cloudstack-dev mailing list archives

From Prachi Damle
Subject RE: AWS EC2 Compatibility Interface
Date Tue, 04 Feb 2014 19:08:36 GMT
Hi Ian,

For EC2 REST authentication you do not need to use the script cloudstack-aws-api-register
- the script is useful for SOAP only to register the certificate.
For REST you just need the keys that you can obtain by logging in to CloudStack UI as a root
admin and generate the signature for the API call as you have mentioned.

This will provide some information on how to make the call using Boto and other tools


-----Original Message-----
From: Ian Duffy
Sent: Monday, February 03, 2014 10:55 PM
To: CloudStack Dev
Cc: Sebastien Goasguen
Subject: AWS EC2 Compatibility Interface

Hi Guys,

Question for you about the authentication of users using the EC2 REST Servlet exposed by the

From what I understand, an EC2 REST client will make a request to the servlet with their CloudStack
API key, an HMAC signature for the EC2 request and other parameters such as the action, a timestamp,
possible action parameters etc. Since the CloudStack API uses different parameters we cannot
reuse the signature, introducing the requirement for the one-time AWS API User Registration.

From briefly looking at the EC2 Compatibility Interface layer I understand the flow to be
as follows:

1) Get all the parameters for the EC2 API request.
2) Look up the user's API key in the compatibility interface layer database to get their secret
3) Verify the signature by attempting to re-encode the parameters, excluding the signature, using
the API key and the secret key; if it passes, continue to process the request.

Is this correct or am I missing something?

As a personal preference, do you prefer hitting the API call SetUserKeys or using the script
cloudstack-aws-api-register to register users within the database?

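The verification flow in steps 1) to 3) of the original question, sketched as an added example that is not part of the thread and is not CloudStack's own code. It assumes the request is signed with AWS Signature Version 2 using HmacSHA256; the key table, host, path and 15-minute replay window are constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Constructed values: key table (API key -> secret key), endpoint, replay window.
KEY_STORE = {"EXAMPLE-API-KEY": "EXAMPLE-SECRET-KEY"}
HOST, PATH = "ec2.example.test", "/"
MAX_SKEW = timedelta(minutes=15)

def string_to_sign(method, host, path, params):
    """Signature Version 2 canonical string: parameters sorted by name, RFC 3986 encoded."""
    def enc(value):
        return quote(str(value), safe="-_.~")
    query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    return f"{method}\n{host.lower()}\n{path}\n{query}"

def sign(secret, method, host, path, params):
    msg = string_to_sign(method, host, path, params).encode()
    return base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha256).digest()).decode()

def verify(method, host, path, params, now=None):
    """Collect the parameters, look up the secret, recompute the signature, compare."""
    params = dict(params)
    supplied = params.pop("Signature", None)  # the signature itself is never signed
    secret = KEY_STORE.get(params.get("AWSAccessKeyId", ""))
    if supplied is None or secret is None:
        return False
    try:
        ts = datetime.strptime(params["Timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        return False
    now = now or datetime.now(timezone.utc)
    if abs(now - ts.replace(tzinfo=timezone.utc)) > MAX_SKEW:
        return False  # stale or future-dated request: reject as a possible replay
    expected = sign(secret, method, host, path, params)
    # Constant-time comparison on bytes, so a non-ASCII signature cannot raise.
    return hmac.compare_digest(expected.encode(), supplied.encode())

def sample_request():
    """Constructed client request, signed the way a REST client would sign it."""
    params = {"Action": "DescribeInstances", "AWSAccessKeyId": "EXAMPLE-API-KEY",
              "SignatureMethod": "HmacSHA256", "SignatureVersion": "2",
              "Timestamp": "2014-02-04T19:00:00Z"}
    params["Signature"] = sign(KEY_STORE["EXAMPLE-API-KEY"], "GET", HOST, PATH, params)
    return params
```

Because the action and every other parameter are inside the signed string, changing any of them after signing makes the recomputed signature differ and the request is rejected.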