Your API access policy enables you to:
- Require the use of expiration dates for your access keys.
- If you use API access rules with Certificate Authorities (CAs), activate a trusted session to simplify the authentication process.
Like API access rules, a trusted session applies to all APIs as well as the interfaces and tools based on them, with the exception of the OUTSCALE Object Storage (OOS) and Object Storage Unit (OSU) APIs.
Maximum Possible Lifetime for Access Keys
By default, your access keys have infinite lifetimes and thus do not need to be renewed. To create access keys that must be renewed after a certain expiration date, you can use the CreateAccessKey method.
You can use your API access policy to make expiration dates mandatory, which increases the security of your account. The UpdateApiAccessPolicy method enables you to define a maximum possible lifetime that applies to all your access keys. In that case, each of your access keys must have an expiration date, and none of the lifetimes can exceed the value of the maximum possible lifetime.
If you have defined Certificate Authorities (CAs) in your API access rules, you must systematically provide a certificate in each of your requests to OUTSCALE services. For more information about CAs and certificates, see About API Access Rules.
In that situation, however, you can use your API access policy to activate a trusted session. A trusted session enables you to bypass the requirement of systematically providing a certificate. Instead, you only provide the certificate when activating the trusted session itself.
To activate a trusted session, you must meet the following requirements:
- All your access keys must have expiration dates.
- All your API access rules must specify a CA.
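The two sets of conditions above (the maximum possible lifetime and the trusted session requirements) can be checked against an inventory of keys and rules before changing the policy. The following is an added example, not OUTSCALE code: the record field names, the sample values, and the reading of "lifetime" as the time remaining until expiry are assumptions.

```python
from datetime import datetime, timedelta, timezone

def audit_policy_readiness(access_keys, api_access_rules, max_lifetime_seconds, now):
    """Return (lifetime_findings, trusted_session_findings) as lists of strings.

    Assumed record shapes (not taken from the page):
      access key:  {"AccessKeyId": str, "ExpirationDate": ISO 8601 str or None}
      access rule: {"ApiAccessRuleId": str, "CaIds": list of str}
    Assumption: a key's lifetime is the time left between `now` and its expiry.
    """
    lifetime, trusted = [], []
    limit = timedelta(seconds=max_lifetime_seconds)
    for key in access_keys:
        kid, exp = key["AccessKeyId"], key.get("ExpirationDate")
        if exp is None:
            # A key without an expiration date blocks both policy features.
            msg = f"{kid}: no expiration date"
            lifetime.append(msg)
            trusted.append(msg)
            continue
        remaining = datetime.fromisoformat(exp) - now
        if remaining > limit:
            lifetime.append(f"{kid}: remaining lifetime {remaining} exceeds {limit}")
    for rule in api_access_rules:
        # A trusted session requires every API access rule to specify a CA.
        if not rule.get("CaIds"):
            trusted.append(f"{rule['ApiAccessRuleId']}: no CA specified")
    return lifetime, trusted

# Constructed sample inventory (identifiers are placeholders, not real keys).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
KEYS = [
    {"AccessKeyId": "AK-EXAMPLE-1", "ExpirationDate": "2024-02-01T00:00:00+00:00"},
    {"AccessKeyId": "AK-EXAMPLE-2", "ExpirationDate": None},
    {"AccessKeyId": "AK-EXAMPLE-3", "ExpirationDate": "2025-06-01T00:00:00+00:00"},
]
RULES = [
    {"ApiAccessRuleId": "rule-example-1", "CaIds": ["ca-example-1"]},
    {"ApiAccessRuleId": "rule-example-2", "CaIds": []},
]

if __name__ == "__main__":
    lifetime, trusted = audit_policy_readiness(KEYS, RULES, 90 * 24 * 3600, NOW)
    for line in lifetime:
        print("max lifetime blocker:", line)
    for line in trusted:
        print("trusted session blocker:", line)
```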
Scope of a Trusted Session
For security reasons, certain API methods are excluded from the scope of a trusted session. The table below presents the authentication factors required to perform actions:
|Actions||Required authentication with trusted session deactivated||Required authentication with trusted session activated|
All methods except those managing:
In addition to the above, a few methods are public methods that do not require authentication. These are marked by a green banner in the OUTSCALE API documentation.
Managing Your API Access Policy
You can manage your API access policy using the following methods of the OUTSCALE API (examples of OSC CLI commands included):