About API Access Rules

API access rules allow you to secure your account by restricting the sources from which its API requests are accepted: requests that match no rule are rejected before they reach the API.

You can use API access rules to add a second authentication factor for your account, by requiring a client certificate in addition to your credentials. For more information, see Certificate Authorities (CAs) in the API Access Rule Criteria section.

General Information

API access rules are logical objects that control which requests from your account are accepted by the OUTSCALE API and the AWS-compliant APIs.

API access rules are whitelist-based: anything not explicitly allowed is denied. Requests are accepted only from the IP ranges defined in the API access rules of your account and, where a rule requires it, only when they carry a client certificate validated by one of the Certificate Authorities (CAs) registered in those rules. For more information, see API Access Rule Criteria.

  • You can use your API access policy to simplify the use of certificates to authenticate. For more information, see About Your API Access Policy.

  • API access rules do not apply to API requests that can be sent without authentication.

Scope

API access rules apply to all API-based requests on the OUTSCALE Cloud, including:

  • Web interfaces such as Cockpit and OUTSCALE Marketplace

  • CLIs such as OSC CLI or AWS CLI

  • Cloud tools such as Terraform

  • Scripts

API access rules are currently not compatible with the OUTSCALE Object Storage (OOS) service. This means that API-based requests to OOS are always allowed from your account.

Default Rules

By default, in all Regions except cloudgouv-eu-west-1, each account has the following API access rule:

  1. Global access is allowed (0.0.0.0/0).

Note that there is no need for a rule that is specific to Cockpit v2, because Cockpit v2 is a client-side application: its API requests originate from your browser, so they are covered by whichever rule allows your own IP.

In the cloudgouv-eu-west-1 Region, accounts have no default API access rules. You therefore need to create API access rules for all the IPs that need to access the API, either on account creation or by using the CreateApiAccessRule method. For more information, see Managing API Access Rules.

You can delete those rules using the DeleteApiAccessRule method. To retrieve their IDs, read the API access rules of your account (ReadApiAccessRules method) and filter on the following descriptions:

  1. Allows all IPv4 domain

  2. Allows Outscale Cockpit of this region

You cannot delete the last remaining API access rule of your account.

If you cannot access the APIs through the API access rules in place, you need to contact the Support team to regain access. For more information, see Technical Support. To avoid locking yourself out when tightening access, create the new, more restrictive rule first, confirm that you can still send authenticated requests from an allowed IP (and, if the rule requires one, with the expected certificate), and only then delete the permissive default rule.

API Access Rule Criteria

An API access rule is composed of one or more criteria. For each criterion, you can specify one or more values. The following criteria are available:

  • IPs: You can allow the access to IP ranges in CIDR notation. To define a specific IP, you can use the prefix /32.

  • Certificate Authorities (CAs): You can allow the access to X.509 certificates that are validated by CAs you have previously registered.

  • Common Names (CNs): You can allow access to specific Common Names of the client certificates issued by the CAs you have provided.

    For security reasons, API access rules cannot be based on CNs alone. A CN is only a string in the certificate subject, chosen by whoever issued the certificate, so it proves nothing unless the issuing CA is checked as well: CNs have to be paired with CAs.

To further increase the security of your account, we recommend diversifying your authentication factors. By default, certificates and credentials act as knowledge factors. Certificates can act as possession factors when stored on physical devices such as smart cards.

Accessing the APIs

To access the APIs, a request must validate at least one rule, however many rules are defined. The defined rules have no priority order. To validate an API access rule, a request must comply with all of its criteria. For a given criterion, the request only needs to match one of its specified values.

To increase the security of your account, we recommend combining criteria in a single rule rather than having several rules with fewer criteria. Because a request only needs to validate one rule, every additional rule widens access: two separate rules, one restricting IPs and one requiring a CA, let a request in on a matching IP alone, whereas a single rule with both criteria requires both.

The following examples present API access rules combining criteria with one or more values, and the resulting accesses. In the first two examples, the 92.152.49.220/30 range covers the four IPs 92.152.49.220 to 92.152.49.223.

Example 1

  Criteria:

  • IPs: [92.152.49.218/32, 92.152.49.220/30]

  • No defined CAs

  • No defined CNs

  Access allowed or denied:

  Requests from IPs included in the defined IP ranges can validate this rule, whether or not they present a certificate.

  • Requests from the 92.152.49.218 IP are allowed.

  • Requests from the 92.152.49.219 IP are denied.

  • Requests from the 92.152.49.221 IP are allowed.

  • Requests from the 92.152.49.221 IP and with a certificate validated by the ca-abcde CA are allowed.

  • Requests from the 92.152.49.224 IP and with a certificate validated by the ca-abcde CA are denied.

Example 2

  Criteria:

  • IPs: [92.152.49.218/32, 92.152.49.220/30]

  • CAs: [ca-abcde, ca-edcab]

  • No defined CNs

  Access allowed or denied:

  Requests from IPs included in the defined IP ranges and in possession of a certificate validated by one of the defined CAs can validate this rule.

  • Requests from the 92.152.49.218 IP and with no CA are denied.

  • Requests from the 92.152.49.224 IP and with a certificate validated by the ca-abcde CA are denied.

  • Requests from the 92.152.49.222 IP and with no CA are denied.

  • Requests from the 92.152.49.218 IP and with a certificate validated by the ca-abcde CA are allowed.

  • Requests from the 92.152.49.221 IP and with a certificate validated by the ca-edcab CA are allowed.

  • Requests from the 92.152.49.224 IP and with a certificate validated by the ca-ebcda CA are denied (neither the IP nor the CA matches).

Example 3

  Criteria:

  • IPs: [92.152.49.220/32]

  • CAs: [ca-abcde]

  • CNs: ["example.com"]

  Access allowed or denied:

  Only requests from the 92.152.49.220 IP, with a certificate validated by the ca-abcde CA and with the "example.com" CN can validate this rule.
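The evaluation order (any one rule; all criteria of that rule; any one value per criterion) is easy to get backwards when designing rules, so here is an added example, written for this page and not taken from OUTSCALE's implementation, that models it in Python and replays the example rules above. The Request and ApiAccessRule classes, the exact-string comparison of CA IDs and CNs, the sample requests, and the assumption that a rule may carry a CA criterion without an IP criterion are all assumptions made for the illustration; the only facts taken from the page are the rule logic, the CN-requires-CA constraint, and the example values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple


# Constructed model of an API request as rule evaluation sees it (assumption:
# the HTTP request body and signature are irrelevant to the access rules).
@dataclass(frozen=True)
class Request:
    ip: str                        # source IP of the request
    ca_id: Optional[str] = None    # ID of the CA that validated the client certificate, None if no certificate
    cn: Optional[str] = None       # Common Name of the client certificate, None if no certificate


# Constructed model of one API access rule. Each criterion is a list of
# accepted values; an empty list means "criterion not defined", which imposes
# no constraint (the page's "No defined CAs" / "No defined CNs").
@dataclass(frozen=True)
class ApiAccessRule:
    ip_ranges: Tuple[str, ...] = ()
    ca_ids: Tuple[str, ...] = ()
    cns: Tuple[str, ...] = ()

    def __post_init__(self) -> None:
        # Page constraint: CNs cannot be used alone, they must be paired with CAs.
        if self.cns and not self.ca_ids:
            raise ValueError("CNs must be paired with CAs")
        # Reject malformed CIDRs when the rule is defined, not when a request arrives.
        for cidr in self.ip_ranges:
            ipaddress.ip_network(cidr)


def _criterion_ok(values: Sequence[str], matches: Callable[[str], bool]) -> bool:
    """A criterion is satisfied if it is undefined (no values) or if the
    request matches at least ONE of its values (OR within a criterion)."""
    return not values or any(matches(v) for v in values)


def rule_allows(rule: ApiAccessRule, req: Request) -> bool:
    """ALL defined criteria of the rule must be satisfied (AND across criteria)."""
    addr = ipaddress.ip_address(req.ip)
    ip_ok = _criterion_ok(rule.ip_ranges, lambda cidr: addr in ipaddress.ip_network(cidr))
    # Assumption: CA IDs and CNs are compared by exact string match.
    ca_ok = _criterion_ok(rule.ca_ids, lambda ca: req.ca_id == ca)
    cn_ok = _criterion_ok(rule.cns, lambda cn: req.cn == cn)
    return ip_ok and ca_ok and cn_ok


def request_allowed(rules: Sequence[ApiAccessRule], req: Request) -> bool:
    """Rules have no priority order: validating ANY ONE rule is enough (OR across
    rules). An account with no rules at all accepts nothing."""
    return any(rule_allows(r, req) for r in rules)


# The three example rules from the table on this page.
RULE_IP_ONLY = ApiAccessRule(ip_ranges=("92.152.49.218/32", "92.152.49.220/30"))
RULE_IP_AND_CA = ApiAccessRule(ip_ranges=("92.152.49.218/32", "92.152.49.220/30"),
                               ca_ids=("ca-abcde", "ca-edcab"))
RULE_IP_CA_CN = ApiAccessRule(ip_ranges=("92.152.49.220/32",),
                              ca_ids=("ca-abcde",), cns=("example.com",))


def split_vs_combined(req: Request) -> Tuple[bool, bool]:
    """Why the page recommends one rule with several criteria over several rules
    with fewer criteria: an IP-only rule and a CA-only rule are OR-ed, so a
    matching IP alone gets in; the combined rule requires IP and CA together.
    Returns (allowed by the two split rules, allowed by the single combined rule)."""
    ip_rule = ApiAccessRule(ip_ranges=("92.152.49.218/32",))
    ca_rule = ApiAccessRule(ca_ids=("ca-abcde",))   # assumption: a CA-only rule is definable
    combined = ApiAccessRule(ip_ranges=("92.152.49.218/32",), ca_ids=("ca-abcde",))
    return request_allowed([ip_rule, ca_rule], req), request_allowed([combined], req)


if __name__ == "__main__":
    for req in (Request("92.152.49.218"), Request("92.152.49.219"),
                Request("92.152.49.224", ca_id="ca-abcde")):
        print(req.ip, req.ca_id, "-> IP-only rule:", rule_allows(RULE_IP_ONLY, req))
    print("IP alone, split rules vs combined rule:", split_vs_combined(Request("92.152.49.218")))
```

Running the block prints the Example 1 verdicts for three of the page's sample requests and then shows the split-versus-combined difference: from 92.152.49.218 with no certificate, the two split rules allow the request while the combined rule denies it.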

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.