API access rules are logical objects that allow you to send requests through the OUTSCALE API and the AWS-compliant APIs from your account.
API access rules are whitelist-based: you can send requests only from specific IP ranges, and only if you possess certificates validated by Certificate Authorities (CAs) that are defined in the API access rules of your account. For more information, see API Access Rule Criteria.
- You can use your API access policy to simplify the use of certificates to authenticate. For more information, see About Your API Access Policy.
- API access rules do not apply to API requests that can be sent without authentication.
API access rules apply to all API-based requests on the OUTSCALE Cloud, including:
- Web interfaces such as Cockpit
- CLIs such as OSC CLI or AWS CLI
- Cloud tools such as Terraform
API access rules are currently not compatible with the OUTSCALE Object Storage (OOS) and Object Storage Unit (OSU) services. This means that API-based requests to OOS and OSU are always allowed from your account.
By default, each account has the following API access rules:
- Global access is allowed (0.0.0.0/0).
- Access from the web interface Cockpit of the account Region is allowed.
You can delete those rules using the DeleteApiAccessRule method. To retrieve their IDs, filter the following descriptions:
- Allows all IPv4 domain
- Allows Outscale Cockpit of this region
API Access Rule Criteria
An API access rule is composed of one or more criteria. For each criterion, you can specify one or more values. The following criteria are available:
- IP addresses: You can allow the access to IP ranges in CIDR notation. To define a specific IP address, you can use the suffix
- Certificate Authorities (CAs): You can allow the access to X.509 certificates that are validated by CAs you have previously registered.
To further increase the security of your account, we recommend diversifying your authentication factors. By default, certificates and credentials act as knowledge factors. Certificates can act as possession factors when stored on physical devices such as smart cards.
- Common Names (CNs): You can allow access to CNs of the CAs you have provided. For security reasons, API access rules cannot be based on CNs alone. CNs have to be paired with CAs.
Accessing the APIs
To access the APIs, you need to validate one rule, regardless of whether one or several rules are defined. The defined rules have no priority order. To validate an API access rule, you must comply with all of its criteria. For each criterion, you only need to comply with one of its specified values.
To increase the security of your account, we recommend combining criteria in a single rule rather than having several rules with fewer criteria.
The following table presents examples of API access rules combining criteria with one or more values and the resulting accesses:
|Criteria||Access allowed or denied|
Requests from IPs included in the defined IP range can validate this rule.
Requests from IPs included in the defined IP range and in possession of a certificate validated by one of the defined CAs can validate this rule.
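The evaluation logic described in this section, as an added example that is not OUTSCALE code and does not call the OUTSCALE API: it models rules locally to show why one combined rule is stricter than several single-criterion rules. The class names, field names, IP ranges and CA identifiers are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    """Local model of an API access rule (hypothetical field names)."""
    ip_ranges: list = field(default_factory=list)  # CIDR strings
    ca_ids: list = field(default_factory=list)     # registered CA identifiers
    cns: list = field(default_factory=list)        # certificate Common Names

    def __post_init__(self):
        if not (self.ip_ranges or self.ca_ids or self.cns):
            raise ValueError("a rule needs at least one criterion")
        if self.cns and not self.ca_ids:
            raise ValueError("CNs have to be paired with CAs")

@dataclass
class Request:
    source_ip: str
    ca_id: Optional[str] = None  # CA that validated the client certificate
    cn: Optional[str] = None

def validates(rule, req):
    """Every criterion set on the rule must hold; one matching value each."""
    ip = ipaddress.ip_address(req.source_ip)
    if rule.ip_ranges and not any(
            ip in ipaddress.ip_network(r) for r in rule.ip_ranges):
        return False
    if rule.ca_ids and req.ca_id not in rule.ca_ids:
        return False
    if rule.cns and req.cn not in rule.cns:
        return False
    return True

def is_allowed(rules, req):
    """Rules have no priority order: validating any single rule is enough."""
    return any(validates(r, req) for r in rules)

# Constructed sample values (documentation IP ranges, placeholder CA IDs).
OFFICE = "192.0.2.0/24"
split = [Rule(ip_ranges=[OFFICE]), Rule(ca_ids=["ca-example1"])]
combined = [Rule(ip_ranges=[OFFICE], ca_ids=["ca-example1", "ca-example2"])]
default_left = combined + [Rule(ip_ranges=["0.0.0.0/0"])]

outside_with_cert = Request("198.51.100.7", ca_id="ca-example1")
inside_no_cert = Request("192.0.2.15")
inside_with_cert = Request("192.0.2.15", ca_id="ca-example2")
```

With the two single-criterion rules in `split`, either factor alone grants access, while `combined` requires both. If the default `0.0.0.0/0` rule is left in place, as in `default_left`, the stricter rule has no effect because any request validates the global rule.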
Managing API Access Rules
You can manage API access rules using the following methods of the OUTSCALE API (examples of OSC CLI commands included):
You cannot delete the last remaining API access rule of your account.
If you cannot access the APIs through the API access rules in place, you need to contact the Support team to regain access. For more information, see Technical Support.