Managing Access for Cloud Automation

Cette page est à ce jour disponible en anglais uniquement.

When setting up your automation tools to leverage the OUTSCALE Cloud, you will face a decision: "Should I let my Access and Secret Key out there?" The short answer is: No.

You might need a "Master" virtual machine (VM) that controls the state of your VMs, and decides to start, reboot, or shutdown any other VM. This topic does not explain how to setup a command center, but how to manage access through our Elastic Identity Management (EIM) service.

Principles

In this example, we use a common use case where you need to monitor the state of your VMs. The goal is to create an EIM user with its own access key for your automation tool, that enables it to only perform the required actions.

In this example, we will:

  1. Create a group of users.

  2. Create the adequate policy for this group.

  3. Create a user.

  4. Generate an access key that will be used for the VM and the program that will interact with our APIs to manage your infrastructure.

Example

In this example:

  • We use the OUTSCALE Python SDK.

  • We use an EIM policy that only allows Read calls in the OUTSCALE API.

import json

from osc_sdk_python import Gateway

gw = Gateway(**{"profile": "default"})


gw.CreateUserGroup(UserGroupName="monitoring")

policy = {
    "Statement": [{"Effect": "Allow", "Action": ["api:Read*"], "Resource": ["*"]}]
}

create_policy_result = gw.CreatePolicy(
    PolicyName="monitoring",
    Description="Allows Read calls",
    Document=json.dumps(policy),
)

gw.LinkManagedPolicyToUserGroup(
    PolicyOrn=create_policy_result["Policy"]["Orn"],
    UserGroupName="monitoring",
)

create_user_result = gw.CreateUser(UserName="watcher_1")

gw.AddUserToUserGroup(
    UserName="watcher_1",
    UserGroupName="monitoring",
)

create_accesskey_result = gw.CreateAccessKey(UserName="watcher_1")

print(create_accesskey_result["AccessKey"])

You now have an access key that can be used by your script to check the state of your infrastructure. We recommend using this access key for this purpose only.

Related Page