Regular security group
Initialization
Confirm Endpoint
Before using the SDK, read the developer guide section on Regular Security Group Access Domain to understand endpoint-related concepts. Baidu AI Cloud currently supports multiple regions. Please refer to the Region Selection Guide.
Currently supported regions are: "North China-Beijing," "South China-Guangzhou," "East China-Suzhou," "Hong Kong," "Central Finance-Wuhan," and "North China-Baoding." Corresponding details:
| Access region | Endpoint | Protocol |
|---|---|---|
| BJ | bcc.bj.baidubce.com | HTTP and HTTPS |
| GZ | bcc.gz.baidubce.com | HTTP and HTTPS |
| SU | bcc.su.baidubce.com | HTTP and HTTPS |
| HKG | bcc.hkg.baidubce.com | HTTP and HTTPS |
| FWH | bcc.fwh.baidubce.com | HTTP and HTTPS |
| BD | bcc.bd.baidubce.com | HTTP and HTTPS |
Retrieve access key
To use Baidu AI Cloud's regular security group, a valid AK (Access Key ID) and SK (Secret Access Key) are required for signature authentication. AK/SK are system-assigned strings used to identify users and validate access to the regular security group.
Your AK/SK information can be obtained and understood through the following steps:
Register a Baidu AI Cloud account
Create Sg client
The Sg client facilitates interaction with the regular security group service by providing developers with a range of methods.
Create Sg client with AK/SK
Users can refer to the following code to create Sg client to access regular security group with AK/SK:
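```go
package main

import (
	"fmt"

	"github.com/baidubce/bce-sdk-go/services/bcc"
)

func main() {
	// User's Access Key ID and Secret Access Key
	ACCESS_KEY_ID, SECRET_ACCESS_KEY := "<your-access-key-id>", "<your-secret-access-key>"
	// User-specified endpoint
	ENDPOINT := "<domain-name>"
	// Initialize the Sg client
	sgClient, err := bcc.NewClient(ACCESS_KEY_ID, SECRET_ACCESS_KEY, ENDPOINT)
	if err != nil {
		fmt.Println("create sg client failed:", err)
		return
	}
	_ = sgClient // call the security group APIs through sgClient
}
```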
In the code above, ACCESS_KEY_ID corresponds to “Access Key ID” in the console. SECRET_ACCESS_KEY corresponds to “Access Key Secret” in the console. Refer to the Guide - How to Retrieve AKSK. The third parameter ENDPOINT is a user-specified domain name. If left empty, the default domain name will be used as the Sg service address.
Note:
The endpoint parameter must be defined with the domain name of the specified region. For example, if the service is located in Beijing, the endpoint will be http://bcc.bj.baidubce.com.
Create Sg client with STS
Request STS Token
Using the STS mechanism, Sg allows temporary access authorization for third parties. STS (Security Token Service) is a temporary authorization service provided by Baidu AI Cloud. It issues access credentials with customized validity periods and permissions for third-party users, enabling them to call Baidu AI Cloud APIs or SDKs directly to access cloud resources.
To access a regular security group via STS, users must first use the STS client to request a certification string.
Create Sg client with STS Token
After acquiring the STS token, configure it in the Sg client to enable creation of an Sg client based on the STS token.
Code example
The GO SDK implements the STS service API. Below is a complete example for requesting an STS token and creating Sg client object:
```go
package main

import (
	"fmt"

	"github.com/baidubce/bce-sdk-go/auth"         // Import the authentication module
	"github.com/baidubce/bce-sdk-go/services/bcc" // Import the BCC service module
	"github.com/baidubce/bce-sdk-go/services/sts" // Import the STS service module
)

func main() {
	// Create a Client object for the STS service, using the default endpoint
	AK, SK := "<your-access-key-id>", "<your-secret-access-key>"
	stsClient, err := sts.NewClient(AK, SK)
	if err != nil {
		fmt.Println("create sts client object :", err)
		return
	}
	// Obtain a temporary authentication token with a validity period of 60 seconds and an empty ACL
	stsObj, err := stsClient.GetSessionToken(60, "")
	if err != nil {
		fmt.Println("get session token failed:", err)
		return
	}
	// Printed for demonstration only: these values are usable credentials until they expire, so keep them out of logs
	fmt.Println("GetSessionToken result:")
	fmt.Println(" accessKeyId:", stsObj.AccessKeyId)
	fmt.Println(" secretAccessKey:", stsObj.SecretAccessKey)
	fmt.Println(" sessionToken:", stsObj.SessionToken)
	fmt.Println(" createTime:", stsObj.CreateTime)
	fmt.Println(" expiration:", stsObj.Expiration)
	fmt.Println(" userId:", stsObj.UserId)
	// Create a BCC Client object using the requested temporary STS credentials and the Beijing endpoint
	sgClient, err := bcc.NewClient(stsObj.AccessKeyId, stsObj.SecretAccessKey, "bcc.bj.baidubce.com")
	if err != nil {
		fmt.Println("create bcc client failed:", err)
		return
	}
	// Build session credentials that carry the session token
	stsCredential, err := auth.NewSessionBceCredentials(
		stsObj.AccessKeyId,
		stsObj.SecretAccessKey,
		stsObj.SessionToken)
	if err != nil {
		fmt.Println("create sts credential object failed:", err)
		return
	}
	// Replace the client's credentials with the STS session credentials
	sgClient.Config.Credentials = stsCredential
}
```
Note: Currently, when configuring the Sg client using STS, regardless of the endpoint location of the regular security group service, the STS endpoint must be configured as http://sts.bj.baidubce.com. The above code adopts this default value when creating the STS Object.
Configure HTTPS protocol to access regular security group
Regular security group supports the HTTPS protocol. By specifying HTTPS in the endpoint when creating a Sg client object, users can access the regular security group service via HTTPS in the Sg GO SDK:
```go
// import "github.com/baidubce/bce-sdk-go/services/bcc"

ENDPOINT := "https://bcc.bj.baidubce.com" // Specify the use of HTTPS protocol
AK, SK := "<your-access-key-id>", "<your-secret-access-key>"
sgClient, _ := bcc.NewClient(AK, SK, ENDPOINT)
```
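For deployments that want to require HTTPS, the endpoint string can be checked before it is handed to `bcc.NewClient`. The following is an added example, not code from the SDK or from this page: `httpsEndpoint` and `sgHosts` are hypothetical names, the host list is copied from the endpoint table above, and only the Go standard library is used.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sgHosts holds the hosts from the endpoint table above.
var sgHosts = map[string]bool{
	"bcc.bj.baidubce.com": true, "bcc.gz.baidubce.com": true,
	"bcc.su.baidubce.com": true, "bcc.hkg.baidubce.com": true,
	"bcc.fwh.baidubce.com": true, "bcc.bd.baidubce.com": true,
}

// httpsEndpoint (hypothetical helper) normalises an endpoint to an https URL and
// rejects plain HTTP, unknown hosts, and anything beyond a bare host name.
func httpsEndpoint(raw string) (string, error) {
	s := strings.TrimSpace(raw)
	if !strings.Contains(s, "://") {
		s = "https://" + s // bare host name: pin the scheme explicitly
	}
	u, err := url.Parse(s)
	if err != nil {
		return "", fmt.Errorf("endpoint %q: %w", raw, err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("endpoint %q: scheme %q is not https", raw, u.Scheme)
	}
	if u.User != nil || u.Port() != "" || strings.Trim(u.Path, "/") != "" || u.RawQuery != "" {
		return "", fmt.Errorf("endpoint %q: only a host name is expected", raw)
	}
	host := strings.ToLower(u.Hostname())
	if !sgHosts[host] {
		return "", fmt.Errorf("endpoint %q: host is not in the region table", raw)
	}
	return "https://" + host, nil
}

func main() {
	// Constructed inputs: a bare host, a plain-HTTP URL, and a look-alike host.
	for _, e := range []string{"bcc.bj.baidubce.com", "http://bcc.bj.baidubce.com", "https://bcc.bj.baidubce.com.example.net"} {
		fmt.Println(httpsEndpoint(e))
	}
}
```

Pass the returned string as the third argument of `bcc.NewClient`, and treat an error as a configuration failure rather than falling back to the raw value.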
Configure Sg client
If users need to configure specific parameters for the Sg client, they can customize the configuration using the exported Config field of the Sg client object after its creation. This allows for configuring parameters such as proxy and maximum number of connections for the client.
Use a proxy
The following code snippet enables the client to access regular security group service using a proxy:
```go
// import "github.com/baidubce/bce-sdk-go/services/bcc"

// Create Sg client object
AK, SK := "<your-access-key-id>", "<your-secret-access-key>"
ENDPOINT := "bcc.bj.baidubce.com"
client, _ := bcc.NewClient(AK, SK, ENDPOINT)
// Use the local port 8080 for the proxy
client.Config.ProxyUrl = "127.0.0.1:8080"
```
Set network parameters
Users can configure network parameters using the following example code:
```go
// import "github.com/baidubce/bce-sdk-go/bce"
// import "github.com/baidubce/bce-sdk-go/services/bcc"

AK, SK := "<your-access-key-id>", "<your-secret-access-key>"
ENDPOINT := "bcc.bj.baidubce.com"
client, _ := bcc.NewClient(AK, SK, ENDPOINT)
// Configure to not retry, default: Back Off retry
client.Config.Retry = bce.NewNoRetryPolicy()
// Configure connection timeout to 30 seconds
client.Config.ConnectionTimeoutInMillis = 30 * 1000
```
Configure options for generating signature strings
```go
// import "github.com/baidubce/bce-sdk-go/services/bcc"

AK, SK := "<your-access-key-id>", "<your-secret-access-key>"
ENDPOINT := "bcc.bj.baidubce.com"
client, _ := bcc.NewClient(AK, SK, ENDPOINT)
// Configure the HTTP request header Host for signing
headersToSign := map[string]struct{}{"Host": struct{}{}}
client.Config.SignOption.HeadersToSign = headersToSign
// Configure the validity period of the signature to 30 seconds
client.Config.SignOption.ExpireSeconds = 30
```
Parameter description
When using the GO SDK to access regular security group, the Config field of the created Sg client object supports the following parameters, as shown in the table below:
| Config field | Type | Meaning |
|---|---|---|
| Endpoint | string | Domain name for service requests |
| ProxyUrl | string | The proxy address for client requests |
| Region | string | Region for resource requests |
| UserAgent | string | User name, HTTP request’s User-Agent header |
| Credentials | *auth.BceCredentials | Authentication object for requests, divided into regular AK/SK and STS |
| SignOption | *auth.SignOptions | Options for authentication string signing |
| Retry | RetryPolicy | Retry policy for connections |
| ConnectionTimeoutInMillis | int | Connection timeout, in milliseconds, defaulting to 20 minutes |
Description:
- The `Credentials` field is created using the `auth.NewBceCredentials` and `auth.NewSessionBceCredentials` functions. The former is used by default, while the latter is used for STS certification. For details, refer to Create Sg Client with STS.
- The `SignOption` field represents options when generating a signature string, as detailed in the table below:
| Name | Type | Meaning |
|---|---|---|
| HeadersToSign | map[string]struct{} | HTTP headers used when generating the signature string |
| Timestamp | int64 | Timestamp used in the generated signature string, defaulting to the value at the time of sending request |
| ExpireSeconds | int | Validity period of the signature string |
Among these options, `HeadersToSign` defaults to `Host`, `Content-Type`, `Content-Length` and `Content-MD5`; `Timestamp` is typically set to zero, which means the timestamp at the time the certification string is generated is used, and users generally should not set this field explicitly; `ExpireSeconds` defaults to 1,800 seconds (30 minutes).
- The `Retry` field specifies the retry policy, currently supporting two types: `NoRetryPolicy` and `BackOffRetryPolicy`. By default, the latter is used. This retry policy specifies the maximum number of retries, the maximum retry duration, and the retry base. The retry interval grows exponentially, with the retry base multiplied by 2 on each retry, until the maximum number of retries or the maximum retry duration is reached.
Regular security group management
Create regular security group
Function declaration
```go
func (c *Client) CreateSecurityGroup(args *api.CreateSecurityGroupArgs) (*api.CreateSecurityGroupResult, error)
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Gkmd207ou
Response value
Operation succeeded:
```json
{
  "securityGroupId": "g-nky7qeom"
}
```
Operation failed:
Throw an exception. For the exception list, refer to: https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to: example_create_securitygroup.go
Query regular security group list
Function declaration
```go
func (c *Client) ListSecurityGroup(queryArgs *api.ListSecurityGroupArgs) (*api.ListSecurityGroupResult, error)
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Okmd24kom
Response value
Operation succeeded:
```json
{
  "nextMarker": "",
  "marker": "",
  "maxKeys": 1000,
  "securityGroups": [
    {
      "desc": "",
      "id": "g-4NxWoxeq",
      "name": "common2",
      "vpcId": "vpc-9xuevtmc6u",
      "createdTime": "2019-09-24T08:25:59Z",
      "sgVersion": 0,
      "rules": [
        {
          "destGroupId": "",
          "destIp": "all",
          "direction": "egress",
          "ethertype": "IPv4",
          "portRange": "1-65535",
          "protocol": "all",
          "remark": "bae",
          "securityGroupId": "g-4NxWoxeq",
          "securityGroupRuleId": "r-gkv8yupumvx2",
          "createdTime": "2020-07-27T13:00:52Z",
          "updatedTime": "2020-07-27T13:00:52Z"
        }
      ],
      "tags": [
        {
          "tagKey": "tagKey",
          "tagValue": "tagValue"
        }
      ]
    }
  ],
  "isTruncated": false
}
```
Operation failed:
Throw an exception. For the exception list, refer to: https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_get_securitygrouplist.go
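A list response in this shape can be screened for ingress rules that are open to every source. The following is an added example, not code from the SDK or from this page: it parses a constructed JSON sample with the standard library only, `openIngress` is a hypothetical helper, the `sourceIp` field is the one shown in the detail response on this page, and treating `0.0.0.0/0` like the value `all` is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sgList keeps only the response fields this check needs.
type sgList struct {
	Groups []struct {
		ID    string `json:"id"`
		Rules []struct {
			ID        string `json:"securityGroupRuleId"`
			Direction string `json:"direction"`
			Protocol  string `json:"protocol"`
			PortRange string `json:"portRange"`
			SourceIP  string `json:"sourceIp"`
		} `json:"rules"`
	} `json:"securityGroups"`
}

// Constructed sample in the shape of the list response (IDs are placeholders, not real data).
const sampleList = `{"securityGroups":[
 {"id":"g-example1","rules":[
  {"securityGroupRuleId":"r-example1","direction":"ingress","protocol":"tcp","portRange":"443","sourceIp":"all"},
  {"securityGroupRuleId":"r-example2","direction":"ingress","protocol":"all","portRange":"1-65535","sourceIp":"all"},
  {"securityGroupRuleId":"r-example3","direction":"egress","protocol":"all","portRange":"1-65535","destIp":"all"}]},
 {"id":"g-example2","rules":[
  {"securityGroupRuleId":"r-example4","direction":"ingress","protocol":"tcp","portRange":"3306","sourceIp":"192.168.0.0/24"}]}]}`

// openIngress (hypothetical helper) returns "groupId/ruleId" for each ingress rule that
// admits any source on all protocols or the full port range; "0.0.0.0/0" is an assumed alias of "all".
func openIngress(raw []byte) ([]string, error) {
	var list sgList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var hits []string
	for _, g := range list.Groups {
		for _, r := range g.Rules {
			anySrc := r.SourceIP == "all" || r.SourceIP == "0.0.0.0/0"
			wide := r.Protocol == "all" || r.PortRange == "1-65535"
			if r.Direction == "ingress" && anySrc && wide {
				hits = append(hits, g.ID+"/"+r.ID)
			}
		}
	}
	return hits, nil
}
func main() { fmt.Println(openIngress([]byte(sampleList))) }
```

The single-port rule open to all sources is deliberately not reported; tighten the `wide` condition if any world-reachable port should be reviewed.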
Delete regular security group
Function declaration
```go
func (c *Client) DeleteSecurityGroup(securityGroupId string) error
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Dkmd22the
Response value
Operation succeeded:
```json
{}
```
Operation failed:
Throw an exception. For the exception list, refer to: https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to: example_delete_securitygroup.go
Authorize regular security group rules
```go
func (c *Client) AuthorizeSecurityGroupRule(securityGroupId string, args *api.AuthorizeSecurityGroupArgs) error
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Mkmd2b0na
Response value
Operation succeeded:
```json
{}
```
Operation failed:
Throw an exception. For the exception list, refer to: https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_authorize_securitygrouprule.go
Update regular security group rules
```go
func (c *Client) UpdateSecurityGroupRule(args *api.UpdateSecurityGroupRuleArgs) error
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Hkmd2fk5t
Response value
Operation succeeded:
```json
{}
```
Operation failed:
Throw an exception. For the exception list, refer to: https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_update_securitygrouprule.go
Revoke regular security group rules
```go
func (c *Client) RevokeSecurityGroupRule(securityGroupId string, args *api.RevokeSecurityGroupArgs) error
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/jkmd281hj
Response value
Operation succeeded:
```json
{}
```
Operation failed:
Throw an exception. For the exception list, refer to: https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_revoke_securitygrouprule.go
Delete regular security group rules
```go
func (c *Client) DeleteSecurityGroupRule(args *api.DeleteSecurityGroupRuleArgs) error
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/0kmd2duok
Response value
Operation succeeded:
```json
{}
```
Operation failed:
Throw an exception. For the exception list, refer to: https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_delete_securitygrouprule.go
Query details of a regular security group
```go
func (c *Client) GetSecurityGroupDetail(securityGroupId string) (*api.GetSecurityGroupDetailResult, error)
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/4m20c3qkh
Response value
Operation succeeded:
```json
{
  "id": "g-hwvydg4q1xc6",
  "name": "default security group",
  "vpcId": "vpc-e333ceph7axf",
  "desc": "default",
  "createdTime": "2024-09-19T07:43:46Z",
  "sgVersion": 0,
  "bindInstanceNum": 1,
  "rules": [
    {
      "remark": "",
      "direction": "ingress",
      "ethertype": "IPv4",
      "portRange": "1-65535",
      "securityGroupUuid": "",
      "sourceIp": "all",
      "destGroupId": "",
      "destIp": "",
      "securityGroupId": "g-hwvydg4q1xc6",
      "securityGroupRuleId": "r-kkd0nr2v1hva",
      "createdTime": "2024-09-19T07:43:46Z",
      "updatedTime": "2024-09-19T07:43:46Z",
      "protocol": "all"
    }
  ],
  "tags": [
  ]
}
```
Operation failed:
Throw an exception. For the exception list, refer to: https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_get_securitygroupdetail.go
