Manage many accounts with one API client

Typically, an API client can access only the account it's created for. However, sometimes you need to support your own sub-customers. Most Akamai APIs that use EdgeGrid authentication let you pass in an accountSwitchKey query parameter to call an API from a different account. With this parameter, you can manage any account you normally have access to in Control Center.

Notes:

  • The Brand Protector, Case Management, DataStream 2, and SIEM Integration APIs don't support the accountSwitchKey.
  • The accountSwitchKey functionality isn't available when using a service account API client.

The accountSwitchKey parameter represents the specific accounts you want your call to apply to. If you have access to multiple account contexts, separate each account ID with a colon, like this: A-CCT1234:A-CCT5432.

Set up an API-managed client

To configure the accountSwitchKey, you need a special API client. This special client uses your Control Center roles and permissions, so you can use the APIs for the apps you have access to in Control Center.

If you want to change the group and role assignments for the API client, you need to use Identity and Access Management in Control Center. Depending on your level of access, you may need to contact an administrator to do it for you. The changes you make to your Control Center permissions cascade to the API client automatically and keep it in sync.

To set up this API client:

  1. Navigate to Identity and Access Management in Akamai Control Center, click Create API client, and choose to create an Advanced client.

  2. For Client options, select Let this client manage multiple accounts.

  3. Set the remainder of the permissions, and click Create API client.

  4. In the Accounts you can manage from this client section, search for the account name, and then copy the account switch key.

  5. In the Credentials section, download or copy and paste the credential information into an .edgerc file under a new [header].

    [my_managed_account]
    client_secret = C113nt53KR3TN6N90yVuAgICxIRwsObLi0E67/N8eRN=
    host = akab-h05tnam3wl42son7nktnlnnx-kbob3i3v.luna.akamaiapis.net
    access_token = akab-acc35t0k3nodujqunph3w7hzp7-gtm6ij
    client_token = akab-c113ntt0k3n4qtari252bfxxbsl-yvsdj
    

Add an account switch key

To see which accounts you can manage with your special API client, run the List your account switch keys operation on that client.

Alternatively, you can access your API client from Identity and Access Management in Control Center. For the special API client you've created, find the Accounts you can manage from this client section with the list of accounts and their switch keys.

When making an API call with your special API client, pass the accountSwitchKey query parameter in the request URL.

    python3 egcurl --eg-edgerc ~/.edgerc --eg-section my_managed_account --request GET \
        --url 'https://luna.akamaiapis.net/identity-management/v3/user-admin/groups?accountSwitchKey=A-CCT1234:A-CCT5432' \
        --header 'accept: application/json'

If you make an API call without passing a value for the accountSwitchKey parameter, the call applies to your API client's default account.

Work with multiple accounts

If you have multiple accounts, you can use the special API client's base set of credentials with different switch keys for each of the accounts you can manage.

When making an API call with your special API client's base set of credentials, just provide a different value for the accountSwitchKey parameter depending on which account you want to use.

    python3 egcurl --eg-edgerc ~/.edgerc --eg-section base_managed_credentials --request GET \
        --url 'https://luna.akamaiapis.net/identity-management/v3/user-admin/groups?accountSwitchKey=A-CCT9876:A-CCT7890' \
        --header 'accept: application/json'
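Because one set of credentials can reach several accounts, and a call with no switch key falls back to the client's default account, it helps to make the target account explicit in tooling. The following is an added example, not Akamai's code: a Python guard that only builds a request URL for a switch key on an operator-maintained allowlist. The function name, the aliases customer-a and customer-b, and the allowlist itself are hypothetical; the switch-key values are the samples used on this page.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed allowlist (assumption): alias -> switch key, as copied from the
# client's "Accounts you can manage from this client" section.
ALLOWED_SWITCH_KEYS = {
    "customer-a": "A-CCT1234:A-CCT5432",
    "customer-b": "A-CCT9876:A-CCT7890",
}


def with_account_switch_key(url, account_alias, allowed=ALLOWED_SWITCH_KEYS):
    """Return url with accountSwitchKey set to the key for account_alias.

    Raises KeyError for an alias that is not on the allowlist, and ValueError
    if the URL is not HTTPS or already carries a different accountSwitchKey.
    The caller therefore never silently hits the default or the wrong account.
    """
    key = allowed[account_alias]  # KeyError: not an account this client manages

    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to build a non-HTTPS API URL")

    query = parse_qsl(parts.query, keep_blank_values=True)
    existing = [v for k, v in query if k == "accountSwitchKey"]
    if any(v != key for v in existing):
        raise ValueError("URL already targets a different account")

    # Drop any duplicate of the parameter, then append exactly one copy.
    query = [(k, v) for k, v in query if k != "accountSwitchKey"]
    query.append(("accountSwitchKey", key))

    # safe=":" keeps the colon separator literal, as in the page's examples;
    # every other reserved character in a value is still percent-encoded.
    return urlunsplit(parts._replace(query=urlencode(query, safe=":")))


if __name__ == "__main__":
    base = "https://luna.akamaiapis.net/identity-management/v3/user-admin/groups"
    for alias in ALLOWED_SWITCH_KEYS:
        print(alias, "->", with_account_switch_key(base, alias))
```

The returned string can be passed as the --url value in the egcurl commands shown above.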

Note: If you'd like to find out how to use switch keys or set them up as environment variables using other tools, including Terraform and PowerShell, see their documentation for details.

Keep in mind

  • Credentials on this API client expire on the same schedule as your account's password rotation policy. You can't edit the expiration date on these credentials, but you can create new credentials once they expire.

  • The credentials or tokens work the same for SAML SSO users as they do for non-SAML SSO users.

  • Since the API client uses the same role assignments as the Control Center user it belongs to, you can track its activity just like you would for the Control Center user.

  • You can't change the owner of this API client.

  • This API client no longer works once the user's Control Center account is locked or disabled.