Sub Account overview

Available in Classic and VPC

Sub Account is a NAVER Cloud Platform service that provides sub accounts to enable multiple users to use and manage the same resources. The Sub Account service provides APIs for sub accounts, groups, policies, roles, and external access in the form of RESTful.

Common Sub Account settings

The following describes commonly used request and response formats in Sub Account APIs.

Request

The following describes the common request format.

API URL

The request API URL is as follows.

Sub accounts, groups, policies, roles: https://subaccount.apigw.ntruss.com
External access permissions: https://externalaccess.apigw.ntruss.com

Request headers

The following describes the headers.

Field	Required	Description
`x-ncp-apigw-timestamp`	Required	This is the number of milliseconds that have elapsed since January 1, 1970 00:00:00 UTC Request is considered invalid if the timestamp differs from the current time by more than 5 minutes Unix timestamp format
`x-ncp-iam-access-key`	Required	Access key issued on NAVER Cloud Platform Issue and check access key: See Create authentication key Issue and check access key for sub account: See Create sub account
`x-ncp-apigw-signature-v2`	Required	Base64-encoded signature that encrypts the request information with a secret key that maps to the access key issued on NAVER Cloud Platform, using the HMAC encryption algorithm (HmacSHA256) Issue and check secret key: See Create authentication key Create signature: See Create signature
`Accept`	Optional	Response data format `application/json`
`Content-type`	Optional	Request data format `application/json`

Response

The following describes the common response format.

Response data type

The following describes the common response date types.

ProcessResult
ProcessResult defines the API processing result. The following describes ProcessResult.

Field	Type	Required	Description
`success`	Boolean	Required	API processing result `true` \| `false` `true`: succeeded `false`: failed
`id`	String	Optional	Creation/modification result ID Use in creation, multiple addition/deletion APIs
`message`	String	Optional	API processing result message

The following is a sample syntax and response of ProcessResult.

Syntax

ProcessResult {
  Boolean success;
  String id;
  String message;
}

Examples
```
{
  "id": "",
  "success": true
}
```

ErrorResponse
ErrorResponse defines the details of a failure when an API call fails. The following describes ErrorResponse.

Field	Type	Required	Description
errorCode	Integer	Required	Required
message	String	Required	String

The following is a sample syntax and response of ErrorResponse.

Syntax

ErrorResponse {
  int errorCode;
  String message;
}

Examples

{
  "errorCode": 9011,
  "message": "The role name already exists."
}

Response status codes

The following describes the response status codes.

HTTP status code	Code	Message	Description
200	-	Maximum limit exceeded.	Maximum allowable value exceeded
400	120	Duplicate ID. Please enter a different ID.	Duplicate ID entered
400	30	Invalid subAccountId.	Non-existent sub account ID entered
400	30	The groupNo is invalid.	Non-existent group ID entered
400	400	Request format is not json	Input value format error
400	400	sessionExpirationDays is required, Request format is not json	Parameter input error
400	400	A maximum of 100 IP bands can be access restricted.	Maximum number of IP bands available exceeded Maximum number of IP bands for console access restriction is 100
400	400	Enter the role name: [roleName].	Role name missing Enter 3-100 characters
400	400	Enter a role name between 3 and 100 characters. : [roleName]	Role name character count error
400	400	Specify the role type: [roleType].	Role type input error Specify role type
400	400	Invalid role type.	Role type input error Specify allowed role type
400	400	isMyAccount is missing. : [isMyAccount]	`isMyAccount` parameter missing
400	9001	Enter the account name.	Account name missing or error
400	9001	Enter the login ID.	Login ID input required
400	9002	When the role type is Server, the session expiration time is not allowed.	Parameter input error Role type for which the session expiration time cannot be specified
400	9002	The session expiration time can only be set to [600, 1800, 3600, 10800] seconds.	Session expiration time input error
400	9010	Letters, numbers, and special characters ".", "_", and "-" are allowed, and you must enter a string that starts with a letter and is between 3 and 100 characters long.	Input value error 3-100 characters, including English letters, numbers, and special characters
400	9010	English lowercase letters and numbers are allowed. Enter between 3 and 20 characters.	URL format error 3-20 characters, English lowercase letters and numbers allowed
400	9011	The role name already exists.	Role name already in use entered
400	9015	Unsafe password.	Unavailable password entered
400	904	Invalid API key.	Non-existent access key entered
401	30	Invalid subAccountId.	Non-existent sub account ID entered
404	30	Invalid idNo.	Non-existent sub account ID entered
404	30	Invalid roleNo.	Non-existent role ID entered
404	404	This policy isn't registered.	Non-existent policy ID entered
404	910	There is an entity that does not match the role.	Application subject not matching role type
409	9012	The number of entities that can be registered in the target role has been exceeded.	Role application target exceeds the allowed number
409	9012	Maximum limit exceeded.	Maximum allowable value exceeded
500	500	Internal Server Error	Internal server error

Note

For response status codes common to NAVER Cloud Platform, see Ncloud API response status codes.

Sub Account API

The following describes the APIs provided by the Sub Account service.

Sub account

The following describes the sub account-related APIs.

API	Description
Get sub account list	Get sub account list
Get sub account	Get single sub account details
Create Sub Accounts	Create Sub Accounts
Edit sub account	Edit sub account information
Delete sub account	Delete sub account
Get access key	Get sub account access key
Create access key	Create sub account access key
Delete access key	Delete sub account access key
Set access key status	Enable or disable sub account access key
Get login access key	Get login access key used for sub account login address
Set login access key	Set login access key used for sub account login address
Check login ID	Check sub account login ID validity and duplication
Check login password	Check sub account login password validity and complexity
Get idle session expiration time	Get sub account idle session expiration time
Set idle session expiration time	Set sub account idle session expiration time
Get login password expiration date	Get sub account login password expiration date (change cycle)
Set login password expiration date	Set sub account login password expiration date (change cycle)
Reset login password	Edit sub account login password
Assign policy	Assign policy to sub account
Delete policy	Delete policy assigned to sub account
Add group	Add sub account to group
Delete group	Delete sub account from group
Get console access rule	Get sub account console access rule
Edit console access rule	Edit sub account console access rule
Get API access rule	Get sub account API access rule
Edit API access rule	Edit sub account API access rule
Get two-factor authentication information	Get sub account two-factor authentication information
Get tag	Get tag added to sub account
Add tag	Add tag to sub account
Delete tag	Delete tag added to sub account
Get user information	Get information of authorized sub account users
Get user ID	Get sub account ID

Group

The following describes the group-related APIs.

API	Description
Get group list	Get group list
Get group	Get single group details
Create group	Create group
Edit group	Edit group information
Delete group	Delete group
Add sub account	Add sub account to group
Delete sub account	Delete sub account from group
Assign policy	Assign policy to group
Delete policy	Delete policy assigned to group
Get tag	Get tag added to group
Add tag	Add tag to group
Delete tag	Delete tag added to group

Policy

The following describes the policy-related APIs.

API	Description
Get policy list	Get policy list
Get policy	Get single policy details
Check policy validity	Check validity of User Created policy
Create policy	Create User Created policy
Modify policy	Edit User Created policy information
Delete policy list	Bulk delete 2 or more User Created policies
Delete policy	Delete User Created policy
Get policy-assigned resource	Get resources assigned with policies (sub accounts, groups, roles)
Get tag	Get tag added to User Created policy
Add tag	Add tag to User Created policy
Delete tag	Delete tag added to User Created policy

Role

The following describes the role-related APIs.

API	Description
Get role list	Get role list
Get role	Get single role details
Create role	Create role
Edit role	Edit role information
Delete role	Delete role
Assign policy	Assign policy to role
Delete policy	Delete policy assigned to role
Get role (Account) application target	Get account role application target
Add role (Account) application target	Add account role application target
Delete role (Account) application target	Delete account role application target
Add role (Server, Service) application target	Add server and service role application target
Delete role (Server, Service) application target	Delete server and service role application target
Set role list status	Bulk enable or disable two or more roles
Set role status	Enable or disable role
Get tag	Get tag added to role
Add tag	Add tag to role
Delete tag	Delete tag added to role
Get switchable role	Get role that can be switched from a sub account
Register switchable role	Register role that can be switched from a sub account
Edit switchable role	Edit information of role that can be switched from a sub account
Delete switchable role	Delete role that can be switched from a sub account

External Access

The following describes the external access-related APIs.

API	Description
Get trust anchor list	Get trust anchor list
Get trust anchor	Get single trust anchor details
Create trust anchor	Create trust anchor
Edit trust anchor	Edit trust anchor information
Enable trust anchor	Enable trust anchor status
Disable trust anchor	Disable trust anchor status
Delete trust anchor	Delete trust anchor
Get profile list	Get profile list
Get profile	Get single profile details
Create profile	Create profile
Edit profile	Edit profile information
Enable profile	Enable profile status
Disable profile	Disable profile status
Delete profile	Delete profile
Get subject list	Get subject list
Get subject	Get single subject details
Get subject activity list	Get subject activity list (detailed usage history of certificates with the same subject)
Get CRL list	Get certificate revocation list (CRL) list
Get CRL	Get single certificate revocation list (CRL) details
Create CRL	Create certificate revocation list (CRL)
Edit CRL	Edit certificate revocation list (CRL) information
Enable CRL	Enable certificate revocation list (CRL)
Disable CRL	Disable certificate revocation list (CRL)
Delete CRL	Delete certificate revocation list (CRL)

Sub Account related resources

NAVER Cloud Platform provides a variety of related resources to help users better understand Sub Account APIs.

Sub Account API guides
- Create signature: how to create a signature to add to the request header
- API Gateway User Guide: how to issue the API key to be added to the request header
- Common Ncloud response status codes: information on common response status codes of NAVER Cloud Platform used by the Sub Account service
How to use the Sub Account service
- Sub Account User Guide: how to use Sub Account in the NAVER Cloud Platform console
- Ncloud use environment guide: guide for VPC and Classic environments and support availability
- Introduction to pricing, characteristics, and detailed features: the summary of pricing system, characteristics, and detailed features of Sub Account
- Latest service news: the latest news on the Sub Account service
- FAQ: frequently asked questions from the Sub Account service users
- Contact us: Send direct inquiries for unresolved questions that aren't answered by the API guide.