Each Aqua API key can be used to access all endpoints for the account. Permissions allow you to control the specific endpoints and provide granular control for the key.


By default, API keys have access to all endpoints and can view all connected cloud accounts and associated data. Permissions are highly recommended to reduce the scope of the key's access.


TABLE OF CONTENTS


General Permissions

  1. Sign in to the Aqua console and choose CSPM from the mega menu.
  2. Select API Keys from the Account Management drop-down at the bottom of the page.


If you are on the Enterprise plan, navigate to CSPM > Settings > API Keys.


3. Locate the API key you wish to modify.

4. On the right side of the table, click the drop-down menu and select Edit.

5. In the Edit API Key popup, adjust the key permissions by enabling or disabling the toggles under Global Permissions and Granular Permissions.

Additional Restrictions

IP Address Restriction

Fill in the IP address(s) that you would like to restrict in the IP addresses field that ensures additional security. If this field is left empty, all IP addresses are allowed without any restriction. Make sure to enforce the IP restriction in all API calls.

Group Restriction

The API keys can be limited to specific groups of cloud accounts. To limit an API key to a particular group, select the desired group from the list in the Edit API Key window. This allows the API key to access resources only in that group and the key is no longer considered an account admin. If this field is left empty, all groups are allowed without any restriction.

If a group is unselected, it removes the group-specific restrictions on that API key and converts the key back to an account admin. To remove a group, click on the mark.




Only the account admin can add or remove group restrictions to an API key. In future, the provision to add multiple groups (more than one) to an API key will be added.