Managing Your API Access Policy

You can manage the API access policy of your account to define a maximum possible lifetime that applies to all your access keys. When a maximum is set, each of your access keys must have an expiration date, and no key's lifetime can exceed that maximum.

The limit allowed for the maximum possible lifetime is 3153600000 seconds (100 years).

Managing Your API Access Policy Using OSC CLI

Getting Information About Your API Access Policy

The ReadApiAccessPolicy command gets information about the API access policy of your account.

For more information, see About Your API Access Policy.

Request sample: Example with access key/secret key authentication
osc-cli api ReadApiAccessPolicy --profile "default"
Request sample: Example with login/password authentication
osc-cli api ReadApiAccessPolicy --profile "default" --authentication-method "password" --login "$OSC_EMAIL" --password "$OSC_PASSWORD"

This command contains the following attributes that you need to specify:

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

The ReadApiAccessPolicy command returns the following elements:

  • ApiAccessPolicy: Information about the API access policy.

    • MaxAccessKeyExpirationSeconds: The maximum possible lifetime for your access keys, in seconds. If 0, your access keys can have unlimited lifetimes.

    • RequireTrustedEnv: If true, a trusted session is activated, allowing you to bypass Certificate Authorities (CAs) enforcement. For more information, see About Your API Access Policy.
      If this is enabled, it is required that you and all your users log in to Cockpit v2 using the WebAuthn method for multi-factor authentication. For more information, see About Authentication > Multi-Factor Authentication.

  • ResponseContext: Information about the context of the response.

    • RequestId: The ID of the request.

Result sample
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": false,
    "MaxAccessKeyExpirationSeconds": 0
  }
}

Modifying Your API Access Policy

The UpdateApiAccessPolicy command updates the API access policy of your account.

Only one API access policy can be associated with your account.

Request sample: Require expiration dates of maximum 1 year
osc-cli api UpdateApiAccessPolicy --profile "default" \
    --MaxAccessKeyExpirationSeconds 31536000 \
    --RequireTrustedEnv False
Request sample: Require expiration dates of maximum 100 years and activate a trusted session
osc-cli api UpdateApiAccessPolicy --profile "default" \
    --MaxAccessKeyExpirationSeconds 3153600000 \
    --RequireTrustedEnv True
Request sample: Do not require expiration dates and deactivate a trusted session
osc-cli api UpdateApiAccessPolicy --profile "default" \
    --MaxAccessKeyExpirationSeconds 0 \
    --RequireTrustedEnv False
Request sample: Example with login/password authentication
osc-cli api UpdateApiAccessPolicy --profile "default" --authentication-method "password" --login "$OSC_EMAIL" --password "$OSC_PASSWORD" \
    --MaxAccessKeyExpirationSeconds 0 \
    --RequireTrustedEnv False

This command contains the following attributes that you need to specify:

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

  • MaxAccessKeyExpirationSeconds: The maximum possible lifetime for your access keys, in seconds (between 0 and 3153600000, both included). If set to 0, your access keys can have unlimited lifetimes, but a trusted session cannot be activated. Otherwise, all your access keys must have an expiration date. This value must be greater than the remaining lifetime of each access key of your account.

  • RequireTrustedEnv: If true, a trusted session is activated, provided that you specify the MaxAccessKeyExpirationSeconds parameter with a value greater than 0.
    Enabling this will require you and all your users to log in to Cockpit v2 using the WebAuthn method for multi-factor authentication. For more information, see About Authentication > Multi-Factor Authentication.

The UpdateApiAccessPolicy command returns the following elements:

  • ApiAccessPolicy: Information about the API access policy.

    • MaxAccessKeyExpirationSeconds: The maximum possible lifetime for your access keys, in seconds. If 0, your access keys can have unlimited lifetimes.

    • RequireTrustedEnv: If true, a trusted session is activated, allowing you to bypass Certificate Authorities (CAs) enforcement. For more information, see About Your API Access Policy.
      If this is enabled, it is required that you and all your users log in to Cockpit v2 using the WebAuthn method for multi-factor authentication. For more information, see About Authentication > Multi-Factor Authentication.

  • ResponseContext: Information about the context of the response.

    • RequestId: The ID of the request.

Result sample: Require expiration dates of maximum 1 year
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": false,
    "MaxAccessKeyExpirationSeconds": 31536000
  }
}
Result sample: Require expiration dates of maximum 100 years and activate a trusted session
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": true,
    "MaxAccessKeyExpirationSeconds": 3153600000
  }
}
Result sample: Do not require expiration dates and deactivate a trusted session
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": false,
    "MaxAccessKeyExpirationSeconds": 0
  }
}

Managing Your API Access Policy Using oapi-cli

Getting Information About Your API Access Policy

The ReadApiAccessPolicy command gets information about the API access policy of your account.

For more information, see About Your API Access Policy.

Request sample: Example with access key/secret key authentication
oapi-cli --profile "default" ReadApiAccessPolicy
Request sample: Example with login/password authentication
oapi-cli --profile "default" --login "$OSC_EMAIL" --password "$OSC_PASSWORD" ReadApiAccessPolicy

This command contains the following attributes that you need to specify:

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

The ReadApiAccessPolicy command returns the following elements:

  • ApiAccessPolicy: Information about the API access policy.

    • MaxAccessKeyExpirationSeconds: The maximum possible lifetime for your access keys, in seconds. If 0, your access keys can have unlimited lifetimes.

    • RequireTrustedEnv: If true, a trusted session is activated, allowing you to bypass Certificate Authorities (CAs) enforcement. For more information, see About Your API Access Policy.
      If this is enabled, it is required that you and all your users log in to Cockpit v2 using the WebAuthn method for multi-factor authentication. For more information, see About Authentication > Multi-Factor Authentication.

  • ResponseContext: Information about the context of the response.

    • RequestId: The ID of the request.

Result sample
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": false,
    "MaxAccessKeyExpirationSeconds": 0
  }
}

Modifying Your API Access Policy

The UpdateApiAccessPolicy command updates the API access policy of your account.

Only one API access policy can be associated with your account.

Request sample: Require expiration dates of maximum 1 year
oapi-cli --profile "default" UpdateApiAccessPolicy \
    --MaxAccessKeyExpirationSeconds 31536000 \
    --RequireTrustedEnv False
Request sample: Require expiration dates of maximum 100 years and activate a trusted session
oapi-cli --profile "default" UpdateApiAccessPolicy \
    --MaxAccessKeyExpirationSeconds 3153600000 \
    --RequireTrustedEnv True
Request sample: Do not require expiration dates and deactivate a trusted session
oapi-cli --profile "default" UpdateApiAccessPolicy \
    --MaxAccessKeyExpirationSeconds 0 \
    --RequireTrustedEnv False
Request sample: Example with login/password authentication
oapi-cli --profile "default" --login "$OSC_EMAIL" --password "$OSC_PASSWORD" UpdateApiAccessPolicy \
    --MaxAccessKeyExpirationSeconds 0 \
    --RequireTrustedEnv False

This command contains the following attributes that you need to specify:

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

  • MaxAccessKeyExpirationSeconds: The maximum possible lifetime for your access keys, in seconds (between 0 and 3153600000, both included). If set to 0, your access keys can have unlimited lifetimes, but a trusted session cannot be activated. Otherwise, all your access keys must have an expiration date. This value must be greater than the remaining lifetime of each access key of your account.

  • RequireTrustedEnv: If true, a trusted session is activated, provided that you specify the MaxAccessKeyExpirationSeconds parameter with a value greater than 0.
    Enabling this will require you and all your users to log in to Cockpit v2 using the WebAuthn method for multi-factor authentication. For more information, see About Authentication > Multi-Factor Authentication.
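
The UpdateApiAccessPolicy constraints listed above (the same for OSC CLI and oapi-cli) can be checked before the call is sent. The following is an added example, not part of the original documentation or of either CLI: the function name, the sample key list, its field names (AccessKeys, AccessKeyId, ExpirationDate) and the date format are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

MAX_LIFETIME_LIMIT = 3153600000  # upper bound stated on this page (100 years)

# Constructed sample shaped like a list of access keys. The field names
# (AccessKeys, AccessKeyId, ExpirationDate) and the date format are assumptions.
SAMPLE_KEYS = json.loads("""
{"AccessKeys": [
  {"AccessKeyId": "EXAMPLEKEY0001", "ExpirationDate": "2025-03-01T00:00:00.000+0000"},
  {"AccessKeyId": "EXAMPLEKEY0002", "ExpirationDate": "2027-01-01T00:00:00.000+0000"},
  {"AccessKeyId": "EXAMPLEKEY0003"}
]}
""")["AccessKeys"]


def check_policy_update(max_seconds, require_trusted_env, keys, now):
    """Return the reasons a proposed policy breaks the documented constraints."""
    problems = []
    if not 0 <= max_seconds <= MAX_LIFETIME_LIMIT:
        problems.append(f"MaxAccessKeyExpirationSeconds {max_seconds} is outside 0..{MAX_LIFETIME_LIMIT}")
        return problems
    if require_trusted_env and max_seconds == 0:
        problems.append("RequireTrustedEnv needs MaxAccessKeyExpirationSeconds > 0")
    if max_seconds == 0:
        return problems  # unlimited lifetimes: no per-key constraint applies
    for key in keys:
        expiry = key.get("ExpirationDate")
        if not expiry:
            # A non-zero maximum means every key must carry an expiration date.
            problems.append(f"{key['AccessKeyId']}: no expiration date")
            continue
        expires_at = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%S.%f%z")
        remaining = (expires_at - now).total_seconds()
        # The maximum must be strictly greater than each key's remaining lifetime.
        if remaining >= max_seconds:
            problems.append(f"{key['AccessKeyId']}: remaining lifetime {int(remaining)}s is not below {max_seconds}s")
    return problems


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for reason in check_policy_update(31536000, False, SAMPLE_KEYS, now):
        print(reason)
```

An empty list means the proposed values satisfy the constraints as documented here; keys that are flagged need a new expiration date or replacement before the policy is tightened.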

The UpdateApiAccessPolicy command returns the following elements:

  • ApiAccessPolicy: Information about the API access policy.

    • MaxAccessKeyExpirationSeconds: The maximum possible lifetime for your access keys, in seconds. If 0, your access keys can have unlimited lifetimes.

    • RequireTrustedEnv: If true, a trusted session is activated, allowing you to bypass Certificate Authorities (CAs) enforcement. For more information, see About Your API Access Policy.
      If this is enabled, it is required that you and all your users log in to Cockpit v2 using the WebAuthn method for multi-factor authentication. For more information, see About Authentication > Multi-Factor Authentication.

  • ResponseContext: Information about the context of the response.

    • RequestId: The ID of the request.

Result sample: Require expiration dates of maximum 1 year
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": false,
    "MaxAccessKeyExpirationSeconds": 31536000
  }
}
Result sample: Require expiration dates of maximum 100 years and activate a trusted session
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": true,
    "MaxAccessKeyExpirationSeconds": 3153600000
  }
}
Result sample: Do not require expiration dates and deactivate a trusted session
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "ApiAccessPolicy": {
    "RequireTrustedEnv": false,
    "MaxAccessKeyExpirationSeconds": 0
  }
}
