About API Access Rules
API access rules allow you to secure your account by defining its access to the APIs.
You can use API access rules to set a second authentication factor for your account. For more information, see Certificate Authorities (CAs) in the API Access Rule Criteria section.
General Information
API access rules are logical objects that allow you to send requests through the OUTSCALE API and the AWS-compliant APIs from your account.
API access rules are whitelist-based: a request is accepted only if it matches a rule, and everything else is denied. You can only send requests from the specific IP ranges and, where a rule requires it, with certificates validated by the Certificate Authorities (CAs) that are defined in the API access rules of your account. For more information, see API Access Rule Criteria.
Scope
API access rules apply to all API-based requests on the OUTSCALE Cloud, including:
- Web interfaces such as Cockpit and OUTSCALE Marketplace
- CLIs such as OSC CLI or AWS CLI
- Cloud tools such as Terraform
- Scripts
API access rules are currently not compatible with the OUTSCALE Object Storage (OOS) service. This means that API-based requests to OOS are always allowed from your account.
Default Rules
By default, in all Regions except cloudgouv-eu-west-1, each account has the following API access rule:
- Global access is allowed (0.0.0.0/0).
Note that there is no need for a rule that is specific to Cockpit v2, because Cockpit v2 is a client-side application which relies on your own IP.
In the cloudgouv-eu-west-1 Region, accounts have no default API access rules. You therefore need to create API access rules for all the IPs that need to access the API, either on account creation or by using the CreateApiAccessRule method. For more information, see Managing API Access Rules.
You can delete those rules using the DeleteApiAccessRule method. To retrieve their IDs, filter the following descriptions:
- Allows all IPv4 domain
- Allows Outscale Cockpit of this region
You cannot delete the last remaining API access rule of your account. If you cannot access the APIs through the API access rules in place, you need to contact the Support team to regain access. For more information, see Technical Support.
API Access Rule Criteria
An API access rule is composed of one or more criteria. For each criterion, you can specify one or more values. The following criteria are available:
- IPs: You can allow the access to IP ranges in CIDR notation. To define a specific IP, you can use the prefix /32.
- Certificate Authorities (CAs): You can allow the access to X.509 certificates that are validated by CAs you have previously registered.
- Common Names (CNs): You can allow access to CNs of the CAs you have provided.
For security reasons, API access rules cannot be based on CNs alone. CNs have to be paired with CAs.
To further increase the security of your account, we recommend diversifying your authentication factors. By default, certificates and credentials act as knowledge factors. Certificates can act as possession factors when stored on physical devices such as smart cards.
Accessing the APIs
To access the APIs, you need to validate only one rule, regardless of how many rules are defined. The defined rules have no priority order. To validate an API access rule, you must comply with all of its criteria. For a given criterion, you only need to comply with one of its specified values.
To increase the security of your account, we recommend combining criteria in a single rule rather than having several rules with fewer criteria.
The following table presents examples of API access rules combining criteria with one or more values and the resulting accesses:
Criteria | Access allowed or denied
---|---
One IP range | Requests from IPs included in the defined IP range can validate this rule.
One IP range and one or more CAs | Requests from IPs included in the defined IP range and in possession of a certificate validated by one of the defined CAs can validate this rule.
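The evaluation logic described in Accessing the APIs and illustrated in the table above, as an added example that is not part of the original page and not OUTSCALE's own implementation: rules are tried without priority and any one match is enough, all criteria within a rule must be met, and one matching value per criterion suffices. It also enforces the constraint that CNs cannot be used without CAs, and shows why one rule combining an IP range and a CA is stricter than two separate rules. The `ApiAccessRule` and `ApiRequest` classes, the CA ID `ca-placeholder-1` and the IP ranges are constructed placeholders, not real account data or API fields.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class ApiAccessRule:
    """One API access rule (constructed model). Every criterion that carries values
    must be met (AND); within a criterion, matching any one value is enough (OR).
    An empty list means the criterion is not part of the rule."""
    description: str
    ip_ranges: List[str] = field(default_factory=list)  # CIDR notation, e.g. "203.0.113.0/24"
    ca_ids: List[str] = field(default_factory=list)     # placeholder IDs of CAs registered on the account
    cns: List[str] = field(default_factory=list)        # Common Names; only allowed together with CAs


@dataclass
class ApiRequest:
    """What the API front end knows about an incoming request (constructed model)."""
    source_ip: str
    ca_id: Optional[str] = None  # CA that validated the client certificate, if one was presented
    cn: Optional[str] = None     # Common Name of that certificate, if any


def validate_rule(rule: ApiAccessRule) -> List[str]:
    """Return the problems that make a rule unacceptable (an empty list means it is valid)."""
    problems = []
    if not (rule.ip_ranges or rule.ca_ids or rule.cns):
        problems.append("a rule needs at least one criterion")
    if rule.cns and not rule.ca_ids:
        # CNs cannot be used alone: they have to be paired with CAs.
        problems.append("CNs must be paired with CAs")
    for cidr in rule.ip_ranges:
        try:
            ip_network(cidr)  # strict: host bits set in the prefix are rejected
        except ValueError:
            problems.append(f"invalid CIDR range: {cidr}")
    return problems


def rule_allows(rule: ApiAccessRule, req: ApiRequest) -> bool:
    """AND across the rule's criteria, OR across each criterion's values."""
    if rule.ip_ranges:
        addr = ip_address(req.source_ip)
        if not any(addr in ip_network(c, strict=False) for c in rule.ip_ranges):
            return False
    if rule.ca_ids and req.ca_id not in rule.ca_ids:
        return False
    if rule.cns and req.cn not in rule.cns:
        return False
    return True


def request_allowed(rules: List[ApiAccessRule], req: ApiRequest) -> bool:
    """Rules have no priority order: validating any single rule is enough (whitelist)."""
    return any(rule_allows(r, req) for r in rules)


# Constructed sample rules; the CA ID and the IP ranges are placeholders.
RULE_OFFICE_IPS = ApiAccessRule("Office range only", ip_ranges=["203.0.113.0/24"])
RULE_ADMIN_HOST = ApiAccessRule(
    "Admin host with a client certificate",
    ip_ranges=["198.51.100.10/32"],  # a single IP uses the /32 prefix
    ca_ids=["ca-placeholder-1"],
)
# Same criteria, once combined in one rule and once split over two rules.
COMBINED_RULE = ApiAccessRule("IP range and CA in one rule",
                              ip_ranges=["203.0.113.0/24"], ca_ids=["ca-placeholder-1"])
SEPARATE_RULES = [ApiAccessRule("IP range only", ip_ranges=["203.0.113.0/24"]),
                  ApiAccessRule("CA only", ca_ids=["ca-placeholder-1"])]

if __name__ == "__main__":
    rules = [RULE_OFFICE_IPS, RULE_ADMIN_HOST]
    for req in (ApiRequest("203.0.113.7"),
                ApiRequest("198.51.100.10"),
                ApiRequest("198.51.100.10", ca_id="ca-placeholder-1")):
        print(req, "->", "allowed" if request_allowed(rules, req) else "denied")
    # The IP alone gets through the two separate rules but not the combined rule.
    probe = ApiRequest("203.0.113.7")
    print("separate rules:", request_allowed(SEPARATE_RULES, probe))
    print("combined rule: ", request_allowed([COMBINED_RULE], probe))
```

The split-versus-combined comparison at the end is the practical point behind the recommendation above: with a separate IP-only rule in place, a request from the right address passes without any certificate, whereas the combined rule demands both factors.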
Related Pages
Corresponding API Methods
AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.