Cloud.com's EC2 API User's Guide

4/17/2010

Table of Contents


Part 1. Cloud.com's Specific Implementation Details

1. User Registration

To access Cloud.com's EC2 service via REST follow the instructions in Section 1.1. To access Cloud.com's EC2 service via SOAP follow instructions in both Section 1.1 and 1.2 below.

1.1 Setting Cloud.com API Keys

The EC2 service needs to be given the user's Cloud.com API access and secret keys [2] so that it can make Cloud.com API calls on the user's behalf. This is done by the following REST command. 
http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2?Action=SetUserKeys&accesskey=<key>&secretkey=<key>
SetUserKeys is an unauthorized REST call.
A HTTP 200 result code is returned on success and a 401 on failure.

1.2 Setting a User's X509 Certificate

EC2 uses WS-Security [4] for authentication on SOAP access. WS-Security signs the entire SOAP request using a public/private key pair. The user of Cloud.com's EC2 service must generate a public/private key pair with the public key defined in an X509 certificate. The private key is used by a SOAP client in generating the WS-Security signature of a SOAP request. The matching public key is stored on a server and is used to verify the signature on each request.

The following REST command must be used by a Cloud.com's EC2 service user to load their certificate into the service. No access via the SOAP API is possible until this step is performed. Also for this REST command to be successful the instructions in Section 1.1 must be performed first. 

http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2?Action=SetCertificate&AWSAccessKeyId=<Cloud.com API AccessKey>&cert=<pem encoded cert>
SetCertificate is an authenticated REST call using the same authentication scheme as all other EC2 REST calls. This means that the following standard EC2 REST paramters must also be part of the request: Signature, SignatureMethod, Version, SignatureVersion, and Expires [3].
A HTTP 200 result code is returned on success and a 404 on failure.

An example of a PEM encoded X509 Certificate is [5]: 

-----BEGIN CERTIFICATE-----
MIICdzCCAeCgAwIBAgIGAPCRHu3UMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNVBAYT
AlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNBV1MxITAfBgNVBAMT
GEFXUyBMaW1pdGVkLUFzc3VyYW5jZSBDQTAeFw0xMDA2MjMxODE4MTZaFw0xMTA2
MjMxODE4MTZaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMRcw
FQYDVQQLEw5BV1MtRGV2ZWxvcGVyczEVMBMGA1UEAxMMZWZieDQ0eXF1d3E2MIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCw+RO1QV7t5EbluyAAD11SoZ4ats5t
DBSta/QB3G9T0y3p2gURrYMDYVJ1BZmyel/DuMANx6UG6Vw+0o0SXOS3mH8Yu/lO
OOH9WxWiXulGMIrpPCiUpnWMrWhIlHu8mqLLhBx+5k4I92plMfH97BySunbv9zaf
ZRKXX3cXIYbUMwIDAQABo1cwVTAOBgNVHQ8BAf8EBAMCBaAwFgYDVR0lAQH/BAww
CgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUCzKwCQvocPYFki/9
NORZFTsjcZ8wDQYJKoZIhvcNAQEFBQADgYEAXmIe6+XsNHYIiLGQO6dh8nvHHzDw
3sltNa7z6BSdNr7WDxpJg9oFUcddQVca1LZsjsqx6dIc1WxQUjPE9oOfSYqQZuMD
/GOpWyXMb/oJ2MLI1Vp1ABKhHoHUJmPOrIou4UbCifMeD7MFZkezkKDqqH3jQMjA
4YDNkSWLnJ9xba8=
-----END CERTIFICATE-----

To remove a previously loaded certificate the user can simply execute the following REST command. 

http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2?Action=DeleteCertificate&AWSAccessKeyId=<Cloud.com API AccessKey>
where the same value for the 'AWSAccessKeyId' parameter as was used in a previous call to SetCertificate.
DeleteCertificate is an authenticated REST call using the same authentication scheme (and having all the same required parameters) as all other EC2 REST calls.
A HTTP 200 result code is returned on success and a 404 on failure.

2. Endpoints

For SOAP access the endpoint is: 
http://<fqdn-or-ip>:<port>/bridge/services/AmazonEC2
For REST access the endpoint is: 
http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2

3. Differences between Amazon's and Cloud.com's EC2 Implementations

EC2's RegisterImage Function

This function maps to the Cloud.com's API "registerTemplate" function [2]. However the registerTemplate function requires the following additional parameters that are not present in the RegisterImage function: 

format - the format for the template. Possible values include QCOW2, RAW, and VHD.

osTypeId - the ID of the OS Type that best represents the OS of this template.

zoneId - the ID of the zone the template is to be hosted on.
These parameters must be provided for a successful registerTemplate call and thus a RegsiterImage call. To accomidate these values we have redefined the "architecture" parameter defined for RegisterImage. The Amazon defined valid values are: "i386 | x86_64" and it is of type xsd:string. Neither of these defined values has any meaning in the context of the Cloud.com API. The new definition of the architecture field is a three part value of the form: "<format>:<zoneName>:<osTypeName>", where ":" is the field delimitor. A valid example would be: "VHD:ZONE1:Centos 4.5". Cloud.com's EC2 code translates the "zoneName" value into a valid zoneId, and the "osTypeName" value into a matching osTypeId. In addition, whereas the architecture field is optional in Amazon's definition of RegisterImage, it is required in Cloud.com's modified version.

Another difference for the RegisterImage function concerns the use of the "imageLocation" parameter. As defined by Amazon [3]: 

imageLocation - a full path to your AMI manifest in Amazon S3 storage.
As defined for Cloud.com's EC2 implementation: 
imageLocation - is a URL of where the template is hosted. Possible URL include http:// and https://

EC2's DescribeInstances Function

Only the following list of filters are currently supported: 

availability-zone
hypervisor
image-id
instance-id
instance-type
instance-state-code
instance-state-name
ip-address	
owner-id
root-device-name

EC2's DescribeVolumes Function

Only the following list of filters are currently supported: 

attachment.attach-time
attachment.device
attachment.instance-id
availability-zone
create-time
size
snapshot-id
status
volume-id

EC2's DescribeSnapshots Function

Only the following list of filters are currently supported: 

owner-alias
owner-id (here its the CloudStack API key)
snapshot-id
start-time
status
volume-id
volume-size

EC2's DescribeSecurityGroups Function

Only the following list of filters are currently supported: 

description
group-id
group-name
ip-permission.cidr
ip-permission.from-port
ip-permission.to-port
ip-permission.protocol
owner-id

4. Miscellaneous

The EC2 service provides a Cloud.com extension to obtain the release version of the EC2 software. 
http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2?Action=CloudEC2Version
CloudEC2Version is an unauthorized REST call.
An example of a valid response from this function is: 
<CloudEC2Version>1.01</CloudEC2Version>


Part 2. Generic EC2 Details

List of EC2 Functions Implemented

Refer to the Amazon EC2 documentation [3] for a description of each function. Also see Part1, section 3 above, for differences between Amazon's and Cloud.com's EC2 implementations. 
AllocateAddress
AssociateAddress
AttachVolume 
AuthorizeSecurityGroupIngress
CreateImage 
CreateSecurityGroup
CreateSnapshot
CreateVolume
DeleteSecurityGroup
DeleteSnapshot  
DeleteVolume   
DeregisterImage   
DescribeAvailabilityZones  
DescribeImageAttribute   
DescribeImages   
DescribeInstanceAttribute  
DescribeInstances  
DescribeSecurityGroups
DescribeSnapshots   
DescribeVolumes  
DetachVolume
DisassociateAddress  
ModifyImageAttribute  
RebootInstances   
ReleaseAddress
RegisterImage  
RevokeSecurityGroupIngress
ResetImageAttribute   
RunInstances  
StartInstances  
StopInstances  
TerminateInstances

Supported WSDL Version

http://ec2.amazonaws.com/doc/2010-08-31/
Amazon EC2 Command Line Tool used for testing was version 1.3-57419.


References

  1. Public-key cryptograph
  2. Cloud.com's Developer API
  3. Amazon's EC2 API
  4. WS-Security
  5. X.509 Certificates