By default, API keys have access to all endpoints and can view all connected cloud accounts and associated data. API key permissions allow you to control specific endpoints and provide granular control for the key. The use of permissions is highly recommended to reduce the scope of the key's access.

General permissions

  1. Sign into the Aqua console and choose Account Management from the mega menu.
  2. Select API Keys from the Settings drop-down at the bottom of the page.
  3. Locate the API key you wish to modify.
  4. On the right side of the table, click the drop-down menu and select Edit.

5. In the Edit API Key popup, adjust the key permissions by enabling or disabling the toggles under Global Permissions and Granular Permissions.

Additional restrictions

IP address restriction

Fill in the IP address(s) that you would like to restrict in the IP addresses field that ensures additional security. If this field is left empty, all IP addresses are allowed without any restriction. Make sure to enforce the IP restriction in all API calls.

Group restriction

The API keys can be limited to specific groups of cloud accounts. To limit an API key to a particular group, select the desired group from the list in the Edit API Key window. This allows the API key to access resources only in that group and the key is no longer considered an account admin. If this field is left empty, all groups are allowed without any restriction.

If a group is unselected, it removes the group-specific restrictions on that API key and converts the key back to an account admin. To remove a group, click the in its box.


Only an account admin can add or remove group restrictions to an API key.