Configuring OVHcloud integration

Tidal Control's OVHcloud integration monitors your account's security configuration for compliance purposes. It uses an OAuth2 service account (client credentials flow) to authenticate against the OVHcloud v1 and v2 APIs.

What this integration monitors:

  • IAM users (sub-users): Account identity inventory
  • IAM groups: Group membership
  • IAM policies: Access policy configuration
  • Legacy API applications and credentials: Older API access
  • OAuth2 service accounts: Service-account inventory
  • Public Cloud projects: Project inventory
  • Cloud project users: Per-project users
  • SSH keys: Cloud SSH credential inventory
  • Cloud instances: Compute inventory
  • Managed databases: Database services
  • KMS resources: Key Management Service inventory

Requirements:

  • Super User role in Tidal Control
  • OVHcloud account with access to the API console and IAM
  • The EU endpoint (https://api.eu.ovhcloud.com), the only region supported at this time

Info

Security groups are not included. OVHcloud security groups are only available through the OpenStack API, not the OVHcloud REST API, so the connector does not monitor them.

Configuration step-by-step plan

What we're going to do: We'll create an OAuth2 service account, copy its identity URN, create an IAM policy granting read-only access, then add the connection in Tidal Control.

Configuration steps:

  1. Create an OAuth2 client (service account)
  2. Copy the service account's identity URN
  3. Create an IAM policy
  4. Configure the integration in Tidal Control

Step 1: Create an OAuth2 client (service account)

In the OVHcloud Manager API console, execute:

POST /me/api/oauth2/client
{
  "callbackUrls": [],
  "flow": "CLIENT_CREDENTIALS",
  "name": "tidal-control",
  "description": "Tidal Control security compliance connector"
}

Save the returned clientId and clientSecret.

Alternatively, go to Account & Billing → My Account → My identities → Service accounts → Create.

Warning

Save the client secret immediately. The clientSecret is shown only once. If you lose it, create a new OAuth2 client.

Step 2: Copy the service account's identity URN

After creating the client, call:

GET /me/api/oauth2/client/{clientId}

Copy the identity field — it looks like:

urn:v1:eu:identity:credentialOAuth2:{nicHandle}/EU.xxxxxxxxxxxxxxxx

Your nicHandle is shown in the top-right menu of the OVHcloud Manager (e.g. hw53544-ovh).

Step 3: Create an IAM policy

Create a read-only IAM policy for the service account. You can do this in IAM → Policies → Create a policy in the Manager, or via the API.

Warning

Use explicit resource URNs — not a wildcard. Using urn:v1:eu:resource:*:* fails with an error such as "a policy can't target subusers of another account", because the wildcard expands to resources from every account linked to the root account. List each resource explicitly instead.

Resources — add one entry per resource type you have:

  • Account (for me/* and iam/* endpoints): urn:v1:eu:resource:account:{nicHandle}
  • Cloud project (one per project): urn:v1:eu:resource:publicCloudProject:{projectId}
  • KMS (one per resource): urn:v1:eu:resource:okms:{kmsId}

Allowed actions — grant exactly these read actions. Note that cloud-project actions use the publicCloudProject:apiovh: prefix, not account:apiovh:cloud/project/:

  • IAM sub-users: account:apiovh:me/identity/user/get
  • IAM groups: account:apiovh:me/identity/group/get
  • Legacy API applications: account:apiovh:me/api/application/get
  • Legacy API credentials: account:apiovh:me/api/credential/get
  • Service accounts (OAuth2 clients): account:apiovh:me/api/oauth2/client/get
  • IAM policies: account:apiovh:iam/policy/get
  • Public Cloud projects: publicCloudProject:apiovh:get
  • Cloud project users: publicCloudProject:apiovh:user/get
  • SSH keys: publicCloudProject:apiovh:sshkey/get
  • Cloud instances: publicCloudProject:apiovh:instance/get
  • Managed databases: publicCloudProject:apiovh:database/service/get
  • KMS resources: okms:apiovh:resource/get

Creating the policy via the API:

# First get a token
TOKEN=$(curl -s -X POST https://www.ovh.com/auth/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -d "grant_type=client_credentials&scope=all" | jq -r '.access_token')

# Create the IAM policy
curl -s -X POST https://api.eu.ovhcloud.com/v2/iam/policy \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "tidal-control",
    "description": "Tidal Control read-only access",
    "identities": ["urn:v1:eu:identity:credentialOAuth2:{nicHandle}/EU.xxxxxxxxxxxxxxxx"],
    "resources": [
      "urn:v1:eu:resource:account:{nicHandle}",
      "urn:v1:eu:resource:publicCloudProject:{projectId}",
      "urn:v1:eu:resource:okms:{kmsId}"
    ],
    "permissions": {
      "allow": [
        {"action": "account:apiovh:me/identity/user/get"},
        {"action": "account:apiovh:me/identity/group/get"},
        {"action": "account:apiovh:me/api/application/get"},
        {"action": "account:apiovh:me/api/credential/get"},
        {"action": "account:apiovh:me/api/oauth2/client/get"},
        {"action": "account:apiovh:iam/policy/get"},
        {"action": "publicCloudProject:apiovh:get"},
        {"action": "publicCloudProject:apiovh:user/get"},
        {"action": "publicCloudProject:apiovh:sshkey/get"},
        {"action": "publicCloudProject:apiovh:instance/get"},
        {"action": "publicCloudProject:apiovh:database/service/get"},
        {"action": "okms:apiovh:resource/get"}
      ]
    }
  }'

Replace {nicHandle}, {projectId}, {kmsId} and the identity URN with your actual values. Add one resources entry per cloud project and per KMS resource.
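The following is an added example, not code from Tidal Control or OVHcloud. It assembles the policy body from step 3 for a given account, and lints an existing policy body for the two failure modes described on this page: a wildcard resource URN, and cloud-project actions written with the account:apiovh:cloud/project/ prefix instead of publicCloudProject:apiovh:. It also flags an action whose resource type has no explicit resource URN in the policy, which is the usual cause of "no data" for one resource type. The function names and the sample values (nicHandle, identity URN, project id) are assumptions made for this example.

```python
"""Build and lint an OVHcloud IAM policy body for a read-only connector.

Added example: not Tidal Control's or OVHcloud's own code. Function names
and sample values are assumptions made for illustration.
"""
import json
import re

# Read-only actions from step 3, grouped by the resource type they apply to.
READ_ACTIONS = {
    "account": [
        "account:apiovh:me/identity/user/get",
        "account:apiovh:me/identity/group/get",
        "account:apiovh:me/api/application/get",
        "account:apiovh:me/api/credential/get",
        "account:apiovh:me/api/oauth2/client/get",
        "account:apiovh:iam/policy/get",
    ],
    "publicCloudProject": [
        "publicCloudProject:apiovh:get",
        "publicCloudProject:apiovh:user/get",
        "publicCloudProject:apiovh:sshkey/get",
        "publicCloudProject:apiovh:instance/get",
        "publicCloudProject:apiovh:database/service/get",
    ],
    "okms": ["okms:apiovh:resource/get"],
}

# urn:v1:eu:resource:<type>:<id>
RESOURCE_URN = re.compile(r"^urn:v1:eu:resource:(?P<type>[^:]+):(?P<id>.+)$")
# The wrong prefix named under "Common problems".
WRONG_CLOUD_PREFIX = "account:apiovh:cloud/project/"


def build_policy(nic_handle, identity_urn, project_ids=(), kms_ids=()):
    """Return the JSON body for POST /v2/iam/policy: one explicit resource
    URN per account, project and KMS resource, and only the read actions
    for resource types that are actually listed."""
    resources = [f"urn:v1:eu:resource:account:{nic_handle}"]
    resources += [f"urn:v1:eu:resource:publicCloudProject:{p}" for p in project_ids]
    resources += [f"urn:v1:eu:resource:okms:{k}" for k in kms_ids]
    present = {RESOURCE_URN.match(r)["type"] for r in resources}
    allow = [{"action": a}
             for t in ("account", "publicCloudProject", "okms") if t in present
             for a in READ_ACTIONS[t]]
    return {
        "name": "tidal-control",
        "description": "Tidal Control read-only access",
        "identities": [identity_urn],
        "resources": resources,
        "permissions": {"allow": allow},
    }


def lint_policy(policy):
    """Return a list of human-readable problems, empty if the policy is clean."""
    problems = []
    resource_types = set()
    for urn in policy.get("resources", []):
        if "*" in urn:
            problems.append(f"wildcard resource {urn}: list explicit resource URNs instead")
            continue
        m = RESOURCE_URN.match(urn)
        if not m:
            problems.append(f"unrecognised resource URN {urn}")
            continue
        resource_types.add(m["type"])

    for entry in policy.get("permissions", {}).get("allow", []):
        action = entry.get("action", "")
        if action.startswith(WRONG_CLOUD_PREFIX):
            fixed = "publicCloudProject:apiovh:" + action[len(WRONG_CLOUD_PREFIX):]
            problems.append(f"{action}: cloud-project actions use the "
                            f"publicCloudProject:apiovh: prefix (did you mean {fixed}?)")
            continue
        action_type = action.split(":", 1)[0]
        if action_type not in resource_types:
            problems.append(f"{action}: no explicit {action_type} resource URN "
                            f"in the policy, so this action grants nothing")
        if not re.search(r"[:/]get$", action):
            problems.append(f"{action}: not a read action; the connector only needs get")
    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with your own before use.
    body = build_policy("hw53544-ovh",
                        "urn:v1:eu:identity:credentialOAuth2:hw53544-ovh/EU.xxxxxxxxxxxxxxxx",
                        project_ids=["0123456789abcdef"], kms_ids=[])
    print(json.dumps(body, indent=2))
    print("problems:", lint_policy(body))
```

Pipe the printed JSON into the curl call from step 3 instead of hand-editing the placeholders, and run lint_policy over a policy fetched with account:apiovh:iam/policy/get when the "Common problems" errors appear.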

Step 4: Configure the integration in Tidal Control

  • Go to Settings → Integrations in Tidal Control
  • Click the plus icon next to OVHcloud
  • Fill in the configuration:
    • Name: A descriptive name, e.g. OVHcloud
    • Client ID: The clientId from step 1 (e.g. EU.xxxxxxxxxxxxxxxx)
    • Client Secret: The clientSecret from step 1
  • Click "Create" to save the integration

Configuration fields explained

Name:

  • A descriptive name for this connection
  • For example: OVHcloud, OVHcloud Production

Client ID:

  • The clientId of the OAuth2 service account created in step 1
  • For example: EU.xxxxxxxxxxxxxxxx

Client Secret:

  • The clientSecret of the OAuth2 service account
  • Shown only once at creation; keep it secure

Info

How authentication works. The connector requests a token from https://www.ovh.com/auth/oauth2/token using HTTP Basic auth (Authorization: Basic base64(clientId:clientSecret)) with grant_type=client_credentials&scope=all, then calls the EU API base https://api.eu.ovhcloud.com.

Verification

Check integration status:

  • Settings → Integrations shows "Connected" status for OVHcloud
  • OVHcloud tests are available in the Tests section
  • Test refresh delivers results without authentication errors

Finding additional action names

If more OVHcloud endpoints need to be covered in the future, the full list of IAM action names can be retrieved from the IAM reference API:

curl -s -H "Authorization: Bearer $TOKEN" \
  "https://api.eu.ovhcloud.com/v2/iam/reference/action?resourceType=publicCloudProject" \
  | jq '.[].action'

Use resourceType=account for me/* endpoints and resourceType=okms for KMS.

Common problems

"invalid identity ... a policy can't target subusers of another account"

  • You used the wildcard resource urn:v1:eu:resource:*:*
  • Replace it with explicit resource URNs (see step 3)

"unknown action" errors

  • A cloud-project action used the wrong prefix
  • Cloud-project actions must use publicCloudProject:apiovh: (e.g. publicCloudProject:apiovh:instance/get), not account:apiovh:cloud/project/...

Authentication fails

  • Confirm the Client ID and Client Secret are correct and the OAuth2 client uses the CLIENT_CREDENTIALS flow
  • Confirm you are using the EU account (https://api.eu.ovhcloud.com)

Tests show no data for certain resource types

  • Confirm the IAM policy includes the matching action and an explicit resource URN for that resource

Still can't figure it out?

Send an email to support@tidalcontrol.com, and we'll get back to you as soon as possible.

Info

Gather support info: Note which browser you're using, exact error messages, and which steps you've already tried. This speeds up the solution considerably.
