When setting up your automation tools to leverage the OUTSCALE Cloud, you will face a decision: "Should I put my Access Key and Secret Key out there?" The short answer is: No.

You might need a "Master" instance that controls the state of your instances and decides to start, reboot or shut down any other instance. This topic does not explain how to set up a command center, but how to manage access through our Elastic Identity Management (EIM) service.


In this example, we use a common use case where you need to monitor the state of your instances. The goal is to create an EIM profile with its own access keys for your automation tool, so that the tool can perform only the required actions.

We will:

  1. Create a group of users.
  2. Create the adequate policy for this group.
  3. Create a user.
  4. Generate an access key and secret key pair, to be set on the instance and in the program that will interact with our APIs to manage your infrastructure.


Use your EIM connector (CLI, Boto). In this example, we use boto2, and outscale_eim is the connection object to EIM.

Create your group

>> outscale_eim.create_group('monitoring')

{u'create_group_response': {u'response_metadata': {u'request_id': u'6cc10aae-69fe-41f2-9c0a-540d3024f1e1'}, u'create_group_result': {u'group': {u'path': u'/', u'group_id': u'T9UIPLKTDAHJI0WBI55O1XSZR90XHVR', u'create_date': u'2017-02-08T14:11:46.463Z', u'arn': u'arn:aws:iam::209064296596:group/monitoring', u'group_name': u'monitoring'}}}}

Create an EIM policy document

In this example, the policy document allows Describe calls in FCU and LBU services:

>> import json
>> policy_monitor = {"Statement": [{"Action": ["ec2:Describe*", "elasticloadbalancing:Describe*"], "Effect": "Allow", "Resource": ["*"]}]}
>> outscale_eim.create_policy('monitoring', json.dumps(policy_monitor), '/', 'Allow describe for every item')

{u'create_policy_response': {u'create_policy_result': {u'policy': {u'update_date': u'2017-02-08T14:28:09.565Z', u'create_date': u'2017-02-08T14:28:09.565Z', u'is_attachable': u'true', u'policy_name': u'monitoring', u'default_version_id': u'v1', u'attachment_count': u'0', u'path': u'/', u'arn': u'arn:aws:iam::209064296596:policy/monitoring', u'policy_id': u'2LDQ6L9JTIHUM2JFTT11T85NNNC6BSI'}}, u'response_metadata': {u'request_id': u'269c7cd1-ff75-45c0-afe3-9f76f5bdb693'}}}

Attach the policy to the group

>> outscale_eim.attach_group_policy('arn:aws:iam::209064296596:policy/monitoring', 'monitoring')

{u'attach_group_policy_response': {u'response_metadata': {u'request_id': u'f8b26057-dc3b-435e-b73d-85e5ef07b08d'}}}

Create your user

>> outscale_eim.create_user('watcher_1')

{u'create_user_response': {u'create_user_result': {u'user': {u'path': u'/', u'create_date': u'2017-02-08T14:29:16.213Z', u'user_name': u'watcher_1', u'arn': u'arn:aws:iam::209064296596:user/watcher_1', u'user_id': u'QAMRA41689OVGBITFKNCUS7VTUS7JKE'}}, u'response_metadata': {u'request_id': u'bef67fbf-7303-421c-a570-8765a424883a'}}}

Add your user to the group

>> outscale_eim.add_user_to_group('monitoring', 'watcher_1')

{u'add_user_to_group_response': {u'response_metadata': {u'request_id': u'b7c5e54d-113a-4c63-ac86-3dbb8066c1c8'}}}

Generate access keys for your user

>> outscale_eim.create_access_key('watcher_1')

{u'create_access_key_response': {u'create_access_key_result': {u'access_key': {u'status': u'Active', u'secret_access_key': u'68LYVK40JWRRUUZ1JNTB2EBRNSCH1QE8NXGPAHIM', u'create_date': u'2017-02-08T14:34:13.119Z', u'user_name': u'orn:ows:idauth::209064296596:user/watcher_1', u'access_key_id': u'CM3UAWFMD2WRN4XEAU01'}}, u'response_metadata': {u'request_id': u'ad7b8a9d-34a6-4436-b2c9-a1abd0ab455a'}}}

You now have an access key and a secret key that your script can use to check the state of your infrastructure. We recommend using these access keys for this purpose only.
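One way to check offline, before the keys are handed to the automation tool, that the policy document above allows only the Describe calls it needs. This is an added example, not OUTSCALE code: it uses a simplified evaluation model (action matching only, with resources and conditions ignored), and the helper names and the tested action names are assumptions chosen for illustration.

```python
import re

# Policy document from the page (Describe calls in FCU and LBU).
POLICY_MONITOR = {"Statement": [{"Action": ["ec2:Describe*", "elasticloadbalancing:Describe*"],
                                 "Effect": "Allow", "Resource": ["*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM-style match: case-insensitive, '*' = any run, '?' = one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.match("^" + regex + "$", action, re.IGNORECASE) is not None

def is_allowed(policy, action):
    """Default deny; an explicit Deny overrides any Allow (simplified model)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if any(_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def overbroad_actions(policy, read_only_prefixes=("Describe",)):
    """Return Allow patterns that are not limited to read-only calls."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            verb = pattern.split(":", 1)[-1]  # part after the service prefix
            if not verb.startswith(read_only_prefixes):
                findings.append(pattern)
    return findings

if __name__ == "__main__":
    # Sample actions: one the monitoring tool needs, two it must not have.
    for action in ("ec2:DescribeInstances", "ec2:StopInstances", "iam:CreateAccessKey"):
        print(action, "->", "allow" if is_allowed(POLICY_MONITOR, action) else "deny")
    print("over-broad:", overbroad_actions(POLICY_MONITOR))
```

Running `overbroad_actions` on a policy before calling `create_policy` catches patterns such as `ec2:*` that would let the monitoring keys change instance state.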

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.