Managing Your API Access Policy

You can manage the API access policy of your account to define a maximum possible lifetime that will apply to all your access keys. In that case, each of your access keys must imperatively have an expiration date, and none of the lifetimes can exceed the value of the maximum possible lifetime.

The limit allowed for the maximum possible lifetime is 3153600000 seconds (100 years).

Managing Your API Access Policy Using OSC CLI

Getting Information About Your API Access Policy

The ReadApiAccessPolicy command gets information about the API access policy of your account.

For more information, see About Your API Access Policy.

Request sample: Example with access key/secret key authentication
$ osc-cli api ReadApiAccessPolicy --profile "default"
Request sample: Example with login/password authentication
$ osc-cli api ReadApiAccessPolicy --profile "default" --authentication-method "password" --login "$OSC_EMAIL" --password "$OSC_PASSWORD"

This command contains the following attributes that you need to specify:

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

The ReadApiAccessPolicy command returns the following elements:

  • ApiAccessPolicy: Information about the API access policy.

  • ResponseContext: Information about the context of the response.

Result sample
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": false,
    "MaxAccessKeyExpirationSeconds": 0
  }
}

Modifying Your API Access Policy

The UpdateApiAccessPolicy command updates the API access policy of your account.

Only one API access policy can be associated with your account.

Request sample: Require expiration dates of maximum 1 year
$ osc-cli api UpdateApiAccessPolicy --profile "default" \
    --MaxAccessKeyExpirationSeconds 31536000 \
    --RequireTrustedEnv False
Request sample: Require expiration dates of maximum 100 years and activate a trusted session
$ osc-cli api UpdateApiAccessPolicy --profile "default" \
    --MaxAccessKeyExpirationSeconds 3153600000 \
    --RequireTrustedEnv True
Request sample: Do not require expiration dates and deactivate a trusted session
$ osc-cli api UpdateApiAccessPolicy --profile "default" \
    --MaxAccessKeyExpirationSeconds 0 \
    --RequireTrustedEnv False
Request sample: Example with login/password authentication
$ osc-cli api UpdateApiAccessPolicy --profile "default" --authentication-method "password" --login "$OSC_EMAIL" --password "$OSC_PASSWORD" \
    --MaxAccessKeyExpirationSeconds 0 \
    --RequireTrustedEnv False

This command contains the following attributes that you need to specify:

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

  • MaxAccessKeyExpirationSeconds: The maximum possible lifetime for your access keys, in seconds (between 0 and 3153600000, both included). If set to O, your access keys can have unlimited lifetimes, but a trusted session cannot be activated. Otherwise, all your access keys must have an expiration date. This value must be greater than the remaining lifetime of each access key of your account.

  • RequireTrustedEnv: If true, a trusted session is activated, provided that you specify the MaxAccessKeyExpirationSeconds parameter with a value greater than 0.
    Enabling this will require you and all your users to log in to Cockpit v2 using the WebAuthn method for multi-factor authentication. For more information, see About Authentication > Multi-Factor Authentication.

The UpdateApiAccessPolicy command returns the following elements:

  • ApiAccessPolicy: Information about the API access policy.

  • ResponseContext: Information about the context of the response.

Result sample: Require expiration dates of maximum 1 year
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": false,
    "MaxAccessKeyExpirationSeconds": 31536000
  }
}
Result sample: Require expiration dates of maximum 100 years and activate a trusted session
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": true,
    "MaxAccessKeyExpirationSeconds": 3153600000
  }
}
Result sample: Do not require expiration dates and deactivate a trusted session
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": false,
    "MaxAccessKeyExpirationSeconds": 0
  }
}

Related Page

Corresponding API Methods