Using the SOAP API
Topics
WSDL and Schema Definitions
The Amazon EC2 web service can be accessed using the SOAP web services messaging protocol. This interface is described by a Web Services Description Language (WSDL) document which defines the operations and security model for the service. The WSDL references an XML Schema document which strictly defines the data types that might appear in SOAP requests and responses. For more information on WSDL and SOAP, see Web Services References.
All schemas have a version number (the latest is 2009-03-01). The version number appears in the URL of a schema file, and in a schema's target namespace. This makes upgrading easy by differentiating requests based on the version number.
Note | |
---|---|
In addition to the latest version, the service will support the older versions for some time, allowing customers plenty of time to upgrade. |
The Amazon EC2 services API WSDL is available from the web at 'http://ec2.amazonaws.com/doc/<version>/ec2.wsdl' where version is the version of the API. At the time this document was released, the current API version was 2009-03-01, which is available at http://ec2.amazonaws.com/doc/2009-03-01/AmazonEC2.wsdl
Programming Language Support in Amazon EC2
Since the SOAP requests and responses in the Amazon EC2 Web Service follow current standards, any programming language with the appropriate library support can be used. Languages known to have this support include C++, C#, Java, Perl, Python and Ruby.
Request Authentication
The Amazon EC2 web service requires all SOAP requests to be sent over HTTPS. In addition, the service complies with the current WS-Security standard, requiring SOAP request messages to be hashed and signed for integrity and non-repudiation. WS-Security defines profiles which are used to implement various levels of security. Amazon EC2 secure SOAP messages use the BinarySecurityToken profile, consisting of an X.509 certificate with an RSA public key.
The following is the content of an insecure RunInstances
operation:
<RunInstances xmlns="http://ec2.amazonaws.com/doc/2009-03-01/"> <instancesSet> <item> <imageId>ami-60a54009</imageId> <minCount>1</minCount> <maxCount>3</maxCount> </item> </instancesSet> <groupSet/> </RunInstances>
To secure the request, we add the BinarySecurityToken element. The Java libraries we supply rely on the Apache Axis project for XML security, canonicalization, and SOAP support. The Sun Java Web Service Developer's Pack supplies libraries of equivalent functionality.
The secure version of the request begins with the following:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP-ENV:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-1064304">....many, many lines of base64 encoded X.509 certificate...</wsse:BinarySecurityToken> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod> <ds:Reference URI="#id-17984263"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod> <ds:DigestValue>0pjZ1+TvgPf6uG7o+Yp3l2YdGZ4=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#id-15778003"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod> <ds:DigestValue>HhRbxBBmc2OO348f8nLNZyo4AOM=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>bmVx24Qom4kd9QQtclxWIlgLk4QsQBPaKESi79x479xgbO9PEStXMiHZuBAi9luuKdNTcfQ8UE/d jjHKZKEQRCOlLVy0Dn5ZL1RlMHsv+OzJzzvIJFTq3LQKNrzJzsNe</ds:SignatureValue> <ds:KeyInfo Id="KeyId-17007273"> <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-22438818"> <wsse:Reference URI="#CertId-1064304" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"> </wsse:Reference> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-17984263"> <wsu:Created>2006-06-09T10:57:35Z</wsu:Created> <wsu:Expires>2006-06-09T11:02:35Z</wsu:Expires> </wsu:Timestamp> </wsse:Security> </SOAP-ENV:Header>
If you are matching this against requests generated by Amazon EC2 supplied libraries, or those of another vendor, the following are the most important elements:
Elements
-
BinarySecurityToken—Contains the X.509 certificate in base64 encoded PEM format
-
Signature—Contains an XML digital signature created using the canonicalization, signature algorithm, and digest method
-
Timestamp—Requests to Amazon EC2 are valid within 5 minutes of this value to help prevent replay attacks
The Response Structure
In response to a request, the Amazon EC2 web service returns an XML data structure that conforms
to an XML schema defined as part of the Amazon EC2 WSDL. The
structure of a XML response is specific to the associated request. In general, the response data
types are named according to the operation performed and whether the data type is a container (can
have children). Examples of containers include groupSet
for security groups and
instancesSet
for instances. Item elements are children of containers and their
contents vary according to the container's role.
The following is an example response:
<RunInstancesResponse xmlns="http://ec2.amazonaws.com/doc/2009-03-01/"> <reservationId>r-47a5402e</reservationId> <ownerId>UYY3TLBUXIEON5NQVUUX6OMPWBZIQNFM</ownerId> <groupSet> <item> <groupId>default</groupId> </item> </groupSet> <instancesSet> <item> <instanceId>i-2ba64342</instanceId> <imageId>ami-60a54009</imageId> <instanceState> <code>0</code> <name>pending</name> </instanceState> <dnsName></dnsName> </item> <item> <instanceId>i-2bc64242</instanceId> <imageId>ami-60a54009</imageId> <instanceState> <code>0</code> <name>pending</name> </instanceState> <dnsName>ec2-67-202-51-176.compute-1.amazonaws.com </dnsName> </item> <item> <instanceId>i-2be64332</instanceId> <imageId>ami-60a54009</imageId> <instanceState> <code>0</code> <name>pending</name> </instanceState> <dnsName>ec2-67-202-51-122.compute-1.amazonaws.com</dnsName> <keyName>example-key-name</keyName> <instanceType>m1.small</instanceType> <launchTime>2007-08-07T11:54:42.000Z</launchTime> </item> </instancesSet> </RunInstancesResponse>