":{"name":"<account_id>"}}}}' \
'https://cloud.api.selcloud.ru/identity/v3/auth/tokens'
Specify:
<username>— service user name. You can find the name in the control panel: in the top menu, click IAM → Service Users section (the section is available only to the account owner and users with theiam.adminrole);<account_id>— account number. You can find it in the control panel in the upper-right corner;<password>— service user password; you can see it when creating a user or change it to a new one.
Upon successful authentication, you will receive a 201 Created response in the following format:
HTTP/2 201
X-Subject-Token: token
- Check the
X-Subject-Tokenheader for the token.
Project IAM token (X-Auth-Token)
A project IAM token can only be issued to a service user.
The token is passed in the X-Auth-Token header.
A project IAM token (iam_token_project_scoped) provides access to manage most Selectel products and OpenStack API objects, similar to using a username and password in the my.selectel.ru control panel. It allows you to manage project resources.
Token lifetime is 24 hours.
The token allows you to manage:
- dedicated servers;
- OpenStack API objects (cloud servers, network volumes, and others) using the 1 cloud platform projects and resources, project quotas and limits API; learn more in the OpenStack documentation;
- cloud platform — Managed Databases, Managed Kubernetes, Container Registry, secrets manager (secrets, certificates, Let's Encrypt® certificates);
- S3 (Swift API and Object Storage API);
- DNS hosting;
- Selectel email service;
- Cloud for 1C;
- audit logs.
Get a project IAM token
A project IAM token can be issued to service users that have a permission where:
- the Account scope is selected;
- or the Projects scope is selected and the required project is chosen.
If you are using Windows, replace single quotes ('') with double quotes ("") in your requests. We also recommend using PowerShell for requests instead of CMD.
- Perform the request:
curl -i -XPOST \
-H 'Content-Type: application/json' \
-d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"<username>","domain":{"name":"<account_id>"},"password":"<password>"}}},"scope":{"project":{"name":"<project_name>","domain":{"name":"<account_id>"}}}}}' \
'https://cloud.api.selcloud.ru/identity/v3/auth/tokens'
Specify:
<username>— service user name. You can find the name in the control panel: in the top menu, click IAM → Service Users section (the section is available only to the account owner and users with theiam.adminrole);<account_id>— account number. You can find it in the control panel in the upper-right corner;<password>— service user password; you can see it when creating a user or change it to a new one;<project_name>— project name.
Upon successful authentication, you will receive a 201 Created response in the following format:
HTTP/2 201
X-Subject-Token: token
- Check the
X-Subject-Tokenheader for the token.
Static token (X-Token)
An X-Token can only be issued to a user with access to the control panel.
The token is passed in the request header X-Token.
A static token (static_token) provides full access to manage all Selectel products, except for OpenStack API objects, similar to using a username and password in the my.selectel.ru control panel.
Token lifetime is unlimited.
For APIs that do not support account IAM tokens and project IAM tokens, the static token is the only method for:
Get a static token
- In the control panel, in the upper-right corner, open the menu (account number) and select Profile.
- Go to the Access section → API Keys tab.
- Click Add key.
- Enter the key name.
- Click Add.