IAM APIv1alpha1

Introduction

Identity and Access Management (IAM) allows you to share access to the management of your Scaleway resources and Organization settings, in a controlled and secure manner. With IAM, you can invite other users to your Organization, as well as create IAM applications which represent non-human users with their own API keys. You define permissions for users and applications in your Organization via highly customizable policies. Policies let you specify exactly what rights users and applications (or groups of users and applications) should have within your Organization.

Concepts

Refer to our dedicated IAM concepts page to find definitions of the different terms referring to IAM.

Quickstart

Requirements

To perform the following steps, you must first ensure that:

you have an account and are logged into the Scaleway console
you have created an API key and that the API key has sufficient IAM permissions to perform the actions described on this page.
you have installed curl

1. Configure your environment variables.

2. Create an application. Replace the parameter values in the request payload with the details of your new application.

Note: the UUIDs used in the following code examples are not real.

Parameter	Description
`name`	REQUIRED The name of your new application
`organization_id`	The ID of your Scaleway Organization
`description`	The description of your application

3. Retrieve your application ID from the response.

4. Create a policy. Replace the parameter values in the request payload with the details of your new application, including the application ID retrieved in the previous step.

Parameter	Description
`name`	REQUIRED The name of your new application
`description`	The description of your policy
`organization_id`	The ID of your Scaleway Organization
`rules`	The rules of your policy
`permission_set_names`	The permission sets you want to grant. You can either list all permission sets or find a complete list in the permission sets documentation page
`organization_id`	The ID of the Scaleway Organization where you want your permission sets to apply. You can add one as the scope of your policy
`application_id`	The ID of your application

Note: to learn more about IAM policies, refer to our dedicated IAM policies reference page.

5. Create an API key for your application.

Parameter	Description
`application_id`	The ID of your application
`expires_at`	OPTIONAL The expiration date of your API key
`default_project_id`	OPTIONAL The Project ID of your preferred Project, to use with Object Storage. If no Project ID is specified, the default project is used. Refer to the Using API Keys with Object Storage documentation page
`description`	The description of your API key

6. Retrieve your access and secret keys from the response.

Note: The secret key is only showed once. Make sure that you copy and store both keys somewhere safe.

You can now have an IAM configuration fully set up and can begin working on your Scaleway projects.

Limitations

Currently, IAM users cannot be created within Scaleway Organizations, they can only be invited to join them. Refer to the Users, groups and applications reference page to learn more about users.
Access management at ressource level is not yet available. You can currently scope the permission sets to a Project or to an Organization. Refer to the Permission sets reference page to learn more about permission sets.
Explicit deny permissions are not yet available. You can currently only explicitely allow access to different products or Organization management features.

Going Further

For more information about IAM, you can check out the following pages:

SSH Keys

An SSH Key (Secure Shell Key) allows passwordless connection to an Instance. An SSH Key is generated by creating an RSA key pair, consisting of a sensitive identification key, (aka private key) which must be stored securely, and a public key which is uploaded to the Scaleway interface.

The public key is kept in your Scaleway account and transferred to the Instance during the boot process, while the identification key is kept securely on your local computer. When connecting to the Instance via SSH, a trusted connection to the machine is established using the key pair.

List SSH keys

List SSH keys. By default, the SSH keys listed are ordered by creation date in ascending order. This can be modified via the order_by field. You can define additional parameters for your query such as organization_id, name, project_id and disabled.

GET

/iam/v1alpha1/ssh-keys

Query Parameters

order_by

string

Sort order of the SSH keys. Possible values are created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, name_asc and name_desc. The default value is created_at_asc.

page

integer

Requested page number. Value must be greater or equal to 1. The default value is 1.

page_size

integer

Number of items per page. Value must be between 1 and 100. The default value is 20.

organization_id

string

Filter by Organization ID.

name

string

Name of group to find.

project_id

string

Filter by Project ID.

disabled

boolean

Whether to include disabled SSH keys or not.

200 Response

ssh_keys

array

List of SSH keys.

total_count

integer

Total count of SSH keys.

Response Example

Create an SSH key

Add a new SSH key to a Scaleway Project. You must specify the name, public_key and project_id.

POST

/iam/v1alpha1/ssh-keys

Body

name

required string

The name of the SSH key. Max length is 1000.

public_key

required string

SSH public key. Currently only the ssh-rsa, ssh-dss (DSA), ssh-ed25519 and ecdsa keys with NIST curves are supported. Max length is 65000.

project_id

required string

Project the resource is attributed to.

Request Example

200 Response

string

ID of SSH key.

name

string

Name of SSH key.

public_key

string

Public key of SSH key.

fingerprint

string

Fingerprint of the SSH key.

created_at

nullable string

Creation date of SSH key. (RFC 3339 format).

updated_at

nullable string

Last update date of SSH key. (RFC 3339 format).

organization_id

string

ID of Organization linked to the SSH key.

project_id

string

ID of Project linked to the SSH key.

disabled

boolean

SSH key status.

Response Example

Get an SSH key

Retrieve information about a given SSH key, specified by the ssh_key_id parameter. The SSH key's full details, including id, name, public_key, and project_id are returned in the response.

GET

/iam/v1alpha1/ssh-keys/{ssh_key_id}

Path Parameters

ssh_key_id

required string

The ID of the SSH key.

200 Response

string

ID of SSH key.

name

string

Name of SSH key.

public_key

string

Public key of SSH key.

fingerprint

string

Fingerprint of the SSH key.

created_at

nullable string

Creation date of SSH key. (RFC 3339 format).

updated_at

nullable string

Last update date of SSH key. (RFC 3339 format).

organization_id

string

ID of Organization linked to the SSH key.

project_id

string

ID of Project linked to the SSH key.

disabled

boolean

SSH key status.

Response Example

Update an SSH key

Update the parameters of an SSH key, including name and disable.

PATCH

/iam/v1alpha1/ssh-keys/{ssh_key_id}

Path Parameters

ssh_key_id

required string

Body

name

nullable string

Name of the SSH key. Max length is 1000.

disabled

nullable boolean

Enable or disable the SSH key.

Request Example

200 Response

string

ID of SSH key.

name

string

Name of SSH key.

public_key

string

Public key of SSH key.

fingerprint

string

Fingerprint of the SSH key.

created_at

nullable string

Creation date of SSH key. (RFC 3339 format).

updated_at

nullable string

Last update date of SSH key. (RFC 3339 format).

organization_id

string

ID of Organization linked to the SSH key.

project_id

string

ID of Project linked to the SSH key.

disabled

boolean

SSH key status.

Response Example

Delete an SSH key

Delete a given SSH key, specified by the ssh_key_id. Deleting an SSH is permanent, and cannot be undone. Note that you might need to update any configurations that used the SSH key.

DELETE

/iam/v1alpha1/ssh-keys/{ssh_key_id}

Path Parameters

ssh_key_id

required string

204 Response

Empty response

Groups

A group (also known as an IAM group) is a grouping of users and/or applications. Creating groups allows you to attach policies to multiple users and/or applications at the same time.

List groups

List groups. By default, the groups listed are ordered by creation date in ascending order. This can be modified via the order_by field. You can define additional parameters to filter your query. Use user_ids or application_ids to list all groups certain users or applications belong to.

GET

/iam/v1alpha1/groups

Query Parameters

order_by

string

Sort order of groups. Possible values are created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, name_asc and name_desc. The default value is created_at_asc.

page

integer

Requested page number. Value must be greater or equal to 1. The default value is 1.

page_size

integer

Number of items per page. Value must be between 1 and 100. The default value is 20.

organization_id

string

Filter by Organization ID.

name

string

Name of group to find.

application_ids

array

Filter by a list of application IDs.

user_ids

array

Filter by a list of user IDs.

group_ids

array

Filter by a list of group IDs.

200 Response

groups

array

List of groups.

total_count

integer

Total count of groups.

Response Example

Create a group

Create a new group. You must define the name and organization_id parameters in the request.

POST

/iam/v1alpha1/groups

Body

organization_id

required string

ID of Organization linked to the group.

name

required string

Name of the group to create (max length is 64 chars). MUST be unique inside an Organization.

description

string

Description of the group to create (max length is 200 chars).

Request Example

200 Response

string

ID of the group.

created_at

nullable string

Date and time of group creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last group update. (RFC 3339 format).

organization_id

string

ID of Organization linked to the group.

name

string

Name of the group.

description

string

Description of the group.

user_ids

array

IDs of users attached to this group.

application_ids

array

IDs of applications attached to this group.

Response Example

Get a group

Retrive information about a given group, specified by the group_id parameter. The group's full details, including user_ids and application_ids are returned in the response.

GET

/iam/v1alpha1/groups/{group_id}

Path Parameters

group_id

required string

ID of the group.

200 Response

string

ID of the group.

created_at

nullable string

Date and time of group creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last group update. (RFC 3339 format).

organization_id

string

ID of Organization linked to the group.

name

string

Name of the group.

description

string

Description of the group.

user_ids

array

IDs of users attached to this group.

application_ids

array

IDs of applications attached to this group.

Response Example

Update a group

Update the parameters of group, including name and description.

PATCH

/iam/v1alpha1/groups/{group_id}

Path Parameters

group_id

required string

ID of the group to update.

Body

name

nullable string

New name for the group (max length is 64 chars). MUST be unique inside an Organization.

description

nullable string

New description for the group (max length is 200 chars).

Request Example

200 Response

string

ID of the group.

created_at

nullable string

Date and time of group creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last group update. (RFC 3339 format).

organization_id

string

ID of Organization linked to the group.

name

string

Name of the group.

description

string

Description of the group.

user_ids

array

IDs of users attached to this group.

application_ids

array

IDs of applications attached to this group.

Response Example

Delete a group

Delete a group. Note that this action is irreversible and could delete permissions for group members. Policies attached to users and applications via this group will no longer apply.

DELETE

/iam/v1alpha1/groups/{group_id}

Path Parameters

group_id

required string

ID of the group to delete.

204 Response

Empty response

Add a user or an application to a group

Add a user or an application to a group. You can specify a user_id and and application_id in the body of your request. Note that you can only add one of each per request.

POST

/iam/v1alpha1/groups/{group_id}/add-member

Path Parameters

group_id

required string

ID of the group.

Body

user_id

string

ID of the user to add. Only one of user_id and application_id may be set.

application_id

string

ID of the application to add. Only one of user_id and application_id may be set.

Request Example

200 Response

string

ID of the group.

created_at

nullable string

Date and time of group creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last group update. (RFC 3339 format).

organization_id

string

ID of Organization linked to the group.

name

string

Name of the group.

description

string

Description of the group.

user_ids

array

IDs of users attached to this group.

application_ids

array

IDs of applications attached to this group.

Response Example

Overwrite users and applications of a group

Overwrite users and applications configuration in a group. Any information that you add using this command will overwrite the previous configuration.

PUT

/iam/v1alpha1/groups/{group_id}/members

Path Parameters

group_id

required string

Body

user_ids

required array

application_ids

required array

Request Example

200 Response

string

ID of the group.

created_at

nullable string

Date and time of group creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last group update. (RFC 3339 format).

organization_id

string

ID of Organization linked to the group.

name

string

Name of the group.

description

string

Description of the group.

user_ids

array

IDs of users attached to this group.

application_ids

array

IDs of applications attached to this group.

Response Example

Remove a user or an application from a group

Remove a user or an application from a group. You can specify a user_id and and application_id in the body of your request. Note that you can only remove one of each per request. Removing a user from a group means that any permissions given to them via the group (i.e. from an attached policy) will no longer apply. Be sure you want to remove these permissions from the user before proceeding.

POST

/iam/v1alpha1/groups/{group_id}/remove-member

Path Parameters

group_id

required string

ID of the group.

Body

user_id

string

ID of the user to remove. Only one of user_id and application_id may be set.

application_id

string

ID of the application to remove. Only one of user_id and application_id may be set.

Request Example

200 Response

string

ID of the group.

created_at

nullable string

Date and time of group creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last group update. (RFC 3339 format).

organization_id

string

ID of Organization linked to the group.

name

string

Name of the group.

description

string

Description of the group.

user_ids

array

IDs of users attached to this group.

application_ids

array

IDs of applications attached to this group.

Response Example

API Keys

An API key is a unique identifier, used to authenticate requests made to the Scaleway API. An API key consists of an access key and a secret key. The access key is like a unique ID or username, and not a sensitive piece of information. The secret key however is more sensitive, as it is like a password to authenticate the access key.

Previously, an API key was associated with a single Scaleway Project. The API key therefore had full read/write access to all resources on this Project, and only this Project.

With IAM, an API key is now associated with an IAM user or application. This allows fine-grained access to be defined for the IAM user bearing the API key across different Organizations, Projects, and resources.

List API keys

List API keys. By default, the API keys listed are ordered by creation date in ascending order. This can be modified via the order_by field. You can define additional parameters for your query such as editable, expired, access_key and bearer_id.

GET

/iam/v1alpha1/api-keys

Query Parameters

order_by

string

Criteria for sorting results. Possible values are created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, expires_at_asc, expires_at_desc, access_key_asc and access_key_desc. The default value is created_at_asc.

page

integer

Page number. Value must be greater or equal to 1. The default value is 1.

page_size

integer

Number of results per page. Value must be between 1 and 100. The default value is 20.

organization_id

required string

ID of Organization.

application_id

deprecated string

ID of application that bears the API key. Only one of application_id and user_id may be set.

user_id

deprecated string

ID of user that bears the API key. Only one of application_id and user_id may be set.

editable

boolean

Whether to filter out editable API keys or not.

expired

boolean

Whether to filter out expired API keys or not.

access_key

string

Filter by access key.

description

string

Filter by description.

bearer_id

string

Filter by bearer ID.

bearer_type

string

Filter by type of bearer. Possible values are unknown_bearer_type, user and application. The default value is unknown_bearer_type.

200 Response

api_keys

array

List of API keys.

total_count

integer

Total count of API Keys.

Response Example

Create an API key

Create an API key. You must specify the application_id or the user_id and the description. You can also specify the default_project_id which is the Project ID of your preferred Project, to use with Object Storage. The access_key and secret_key values are returned in the response. Note that he secret key is only showed once. Make sure that you copy and store both keys somewhere safe.

POST

/iam/v1alpha1/api-keys

Body

application_id

string

ID of the application. Only one of application_id and user_id may be set.

user_id

string

ID of the user. Only one of application_id and user_id may be set.

expires_at

nullable string

Expiration date of the API key. (RFC 3339 format).

default_project_id

nullable string

The default Project ID to use with Object Storage.

description

string

The description of the API key (max length is 200 characters).

Request Example

200 Response

access_key

string

Access key of the API key.

secret_key

nullable string

Secret key of the API Key.

application_id

string

ID of application that bears the API key. Only one of application_id and user_id may be set.

user_id

string

ID of user that bears the API key. Only one of application_id and user_id may be set.

description

string

Description of API key.

created_at

nullable string

Date and time of API key creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last API key update. (RFC 3339 format).

expires_at

nullable string

Date and time of API key expiration. (RFC 3339 format).

default_project_id

string

The default Project ID specified for this API key.

editable

boolean

Whether or not the API key is editable.

creation_ip

string

IP address of the device that created the API key.

Response Example

Get an API key

Retrive information about an API key, specified by the access_key parameter. The API key's details, including either the user_id or application_id of its bearer are returned in the response. Note that the string value for the secret_key is nullable, and therefore is not displayed in the response. The secret_key value is only displayed upon API key creation.

GET

/iam/v1alpha1/api-keys/{access_key}

Path Parameters

access_key

required string

Access key to search for.

200 Response

access_key

string

Access key of the API key.

secret_key

nullable string

Secret key of the API Key.

application_id

string

ID of application that bears the API key. Only one of application_id and user_id may be set.

user_id

string

ID of user that bears the API key. Only one of application_id and user_id may be set.

description

string

Description of API key.

created_at

nullable string

Date and time of API key creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last API key update. (RFC 3339 format).

expires_at

nullable string

Date and time of API key expiration. (RFC 3339 format).

default_project_id

string

The default Project ID specified for this API key.

editable

boolean

Whether or not the API key is editable.

creation_ip

string

IP address of the device that created the API key.

Response Example

Update an API key

Update the parameters of an API key, including default_project_id and description.

PATCH

/iam/v1alpha1/api-keys/{access_key}

Path Parameters

access_key

required string

Access key to update.

Body

default_project_id

nullable string

The new default Project ID to set.

description

nullable string

The new description to update.

Request Example

200 Response

access_key

string

Access key of the API key.

secret_key

nullable string

Secret key of the API Key.

application_id

string

ID of application that bears the API key. Only one of application_id and user_id may be set.

user_id

string

ID of user that bears the API key. Only one of application_id and user_id may be set.

description

string

Description of API key.

created_at

nullable string

Date and time of API key creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last API key update. (RFC 3339 format).

expires_at

nullable string

Date and time of API key expiration. (RFC 3339 format).

default_project_id

string

The default Project ID specified for this API key.

editable

boolean

Whether or not the API key is editable.

creation_ip

string

IP address of the device that created the API key.

Response Example

Delete an API key

Delete an API key. Note that this action is irreversible and cannot be undone. Make sure you update any configurations using the API keys you delete.

DELETE

/iam/v1alpha1/api-keys/{access_key}

Path Parameters

access_key

required string

Access key to delete.

204 Response

Empty response

Users

A user (also known as an IAM user) is a human user in an Organization. They can either be the Owner of the Organization linked to their Scaleway account, or a Guest in a different Organization. Within each Organization, different IAM users can have different rights (defined through IAM policies) to perform actions on resources.

List users of an Organization

List the users of an Organization. By default, the users listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the organization_id in the query path of your request. You can also define additional parameters for your query such as user_ids.

GET

/iam/v1alpha1/users

Query Parameters

order_by

string

Criteria for sorting results. Possible values are created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, email_asc, email_desc, last_login_asc and last_login_desc. The default value is created_at_asc.

page_size

integer

Number of results per page. Value must be between 1 and 100. The default value is 20.

page

integer

Page number. Value must be greater or equal to 1. The default value is 1.

organization_id

required string

ID of the Organization to filter.

user_ids

array

Filter by list of IDs.

200 Response

users

array

List of users.

total_count

integer

Total count of users.

Response Example

Get a given user

Retrieve information about a user, specified by the user_id parameter. The user's full details, including id, email, organization_id, status and two_factor_enabled are returned in the response.

GET

/iam/v1alpha1/users/{user_id}

Path Parameters

user_id

required string

ID of the user to find.

200 Response

string

ID of user.

string

Email of user.

created_at

nullable string

Date user was created. (RFC 3339 format).

updated_at

nullable string

Date of last user update. (RFC 3339 format).

organization_id

string

ID of the Organization.

deletable

boolean

Deletion status of user. Owners cannot be deleted.

type

string

Type of user. Possible values are unknown_type, guest and owner. The default value is unknown_type.

two_factor_enabled

boolean

Whether MFA is enabled.

status

string

Status of user invitation. Possible values are unknown_status, invitation_pending and activated. The default value is unknown_status.

Response Example

Delete a guest user from an Organization

Remove a user from an Organization in which they are a guest. You must define the user_id in your request. Note that removing a user from an Organization automatically deletes their API keys, and any policies directly attached to them become orphaned.

DELETE

/iam/v1alpha1/users/{user_id}

Path Parameters

user_id

required string

ID of the user to delete.

204 Response

Empty response

Applications

An application (also known as an IAM application) is a non-human user in a Scaleway Organization. IAM applications may be used when you want to create an API key that is not linked to a user, to give programmatic access to resources.

Note that applications cannot, by definition, have access to the Scaleway console, as they have only an API key and no account themselves (they are not accounts).

List applications of an Organization

List the applications of an Organization. By default, the applications listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the organization_id in the query path of your request. You can also define additional parameters for your query such as application_ids.

GET

/iam/v1alpha1/applications

Query Parameters

order_by

string

Criteria for sorting results. Possible values are created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, name_asc and name_desc. The default value is created_at_asc.

page_size

integer

Number of results per page. Value must be between 1 and 100. The default value is 20.

page

integer

Page number. Value must be greater than 1. The default value is 1.

name

string

Name of the application to filter.

organization_id

required string

ID of the Organization to filter.

editable

boolean

Whether to filter out editable applications or not.

application_ids

array

Filter by list of IDs.

200 Response

applications

array

List of applications.

total_count

integer

Total count of applications.

Response Example

Create a new application

Create a new application. You must define the name parameter in the request.

POST

/iam/v1alpha1/applications

Body

name

required string

Name of the application to create (max length is 64 characters).

organization_id

string

ID of the Organization.

description

string

Description of the application (max length is 200 characters).

Request Example

200 Response

string

ID of the application.

name

string

Name of the application.

description

string

Description of the application.

created_at

nullable string

Date and time application was created. (RFC 3339 format).

updated_at

nullable string

Date and time of last application update. (RFC 3339 format).

organization_id

string

ID of the Organization.

editable

boolean

Whether or not the application is editable.

nb_api_keys

integer

Number of API keys attributed to the application.

Response Example

Get a given application

Retrieve information about an application, specified by the application_id parameter. The application's full details, including id, email, organization_id, status and two_factor_enabled are returned in the response.

GET

/iam/v1alpha1/applications/{application_id}

Path Parameters

application_id

required string

ID of the application to find.

200 Response

string

ID of the application.

name

string

Name of the application.

description

string

Description of the application.

created_at

nullable string

Date and time application was created. (RFC 3339 format).

updated_at

nullable string

Date and time of last application update. (RFC 3339 format).

organization_id

string

ID of the Organization.

editable

boolean

Whether or not the application is editable.

nb_api_keys

integer

Number of API keys attributed to the application.

Response Example

Update an application

Update the parameters of an application, including name and description.

PATCH

/iam/v1alpha1/applications/{application_id}

Path Parameters

application_id

required string

ID of the application to update.

Body

name

nullable string

New name for the application (max length is 64 chars).

description

nullable string

New description for the application (max length is 200 chars).

Request Example

200 Response

string

ID of the application.

name

string

Name of the application.

description

string

Description of the application.

created_at

nullable string

Date and time application was created. (RFC 3339 format).

updated_at

nullable string

Date and time of last application update. (RFC 3339 format).

organization_id

string

ID of the Organization.

editable

boolean

Whether or not the application is editable.

nb_api_keys

integer

Number of API keys attributed to the application.

Response Example

Delete an application

Delete an application. Note that this action is irreversible and will automatically delete the application's API keys. Policies attached to users and applications via this group will no longer apply.

DELETE

/iam/v1alpha1/applications/{application_id}

Path Parameters

application_id

required string

ID of the application to delete.

204 Response

Empty response

Policies

Policies control user rights, by defining one or more rules to apply to the attached principals (users, groups or applications). A policy rule has two parts:\ permission set and scope.

For each policy rule, you specify one or more permission sets (eg. “list all Instances”) and their scope (eg. “on Project A only”). This therefore defines the actions that the principles can carry out on resources within the scope.

List policies of an Organization

List the policies of an Organization. By default, the policies listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the organization_id in the query path of your request. You can also define additional parameters to filter your query, such as user_ids, groups_ids, application_ids, and policy_name.

GET

/iam/v1alpha1/policies

Query Parameters

order_by

string

Criteria for sorting results. Possible values are policy_name_asc, policy_name_desc, created_at_asc and created_at_desc. The default value is created_at_asc.

page_size

integer

Number of results per page. Value must be between 1 and 100. The default value is 20.

page

integer

Page number. Value must be greater than 1. The default value is 1.

organization_id

required string

ID of the Organization to filter.

editable

boolean

Whether or not filter out editable policies.

user_ids

array

Whether or not to filter by list of user IDs.

group_ids

array

Whether or not to filter by list of group IDs.

application_ids

array

Filter by a list of application IDs.

no_principal

boolean

Whether or not the policy is attributed to a principal.

policy_name

string

Name of the policy to fetch.

200 Response

policies

array

List of policies.

total_count

integer

Total count of policies.

Response Example

Create a new policy

Create a new application. You must define the name parameter in the request. You can specify parameters such as user_id, groups_id, application_id, no_principal, rules and its child attributes.

POST

/iam/v1alpha1/policies

Body

name

required string

Name of the policy to create (max length is 64 characters).

description

string

Description of the policy to create (max length is 200 characters).

organization_id

string

ID of the Organization.

rules

array

Rules of the policy to create.

user_id

string

ID of user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id

string

ID of group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id

string

ID of application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal

boolean

Whether or not a policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.

Request Example

200 Response

string

Id of the policy.

name

string

Name of the policy.

description

string

Description of the policy.

organization_id

string

Organization ID of the policy.

created_at

nullable string

Date and time of policy creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last policy update. (RFC 3339 format).

editable

boolean

Whether or not a policy is editable.

nb_rules

integer

Number of rules of the policy.

nb_scopes

integer

Number of policy scopes.

nb_permission_sets

integer

Number of permission sets of the policy.

user_id

string

ID of the user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id

string

ID of the group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id

string

ID of the application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal

boolean

Whether or not a policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.

Response Example

Get an existing policy

Retrieve information about a policy, speficified by the policy_id parameter. The policy's full details, including id, name, organization_id, nb_rules and nb_scopes, nb_permission_sets are returned in the response.

GET

/iam/v1alpha1/policies/{policy_id}

Path Parameters

policy_id

required string

Id of policy to search.

200 Response

string

Id of the policy.

name

string

Name of the policy.

description

string

Description of the policy.

organization_id

string

Organization ID of the policy.

created_at

nullable string

Date and time of policy creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last policy update. (RFC 3339 format).

editable

boolean

Whether or not a policy is editable.

nb_rules

integer

Number of rules of the policy.

nb_scopes

integer

Number of policy scopes.

nb_permission_sets

integer

Number of permission sets of the policy.

user_id

string

ID of the user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id

string

ID of the group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id

string

ID of the application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal

boolean

Whether or not a policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.

Response Example

Update an existing policy

Update the parameters of a policy, including name, description, user_id, group_id, application_id and no_principal.

PATCH

/iam/v1alpha1/policies/{policy_id}

Path Parameters

policy_id

required string

Id of policy to update.

Body

name

nullable string

New name for the policy (max length is 64 characters).

description

nullable string

New description of policy (max length is 200 characters).

user_id

nullable string

New ID of user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id

nullable string

New ID of group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id

nullable string

New ID of application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal

nullable boolean

Whether or not the policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.

Request Example

200 Response

string

Id of the policy.

name

string

Name of the policy.

description

string

Description of the policy.

organization_id

string

Organization ID of the policy.

created_at

nullable string

Date and time of policy creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last policy update. (RFC 3339 format).

editable

boolean

Whether or not a policy is editable.

nb_rules

integer

Number of rules of the policy.

nb_scopes

integer

Number of policy scopes.

nb_permission_sets

integer

Number of permission sets of the policy.

user_id

string

ID of the user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id

string

ID of the group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id

string

ID of the application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal

boolean

Whether or not a policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.

Response Example

Delete a policy

Delete a policy. You must define specify the policy_id parameter in your request. Note that when deleting a policy, all permissions it gives to its principal (user, group or application) will be revoked.

DELETE

/iam/v1alpha1/policies/{policy_id}

Path Parameters

policy_id

required string

Id of policy to delete.

204 Response

Empty response

Clone a policy

Clone a policy. You must define specify the policy_id parameter in your request.

POST

/iam/v1alpha1/policies/{policy_id}/clone

Path Parameters

policy_id

required string

Body

Request Example

200 Response

string

Id of the policy.

name

string

Name of the policy.

description

string

Description of the policy.

organization_id

string

Organization ID of the policy.

created_at

nullable string

Date and time of policy creation. (RFC 3339 format).

updated_at

nullable string

Date and time of last policy update. (RFC 3339 format).

editable

boolean

Whether or not a policy is editable.

nb_rules

integer

Number of rules of the policy.

nb_scopes

integer

Number of policy scopes.

nb_permission_sets

integer

Number of permission sets of the policy.

user_id

string

ID of the user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id

string

ID of the group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id

string

ID of the application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal

boolean

Whether or not a policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.

Response Example

Rules

A rule (also known as an IAM rule) is the part of a policy that defines the permissions of the policy's principal, and the scope of these permissions. A policy can have one or many rules. Each rule consists of:\

A scope, which defines where the permission sets should apply. At Scaleway, a scope can be at Project or Organization level.

Projects group your Scaleway resources (eg. Instances, Object Storage buckets, Managed Databases etc.) together. An Organization may have many Projects, or just one default Project. If you choose to define scope at Project level, you can select one, many, or all Projects. When you then define the permission sets for this scope, you can give access to different resources within the Project(s).
An Organization is made of one or several Projects. Billing, IAM, Project management and support are all managed at Organization level, so choose the Organization scope to give access to these features.

One or more permission sets (eg. "list all Instances"). A permission set consists of one or multiple permissions to perform actions on resources or features. Each permission set has a clear description, e.g. InstancesFullAccess, InstancesReadOnly, RelationalDatabasesFullAccess, BillingReadOnly.

List rules of a given policy

List the rules of a given policy. By default, the rules listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the policy_id in the query path of your request.

GET

/iam/v1alpha1/rules

Query Parameters

policy_id

required string

Id of policy to search.

page_size

integer

Number of results per page. Value must be between 1 and 100. The default value is 20.

page

integer

Page number. Value must be greater than 1. The default value is 1.

200 Response

rules

array

Rules of the policy.

total_count

integer

Total count of rules.

Response Example

Set rules of a given policy

Overwrite the rules of a given policy. Any information that you add using this command will overwrite the previous configuration. If you include some of the rules you already had in your previous configuration in your new one, but you change their order, the new order of display will apply. While policy rules are ordered, they have no impact on the access logic of IAM because rules are allow-only.

PUT

/iam/v1alpha1/rules

Body

policy_id

required string

Id of policy to update.

rules

required array

Rules of the policy to set.

Request Example

200 Response

rules

array

Rules of the policy.

Response Example

Permission sets

Permission sets are the main components of IAM rules. They consist of sets of one or multiple permissions.

Permission set names contain descriptions that clearly explain their purpose. For example, a permission set that grants access to all actions you can perform on Instances is called:\ InstancesFullAccess.

Permissions sets (eg.InstanceReadAccess) and their scope (eg. "on Project A only") make up IAM rules, which define the access rights that a principal (user, group or application) should have.

List permission sets

List permission sets available for given Organization. You must define the organization_id in the query path of your request.

GET

/iam/v1alpha1/permission-sets

Query Parameters

order_by

string

Criteria for sorting results. Possible values are name_asc, name_desc, created_at_asc and created_at_desc. The default value is created_at_asc.

page_size

integer

Number of results per page. Value must be between 1 and 100. The default value is 20.

page

integer

Page number. Value must be greater than 1. The default value is 1.

organization_id

required string

Filter by Organization ID.

200 Response

permission_sets

array

List of permission sets.

total_count

integer

Total count of permission sets.

Response Example

Quotas

Every Scaleway Organization detains a certain number of resource quotas, which are limits on the number of Scaleway resources these Organizations can use.

List all quotas in the Organization

List all product and features quota for an Organization, with their associated limits. By default, the quota listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the organization_id in the query path of your request.

GET

/iam/v1alpha1/quota

Query Parameters

order_by

string

Criteria for sorting results. Possible values are name_asc and name_desc. The default value is name_asc.

page_size

integer

Number of results per page. Value must be between 1 and 100. The default value is 20.

page

integer

Page number. Value must be greater than 1. The default value is 1.

organization_id

required string

Filter by Organization ID.

200 Response

quota

array

List of quota.

total_count

integer

Total count of quota.

Response Example

Get a quota in the Organization

Retrieve information about a resource quota, speficified by the quotum_name parameter. The quota's limit, or whether it is unlimited, is returned in the response.

GET

/iam/v1alpha1/quota/{quotum_name}

Path Parameters

quotum_name

required string

Name of the quota to get.

Query Parameters

organization_id

required string

ID of the Organization.

200 Response

name

string

Name of the quota.

limit

integer

Maximum limit of the quota. Only one of limit and unlimited may be set.

unlimited

boolean

Whether or not the quota is unlimited. Only one of limit and unlimited may be set.

Response Example

JWTs

List JWTs

GET

/iam/v1alpha1/jwts

Query Parameters

order_by

string

Criteria for sorting results. Possible values are created_at_asc, created_at_desc, updated_at_asc and updated_at_desc. The default value is created_at_asc.

audience_id

required string

ID of the user to search.

page_size

integer

Number of results per page. Value must be between 1 and 100. The default value is 20.

page

integer

Page number. Value must be greater to 1. The default value is 1.

expired

boolean

Filter out expired JWTs or not.

200 Response

jwts

array

total_count

integer

Response Example

Get a JWT

GET

/iam/v1alpha1/jwts/{jti}

Path Parameters

jti

required string

JWT ID of the JWT to get.

200 Response

jti

string

JWT ID.

issuer_id

string

ID of the user who issued the JWT.

audience_id

string

ID of the user targeted by the JWT.

created_at

nullable string

Creation date of the JWT. (RFC 3339 format).

updated_at

nullable string

Last update date of the JWT. (RFC 3339 format).

expires_at

nullable string

Expiration date of the JWT. (RFC 3339 format).

string

IP address used during the creation of the JWT. (IP address).

user_agent

string

User-agent used during the creation of the JWT.

Response Example

Delete a JWT

DELETE

/iam/v1alpha1/jwts/{jti}

Path Parameters

jti

required string

JWT ID of the JWT to delete.

204 Response

Empty response