About Your API Access Policy

Your API access policy provides you with additional security options and, in some use cases, simplifies authentication to the OUTSCALE services.

General Information

Your API access policy enables you to:

  • Require the use of expiration dates for your access keys.

  • Activate a trusted session to make multi-factor authentication (MFA) mandatory in Cockpit v2.

  • If you use API access rules with Certificate Authorities (CAs), activate a trusted session to simplify the authentication process.

    Like API access rules, a trusted session applies to all APIs as well as the interfaces and tools based on them, with the exception of the OUTSCALE Object Storage (OOS) API.

Maximum Possible Lifetime for Access Keys

By default, your access keys have infinite lifetimes and thus do not need to be renewed. To set the expiration date of an access key, see Creating an Access Key or Modifying an Access Key.

You can use your API access policy to make expiration dates mandatory, which increases the security of your account. For more information, see Managing Your API Access Policy.

Trusted Session

If you have defined Certificate Authorities (CAs) in your API access rules, you must systematically provide a certificate in each of your requests to OUTSCALE services. For more information about CAs and certificates, see About API Access Rules.

In that situation, however, you can use your API access policy to activate a trusted session via the RequireTrustedEnv parameter of the UpdateApiAccessPolicy method. A trusted session enables you to bypass the requirement of systematically providing a certificate. Instead, you only provide the certificate when activating the trusted session itself.

When using Cockpit v2 for the first time following the activation of Trusted Env, you must authenticate using the WebAuthn method. If you have not set up this authentication method beforehand, you will have to set it up upon first connection.

After this first connection, if you have also set up a one-time password (OTP), you may use either one of these authentication methods as long as the WebAuthn method is set up. For more information, see Setting Up MFA for Your Account Using WebAuthn or an OTP.

To activate a trusted session, you must meet the following requirements:

  • All your access keys must have expiration dates.

  • All your API access rules must specify a CA.

For more information, see Activating a Trusted Session.
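
A pre-flight check for the two requirements above, as an added example that is not part of the OUTSCALE documentation: it lists every access key without an expiration date and every API access rule without a CA. The field names (AccessKeyId, ExpirationDate, State, ApiAccessRuleId, CaIds, IpRanges) are assumed response shapes, and the sample records are constructed.

```python
# Added example: checks the two trusted-session requirements offline.
# Record layouts are assumptions; all sample values are constructed.

def trusted_session_blockers(access_keys, api_access_rules):
    """Return (kind, identifier, reason) tuples for every unmet requirement."""
    blockers = []
    # Requirement 1: ALL access keys must have an expiration date.
    # The requirement says "all", so inactive keys are checked too.
    for key in access_keys:
        if not key.get("ExpirationDate"):
            blockers.append(("access_key", key.get("AccessKeyId", "<unknown>"),
                             "no expiration date"))
    # Requirement 2: ALL API access rules must specify a CA.
    # A rule that only filters on IP ranges does not satisfy this.
    for rule in api_access_rules:
        if not rule.get("CaIds"):
            blockers.append(("api_access_rule",
                             rule.get("ApiAccessRuleId", "<unknown>"),
                             "no CA specified"))
    return blockers

# Constructed sample data (placeholder identifiers).
SAMPLE_KEYS = [
    {"AccessKeyId": "AKEXAMPLE0001", "State": "ACTIVE",
     "ExpirationDate": "2030-01-01T00:00:00.000+0000"},
    {"AccessKeyId": "AKEXAMPLE0002", "State": "ACTIVE"},
    {"AccessKeyId": "AKEXAMPLE0003", "State": "INACTIVE",
     "ExpirationDate": None},
]
SAMPLE_RULES = [
    {"ApiAccessRuleId": "aar-example01", "CaIds": ["ca-example01"],
     "IpRanges": []},
    {"ApiAccessRuleId": "aar-example02", "CaIds": [],
     "IpRanges": ["192.0.2.0/24"]},
    {"ApiAccessRuleId": "aar-example03", "IpRanges": ["198.51.100.7/32"]},
]

if __name__ == "__main__":
    found = trusted_session_blockers(SAMPLE_KEYS, SAMPLE_RULES)
    for kind, ident, reason in found:
        print(f"{kind} {ident}: {reason}")
    print("ready to activate" if not found else f"{len(found)} blocker(s)")
```
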

Scope of a Trusted Session

For security reasons, certain API methods are excluded from the scope of a trusted session. The table below presents the authentication factors required to perform actions:

| Actions | Required authentication with trusted session deactivated | Required authentication with trusted session activated |
|---|---|---|
| All methods except those managing access keys, CAs, API access rules, and the API access policy | By access keys (AND certificate if required by API access rules) | By access keys |
| Methods managing access keys, CAs, API access rules, and the API access policy | By access keys (AND certificate if required by API access rules), or by email/password (AND certificate if required by API access rules) | By access keys AND certificate, or by email/password AND certificate |

In addition to the above, a few methods are public methods that do not require authentication. These are marked by a green banner in the OUTSCALE API documentation.
