API access rules are logical objects that allow you to send requests through the OUTSCALE API and the AWS-compliant APIs from your OUTSCALE account.
API access rules do not apply to API requests that can be sent without authentication.
API access rules are whitelist-based. You can only send requests from IP ranges and with certificates validated by Certificate Authorities (CAs) that are defined in the API access rules of your OUTSCALE account. For more information, see API Access Rule Criteria.
API access rules apply to all API-based requests on the OUTSCALE Cloud, including:
- web interfaces such as Cockpit
- CLIs such as OSC CLI or AWS CLI
- Cloud tools such as Terraform
API access rules are currently not compatible with the OUTSCALE Object Storage (OOS) and Object Storage Unit (OSU) services. This means that API-based requests to OOS and OSU are always allowed from your account.
By default, each OUTSCALE account has the following API access rules:
- Global access is allowed (0.0.0.0/0).
- Access from the web interface Cockpit of the account Region is allowed.
You can delete those rules. To retrieve their IDs, filter the following descriptions:
Allows all IPv4 domain
Allows Outscale Cockpit of this region
API Access Rule Criteria
You can allow access to the APIs based on one or more criteria. For each criterion, you can specify one or more items.
API access rule criteria are cumulative for a single API access rule. One of the listed items for each criterion must be valid in order to verify the API access rule.
The following criteria are available:
- IP addresses: You can allow the access to IP ranges in CIDR notation. For a specific IP address, use the suffix
Certificate Authorities (CAs): You can allow the access to X.509 certificates that are validated by CAs you have previously registered.
Common Names (CNs): You can allow access to only some CNs of the CAs you have provided.For security reasons, API access rules cannot be based on CNs alone, they have to be paired with CAs.
Managing API Access Rules
You can manage API access rules using the following methods of the OUTSCALE API (examples of OSC CLI commands included):
You cannot delete the last remaining API access rule of your account.
If you cannot access the APIs through the API access rules in place, you need to contact the Support team to regain access. For more information, see Technical Support.