API access rules allow you to secure your OUTSCALE account by defining its access to the APIs.

You can use API access rules as an additional authentication factor for your OUTSCALE account with Certificate Authorities (CAs).


General Information

API access rules are logical objects that allow you to send requests through the OUTSCALE API and the AWS-compliant APIs from your OUTSCALE account.

API access rules do not apply to API requests that can be sent without authentication.

API access rules are whitelist-based. You can only send requests from IP ranges and with certificates validated by Certificate Authorities (CAs) that are defined in the API access rules of your OUTSCALE account. For more information, see API Access Rule Criteria.

Perimeter

API access rules apply to all API-based requests on the OUTSCALE Cloud, including:

  • web interfaces such as Cockpit
  • CLIs such as OSC CLI or AWS CLI
  • Cloud tools such as Terraform
  • scripts

API access rules are currently not compatible with the OUTSCALE Object Storage (OOS) and Object Storage Unit (OSU) services. This means that API-based requests to OOS and OSU are always allowed from your account.


Default Rules

By default, each OUTSCALE account has the following API access rules:

  1. Global access is allowed (0.0.0.0/0).
  2. Access from the Cockpit web interface of the account's Region is allowed.

You can delete those rules. To retrieve their IDs, filter on the following descriptions:

  1. Allows all IPv4 domain
  2. Allows Outscale Cockpit of this region


Corresponding API Methods

API Access Rule Criteria

You can allow access to the APIs based on one or more criteria. For each criterion, you can specify one or more items.

API access rule criteria are cumulative within a single API access rule. For the rule to be verified, one of the listed items must be valid for each criterion.


The following criteria are available:

  • IP addresses: You can allow access from IP ranges in CIDR notation. For a specific IP address, use the suffix /32.
  • Certificate Authorities (CAs): You can allow access with X.509 certificates that are validated by CAs you have previously registered.

    You can manage CAs using the following methods of the OUTSCALE API (examples of OSC CLI commands included):

  • Common Names (CNs): You can allow access to only some CNs of the CAs you have provided.

    For security reasons, API access rules cannot be based on CNs alone; they must be paired with CAs.
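
The following is an added example, not OUTSCALE code: a local model of the criteria logic described above, useful for checking that a planned rule set still admits your own clients before you delete the default 0.0.0.0/0 rule. The `Rule` class, its field names, the CA identifier, the CN and the sample addresses are hypothetical or constructed. It assumes that a request is allowed when it satisfies any one rule, and it represents certificate validation simply as the identifier of the issuing CA.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:  # hypothetical local model, not an OUTSCALE API object
    description: str
    ip_ranges: list = field(default_factory=list)
    ca_ids: list = field(default_factory=list)
    cns: list = field(default_factory=list)

    def __post_init__(self):
        # The page states CNs cannot be used alone; they must be paired with CAs.
        if self.cns and not self.ca_ids:
            raise ValueError("CNs must be paired with CAs")

def rule_matches(rule, src_ip, ca_id=None, cn=None):
    """AND across the criteria a rule sets, OR across the items of each criterion."""
    if rule.ip_ranges:
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in ipaddress.ip_network(r) for r in rule.ip_ranges):
            return False
    if rule.ca_ids and ca_id not in rule.ca_ids:
        return False
    if rule.cns and cn not in rule.cns:
        return False
    return True

def allowed(rules, src_ip, ca_id=None, cn=None):
    # Assumption: whitelist semantics, so satisfying any one rule is enough.
    return any(rule_matches(r, src_ip, ca_id, cn) for r in rules)

def open_rules(rules):
    """Descriptions of rules that admit every IPv4 source with no CA criterion."""
    return [r.description for r in rules if not r.ca_ids
            and any(ipaddress.ip_network(x).prefixlen == 0 for x in r.ip_ranges)]

# Constructed sample data: the default rule described above plus a hardened rule.
DEFAULT = Rule("Allows all IPv4 domain", ip_ranges=["0.0.0.0/0"])
HARDENED = Rule("Constructed: CI runner", ip_ranges=["203.0.113.0/24", "198.51.100.7/32"],
                ca_ids=["ca-constructed-1"], cns=["ci-runner"])

if __name__ == "__main__":
    for rules in ([DEFAULT, HARDENED], [HARDENED]):
        print(open_rules(rules),
              allowed(rules, "192.0.2.10"),
              allowed(rules, "203.0.113.5", "ca-constructed-1", "ci-runner"))
```

With the default rule still present, the request without a certificate from 192.0.2.10 is allowed; once only the hardened rule remains, it is refused while the CI runner's request still passes.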



Managing API Access Rules

You can manage API access rules using the following methods of the OUTSCALE API (examples of OSC CLI commands included):

You cannot delete the last remaining API access rule of your account.

If you cannot access the APIs through the API access rules in place, you need to contact the Support team to regain access. For more information, see Technical Support.


