Your API access policy provides you with additional security options to simplify, in some use cases, the authentication to the OUTSCALE services.

The following topics are discussed: 

General Information

Your API access policy enables you to:

  • Require the use of expiration dates for your access keys.
  • If you use API access rules with Certificate Authorities (CAs), activate a trusted session to simplify the authentication process.

    Like API access rules, a trusted session applies to all APIs as well as the interfaces and tools based on them, with the exception of the OUTSCALE Object Storage (OOS) and Object Storage Unit (OSU) APIs.

Maximum Possible Lifetime for Access Keys

By default, your access keys have infinite lifetimes and thus do not need to be renewed. To create access keys that must be renewed after a certain expiration date, you can use the CreateAccessKey method.

You can use your API access policy to make the use of expiration dates mandatory, therefore increasing the security of your account. The UpdateApiAccessPolicy method enables you to define a maximum possible lifetime that will apply to all your access keys. In that case, each of your access keys must imperatively have an expiration date, and none of the lifetimes can exceed the value of the maximum possible lifetime.

The limit allowed for the maximum possible lifetime is 3153600000 seconds (100 years).

Trusted Session

If you have defined Certificate Authorities (CAs) in your API access rules, you must systematically provide a certificate in each of your requests to OUTSCALE services. For more information about CAs and certificates, see About API Access Rules.

In that situation, however, you can use your API access policy to activate a trusted session. A trusted session enables you to bypass the requirement of systematically providing a certificate. Instead, you only provide the certificate when activating the trusted session itself.

To activate a trusted session, you must meet the following requirements:

  • All your access keys must have expiration dates.
  • All your API access rules must specify a CA.


Scope of a Trusted Session

For security reasons, certain API methods are excluded from the scope of a trusted session. The table below presents the authentication factors required to perform actions:

ActionsRequired authentication with trusted session deactivatedRequired authentication with trusted session activated

All methods except those managing:

  • Access keys
  • CAs
  • API access rules
  • The API access policy
  • By access keys (AND certificate if required by API access rules)
  • By access keys

Methods managing:

  • Access keys
  • CAs
  • API access rules
  • The API access policy
  • By access keys (AND certificate if required by API access rules)

or

  • By email/password (AND certificate if required by API access rules)
  • By access keys AND certificate

or

  • By email/password AND certificate

In addition to the above, a few methods are public methods that do not require authentication. These are marked by a green banner in the OUTSCALE API documentation.


Managing Your API Access Policy

You can manage your API access policy using the following methods of the OUTSCALE API (examples of OSC CLI commands included):