Identity and Access Management (IAM) allows you to share access to the management of your Scaleway resources and Organization settings, in a controlled and secure manner. With IAM, you can invite other users to your Organization, as well as create IAM applications which represent non-human users with their own API keys. You define permissions for users and applications in your Organization via highly customizable policies. Policies let you specify exactly what rights users and applications (or groups of users and applications) should have within your Organization.
Refer to our dedicated IAM concepts page to find definitions of the different terms referring to IAM.
Requirements
To perform the following steps, you must first ensure that:
1. Configure your environment variables.
2. Create an application. Replace the parameter values in the request payload with the details of your new application.
Note: the UUIDs used in the following code examples are not real.
Parameter | Description |
---|---|
name | REQUIRED The name of your new application |
organization_id | The ID of your Scaleway Organization |
description | The description of your application |
3. Retrieve your application ID from the response.
4. Create a policy. Replace the parameter values in the request payload with the details of your new policy, including the application ID retrieved in the previous step.
Parameter | Description |
---|---|
name | REQUIRED The name of your new policy |
description | The description of your policy |
organization_id | The ID of your Scaleway Organization |
application_id | The ID of your application (the principal the policy is attached to) |
rules | The rules of your policy. Each rule carries the two parameters below |
rules.permission_set_names | The permission sets you want to grant. You can either list all permission sets or find a complete list in the permission sets documentation page |
rules.organization_id | The ID of the Scaleway Organization where you want your permission sets to apply. You can add one as the scope of your policy |
Note: to learn more about IAM policies, refer to our dedicated IAM policies reference page.
5. Create an API key for your application.
Parameter | Description |
---|---|
application_id | The ID of your application |
expires_at | OPTIONAL The expiration date of your API key |
default_project_id | OPTIONAL The Project ID of your preferred Project, to use with Object Storage. If no Project ID is specified, the default project is used. Refer to the Using API Keys with Object Storage documentation page |
description | The description of your API key |
6. Retrieve your access and secret keys from the response.
Note: the secret key is only shown once. Make sure that you copy and store both keys somewhere safe.
You now have an IAM configuration fully set up and can begin working on your Scaleway projects.
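Steps 2 to 6 above as one script, added here as an example (it is not Scaleway's own code). It assumes the IAM API base URL https://api.scaleway.com/iam/v1alpha1, the POST endpoints /applications, /policies and /api-keys, authentication through the X-Auth-Token header, the environment variable names SCW_SECRET_KEY and SCW_DEFAULT_ORGANIZATION_ID, and a rule scope written as either organization_id or project_ids; check each of these against the API reference before a live run. Without credentials in the environment it performs a dry run against a recording transport, which is also what makes it testable offline.

```python
"""Bootstrap an IAM application, a scoped policy and an expiring API key.

Added example, not Scaleway's own code.  Assumptions to verify against the
IAM API reference: base URL https://api.scaleway.com/iam/v1alpha1, POST
endpoints /applications, /policies and /api-keys, authentication with an
X-Auth-Token header, and a rule scope expressed as either organization_id
or project_ids.
"""
import json
import os
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

BASE_URL = "https://api.scaleway.com/iam/v1alpha1"  # assumed


def http_transport(token):
    """Real transport: POST a JSON body to BASE_URL + path, return decoded JSON."""
    def send(path, body):
        req = urllib.request.Request(
            BASE_URL + path, data=json.dumps(body).encode(), method="POST",
            headers={"X-Auth-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def recording_transport():
    """Offline transport for dry runs and tests: records every request and
    answers with constructed ids and, for /api-keys, a constructed key pair."""
    calls = []

    def send(path, body):
        calls.append((path, body))
        resp = {"id": f"fake-id-{len(calls)}"}
        if path == "/api-keys":
            resp.update(access_key="SCWFAKEACCESSKEY", secret_key="fake-secret")
        return resp
    return send, calls


def bootstrap_application(send, organization_id, name, permission_set_names,
                          project_ids=None, key_ttl_days=90, description=""):
    """Steps 2 to 6 of the procedure above, as one unit.

    Returns (application_id, policy_id, access_key, secret_key).  The secret
    key is returned exactly once and is never logged or written anywhere here.
    """
    if not permission_set_names:
        raise ValueError("a policy needs at least one permission set")
    if key_ttl_days <= 0:
        raise ValueError("API keys created here must expire")

    app = send("/applications", {"organization_id": organization_id,
                                 "name": name, "description": description})
    application_id = app["id"]

    # Scope: a list of Projects, or the whole Organization; never both.
    scope = ({"project_ids": list(project_ids)} if project_ids
             else {"organization_id": organization_id})
    policy = send("/policies", {
        "organization_id": organization_id,
        "name": f"{name}-policy",
        "description": description,
        "application_id": application_id,   # principal: this application only
        "rules": [{"permission_set_names": list(permission_set_names), **scope}],
    })

    expires_at = datetime.now(timezone.utc) + timedelta(days=key_ttl_days)
    key = send("/api-keys", {
        "application_id": application_id,
        "description": f"{name}; rotate before {expires_at.date()}",
        "expires_at": expires_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    return application_id, policy["id"], key["access_key"], key["secret_key"]


if __name__ == "__main__":
    token = os.environ.get("SCW_SECRET_KEY")          # assumed variable name
    if token:                                          # live run, step 1 done
        send = http_transport(token)
    else:                                              # no credentials: dry run
        send, _ = recording_transport()
    org = os.environ.get("SCW_DEFAULT_ORGANIZATION_ID",  # assumed variable name
                         "00000000-0000-0000-0000-000000000000")  # placeholder
    app_id, pol_id, access, secret = bootstrap_application(
        send, org, "ci-deployer", ["InstancesReadOnly"], key_ttl_days=30)
    print("application:", app_id, "policy:", pol_id, "access_key:", access)
    print("secret_key captured once; store it in your secret manager now",
          file=sys.stderr)
```

The script refuses to create a policy with no permission sets or a key without an expiry, and it prints the access key but never the secret key; move the secret into your secret manager from the returned tuple rather than through stdout.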
Currently, IAM users cannot be created within Scaleway Organizations; they can only be invited to join them. Refer to the Users, groups and applications reference page to learn more about users.
Access management at resource level is not yet available. You can currently scope the permission sets to a Project or to an Organization. Refer to the Permission sets reference page to learn more about permission sets.
Explicit deny permissions are not yet available. You can currently only explicitly allow access to different products or Organization management features.
For more information about IAM, you can check out the following pages:
An SSH Key (Secure Shell Key) allows passwordless connection to an Instance. An SSH Key is generated by creating an RSA key pair, consisting of a sensitive identification key (aka private key), which must be stored securely, and a public key, which is uploaded to the Scaleway interface.
The public key is kept in your Scaleway account and transferred to the Instance during the boot process, while the identification key is kept securely on your local computer. When connecting to the Instance via SSH, a trusted connection to the machine is established using the key pair.
List SSH keys. By default, the SSH keys listed are ordered by creation date in ascending order. This can be modified via the order_by field, which accepts created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, name_asc and name_desc (the default value is created_at_asc). You can define additional parameters for your query such as organization_id, name, project_id and disabled.
Add a new SSH key to a Scaleway Project. You must specify the name, public_key and project_id.
Retrieve information about a given SSH key, specified by the ssh_key_id parameter. The SSH key's full details, including id, name, public_key and project_id, are returned in the response.
Update the parameters of an SSH key, including name and disabled.
Delete a given SSH key, specified by the ssh_key_id parameter. Deleting an SSH key is permanent and cannot be undone. Note that you might need to update any configurations that used the SSH key.
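Before passing a key line as the public_key parameter it is worth checking that it is what you think it is: the declared type matches the encoded blob, the key type and size meet your policy, and the SHA256 fingerprint matches the one ssh-keygen showed you. The following parser and policy check is an added example, not Scaleway's own code; it reads the OpenSSH public key wire format (length-prefixed fields inside the base64 blob), and the allow-list, minimum RSA size and sample keys are constructed local choices, not Scaleway requirements.

```python
"""Validate an OpenSSH public key line before uploading it as `public_key`.

Added example, not Scaleway's own code.  Parses the OpenSSH wire format
(uint32-length-prefixed fields inside the base64 blob), applies a local
policy (allowed key types, minimum RSA modulus size) and computes the
SHA256 fingerprint OpenSSH displays.  The sample keys at the bottom are
constructed for the example and are not real credentials.
"""
import base64
import hashlib
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa"}   # local policy, not Scaleway's
MIN_RSA_BITS = 2048                          # local policy


def _read_string(blob, pos):
    """Read one uint32-length-prefixed field; return (bytes, next position)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length


def parse_public_key(line):
    """Return {'type', 'bits', 'fingerprint', 'comment'} or raise ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:           # binascii.Error is a ValueError
        raise ValueError(f"bad base64: {exc}")
    inner, pos = _read_string(blob, 0)
    if inner.decode("ascii", "replace") != declared:
        raise ValueError(f"type prefix {declared!r} does not match blob type {inner!r}")
    if declared == "ssh-rsa":
        _e, pos = _read_string(blob, pos)   # public exponent (mpint)
        n, pos = _read_string(blob, pos)    # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
    elif declared == "ssh-ed25519":
        pk, pos = _read_string(blob, pos)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    else:
        bits = None                          # type not parsed further
    if pos != len(blob):
        raise ValueError("trailing data after key material")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return {"type": declared, "bits": bits,
            "fingerprint": "SHA256:" + digest, "comment": comment}


def check_key_policy(line):
    """Return (ok, detail): detail is the fingerprint on success, else the reason."""
    try:
        info = parse_public_key(line)
    except ValueError as exc:
        return False, str(exc)
    if info["type"] not in ALLOWED_TYPES:
        return False, f"key type {info['type']} not allowed"
    if info["type"] == "ssh-rsa" and info["bits"] < MIN_RSA_BITS:
        return False, f"RSA key too small: {info['bits']} bits"
    return True, info["fingerprint"]


# --- constructed sample keys (not real credentials) -------------------------
def _mpint(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b   # mpint: pad if high bit set


def _mk(keytype, *fields):
    blob = b"".join(struct.pack(">I", len(f)) + f
                    for f in (keytype.encode(),) + fields)
    return keytype + " " + base64.b64encode(blob).decode() + " sample@example"


SAMPLE_ED25519 = _mk("ssh-ed25519", bytes(range(32)))
SAMPLE_RSA_2048 = _mk("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1))
SAMPLE_RSA_1024 = _mk("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1))

if __name__ == "__main__":
    for k in (SAMPLE_ED25519, SAMPLE_RSA_2048, SAMPLE_RSA_1024):
        print(check_key_policy(k))
```

The fingerprint is computed over the decoded blob, exactly as ssh-keygen -lf does, so you can compare it with the one printed when the key was generated; the type-prefix check catches the common paste error of a blob from one key glued to the type string of another.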
A group (also known as an IAM group) is a grouping of users and/or applications. Creating groups allows you to attach policies to multiple users and/or applications at the same time.
List groups. By default, the groups listed are ordered by creation date in ascending order. This can be modified via the order_by field, which accepts created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, name_asc and name_desc (the default value is created_at_asc). You can define additional parameters to filter your query: use user_ids or application_ids to list all groups certain users or applications belong to.
Create a new group. You must define the name and organization_id parameters in the request.
Retrieve information about a given group, specified by the group_id parameter. The group's full details, including user_ids and application_ids, are returned in the response.
Update the parameters of a group, including name and description.
Delete a group. Note that this action is irreversible and could delete permissions for group members: policies attached to users and applications via this group will no longer apply.
Add a user or an application to a group. You can specify a user_id and an application_id in the body of your request. Note that you can only add one of each per request.
Overwrite the users and applications of a group. Any information that you add using this command replaces the previous configuration, so members left out of the request are removed from the group.
Remove a user or an application from a group. You can specify a user_id and an application_id in the body of your request. Note that you can only remove one of each per request. Removing a user from a group means that any permissions given to them via the group (i.e. from an attached policy) will no longer apply. Be sure you want to remove these permissions from the user before proceeding.
An API key is a unique identifier, used to authenticate requests made to the Scaleway API. An API key consists of an access key and a secret key. The access key is like a unique ID or username, and not a sensitive piece of information. The secret key however is more sensitive, as it is like a password to authenticate the access key.
Previously, an API key was associated with a single Scaleway Project. The API key therefore had full read/write access to all resources on this Project, and only this Project.
With IAM, an API key is now associated with an IAM user or application. This allows fine-grained access to be defined for the IAM user bearing the API key across different Organizations, Projects, and resources.
List API keys. By default, the API keys listed are ordered by creation date in ascending order. This can be modified via the order_by field, which accepts created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, expires_at_asc, expires_at_desc, access_key_asc and access_key_desc (the default value is created_at_asc). Results are paginated, with a default page_size of 20. You can define additional parameters for your query such as editable, expired, access_key and bearer_id. In every API key object, only one of application_id and user_id is set: it identifies the key's bearer.
Create an API key. You must specify the application_id or the user_id (only one of the two may be set) and the description. You can also specify the default_project_id, which is the Project ID of your preferred Project, to use with Object Storage, and an expires_at date. The access_key and secret_key values are returned in the response. Note that the secret key is only shown once. Make sure that you copy and store both keys somewhere safe.
Retrieve information about an API key, specified by the access_key parameter. The API key's details, including either the user_id or the application_id of its bearer, are returned in the response. Note that the secret_key field is nullable and is not displayed in the response: the secret_key value is only displayed upon API key creation.
Update the parameters of an API key, including default_project_id and description.
Delete an API key. Note that this action is irreversible and cannot be undone. Make sure you update any configurations using the API keys you delete.
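A practical use of the List API keys response is a periodic hygiene audit: keys with no expires_at, keys already expired but not deleted, keys about to expire, keys older than your rotation period, and keys whose bearer is a human user rather than an application. The audit below is an added example, not Scaleway's own code. It works on the decoded JSON of the list response, assumed to be {"api_keys": [...]} with the field names on this page (access_key, expires_at, user_id, application_id, description) plus created_at; the thresholds and the user-versus-application rule are local policy, and the sample response is constructed.

```python
"""Audit the output of the List API keys call for expiry and rotation hygiene.

Added example, not Scaleway's own code.  Works on the decoded JSON of the
list response, assumed to be {"api_keys": [...]} with the fields named on
this page (access_key, expires_at, user_id, application_id, description)
plus created_at.  Thresholds are local policy.  The sample response is
constructed; nothing is fetched from the API.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90       # rotate keys older than this (local policy)
EXPIRY_WARNING_DAYS = 14    # warn this long before expires_at (local policy)


def parse_ts(value):
    """RFC 3339 timestamp as returned by the API -> aware datetime, or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_api_keys(api_keys, now=None):
    """Return [(access_key, finding)] sorted with the most urgent first."""
    now = now or datetime.now(timezone.utc)
    findings = []   # (severity, access_key, message); lower = more urgent
    for key in api_keys:
        ak = key["access_key"]
        expires = parse_ts(key.get("expires_at"))
        created = parse_ts(key.get("created_at"))
        if expires is None:
            findings.append((1, ak, "no expires_at set"))
        elif expires <= now:
            findings.append((0, ak, "expired; delete it"))
        elif expires - now <= timedelta(days=EXPIRY_WARNING_DAYS):
            findings.append((3, ak, f"expires in {(expires - now).days} days; rotate"))
        if created and now - created > timedelta(days=MAX_KEY_AGE_DAYS):
            findings.append((2, ak, f"older than {MAX_KEY_AGE_DAYS} days; rotate"))
        # A key bound to a human user carries that person's rights and dies
        # with their membership; automation should use an application key so
        # access is scoped and revoked independently (local policy).
        if key.get("user_id") and not key.get("application_id"):
            findings.append((4, ak, "bound to a user, not an application"))
    findings.sort(key=lambda f: (f[0], f[1]))
    return [(ak, msg) for _, ak, msg in findings]


# Constructed sample of a list response (not real keys or ids).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {"api_keys": [
    {"access_key": "SCWAAAAAAAAAAAAAAAAA", "application_id": "app-1",
     "created_at": "2024-05-01T00:00:00Z", "expires_at": "2024-12-01T00:00:00Z",
     "description": "healthy application key"},
    {"access_key": "SCWBBBBBBBBBBBBBBBBB", "user_id": "usr-1",
     "created_at": "2024-01-01T00:00:00Z", "expires_at": None,
     "description": "personal key used by a cron job"},
    {"access_key": "SCWCCCCCCCCCCCCCCCCC", "application_id": "app-2",
     "created_at": "2024-05-20T00:00:00Z", "expires_at": "2024-06-10T00:00:00Z",
     "description": "about to expire"},
    {"access_key": "SCWDDDDDDDDDDDDDDDDD", "application_id": "app-3",
     "created_at": "2023-01-01T00:00:00Z", "expires_at": "2024-05-01T00:00:00Z",
     "description": "expired and stale"},
]}

if __name__ == "__main__":
    for access_key, finding in audit_api_keys(SAMPLE_RESPONSE["api_keys"], now=NOW):
        print(f"{access_key}: {finding}")
```

Feed it the concatenation of all pages of the list call (the default page_size is 20) and act on the findings in order: expired keys are deleted, keys without expiry are replaced by ones created with expires_at, and user-bound keys driving automation are moved to an application with its own policy.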
A user (also known as an IAM user) is a human user in an Organization. They can either be the Owner of the Organization linked to their Scaleway account, or a Guest in a different Organization. Within each Organization, different IAM users can have different rights (defined through IAM policies) to perform actions on resources.
List the users of an Organization. By default, the users listed are ordered by creation date in ascending order. This can be modified via the order_by field, which accepts created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, email_asc, email_desc, last_login_asc and last_login_desc (the default value is created_at_asc). Results are paginated, with a default page_size of 20. You must define the organization_id in the query path of your request. You can also define additional parameters for your query such as user_ids.
Retrieve information about a user, specified by the user_id parameter. The user's full details, including id, email, organization_id, status and two_factor_enabled, are returned in the response. The user's type is one of unknown_type, guest and owner (the default value is unknown_type).
Remove a user from an Organization in which they are a guest. You must define the user_id in your request. Note that removing a user from an Organization automatically deletes their API keys, and any policies directly attached to them become orphaned.
An application (also known as an IAM application) is a non-human user in a Scaleway Organization. IAM applications may be used when you want to create an API key that is not linked to a user, to give programmatic access to resources.
Note that applications cannot, by definition, access the Scaleway console: they are not accounts, and their only credentials are their API keys.
List the applications of an Organization. By default, the applications listed are ordered by creation date in ascending order. This can be modified via the order_by field, which accepts created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, name_asc and name_desc (the default value is created_at_asc). Results are paginated, with a default page_size of 20. You must define the organization_id in the query path of your request. You can also define additional parameters for your query such as application_ids.
Create a new application. You must define the name parameter in the request.
Retrieve information about an application, specified by the application_id parameter. The application's full details, including id, name, description and organization_id, are returned in the response.
Update the parameters of an application, including name and description.
Delete an application. Note that this action is irreversible and will automatically delete the application's API keys. Policies attached to the application, directly or via a group, will no longer apply to it.
Policies control user rights by defining one or more rules to apply to the attached principals (users, groups or applications). A policy rule has two parts: a permission set and a scope.
For each policy rule, you specify one or more permission sets (e.g. "list all Instances") and their scope (e.g. "on Project A only"). This defines the actions that the principals can carry out on resources within the scope.
List the policies of an Organization. By default, the policies listed are ordered by creation date in ascending order. This can be modified via the order_by field, which accepts policy_name_asc, policy_name_desc, created_at_asc and created_at_desc (the default value is created_at_asc). Results are paginated, with a default page_size of 20. You must define the organization_id in the query path of your request. You can also define additional parameters to filter your query, such as user_ids, group_ids, application_ids and policy_name.
Create a new policy. You must define the name parameter in the request. You can specify parameters such as user_id, group_id, application_id, no_principal, rules and its child attributes. Only one of user_id, group_id, application_id and no_principal may be set: a policy has exactly one principal, or none.
Retrieve information about a policy, specified by the policy_id parameter. The policy's full details, including id, name, organization_id, nb_rules, nb_scopes and nb_permission_sets, are returned in the response. In the returned object, only one of user_id, group_id, application_id and no_principal is set.
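Because a policy mixes a one-of principal with a list of rules that each need a scope, it pays to check the request body locally before the Create policy call. The checker below is an added example, not Scaleway's own code. It uses the field names on this page (user_id, group_id, application_id, no_principal, rules, permission_set_names); the scope field names organization_id and project_ids are assumed and should be verified against the policies reference. Errors are things the API cannot accept, warnings are least-privilege hints; the sample bodies are constructed.

```python
"""Check a Create policy request body before sending it.

Added example, not Scaleway's own code.  Field names follow this page:
exactly one principal among user_id, group_id, application_id and
no_principal, and rules carrying permission_set_names plus a scope.  The
scope field names organization_id and project_ids are assumed; verify them
against the policies reference.  Sample bodies are constructed.
"""
PRINCIPAL_FIELDS = ("user_id", "group_id", "application_id", "no_principal")
SCOPE_FIELDS = ("organization_id", "project_ids")       # assumed names


def check_policy_request(body):
    """Return (errors, warnings), two lists of strings; no errors means send it."""
    errors, warnings = [], []
    if not body.get("name"):
        errors.append("name is required")
    principals = [f for f in PRINCIPAL_FIELDS if body.get(f)]
    if len(principals) != 1:
        errors.append("exactly one of " + ", ".join(PRINCIPAL_FIELDS)
                      + f" must be set; got {principals or 'none'}")
    elif principals == ["no_principal"]:
        warnings.append("no_principal: the policy grants nothing until a principal is attached")
    rules = body.get("rules") or []
    if not rules:
        errors.append("at least one rule is required")
    for i, rule in enumerate(rules):
        names = rule.get("permission_set_names") or []
        if not names:
            errors.append(f"rule {i}: permission_set_names is empty")
        scopes = [f for f in SCOPE_FIELDS if rule.get(f)]   # empty list = no scope
        if len(scopes) != 1:
            errors.append(f"rule {i}: exactly one scope of " + ", ".join(SCOPE_FIELDS)
                          + f" must be set; got {scopes or 'none'}")
        # IAM rules are allow-only: there is no deny to narrow a broad grant
        # later, so flag FullAccess granted across the whole Organization.
        if "organization_id" in scopes:
            for n in names:
                if n.endswith("FullAccess"):
                    warnings.append(f"rule {i}: {n} on the whole Organization; prefer project_ids")
    return errors, warnings


# Constructed request bodies (not real ids).
GOOD = {"name": "ci-read", "organization_id": "org-1", "application_id": "app-1",
        "rules": [{"permission_set_names": ["InstancesReadOnly"], "project_ids": ["prj-a"]}]}
BROAD = {"name": "admins", "organization_id": "org-1", "group_id": "grp-1",
         "rules": [{"permission_set_names": ["InstancesFullAccess", "BillingReadOnly"],
                    "organization_id": "org-1"}]}
BAD = {"name": "", "organization_id": "org-1", "user_id": "usr-1", "application_id": "app-1",
       "rules": [{"permission_set_names": [], "project_ids": []}]}

if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BROAD", BROAD), ("BAD", BAD)):
        errors, warnings = check_policy_request(body)
        print(label, "errors:", errors, "warnings:", warnings)
```

Run it in the pipeline that produces policy bodies (Terraform plan output, a GitOps repository, a deploy script) and fail the job on any error; treat the Organization-wide FullAccess warning as a review item rather than an automatic failure, since some administrative policies legitimately need it.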
Update the parameters of a policy, including name, description, user_id, group_id, application_id and no_principal. Only one of user_id, group_id, application_id and no_principal may be set.
Delete a policy. You must specify the policy_id parameter in your request. Note that when deleting a policy, all permissions it gives to its principal (user, group or application) will be revoked.
Clone a policy. You must specify the policy_id parameter in your request.
As with any policy object, only one of user_id, group_id, application_id and no_principal is set on the clone.
A rule (also known as an IAM rule) is the part of a policy that defines the permissions of the policy's principal, and the scope of these permissions. A policy can have one or many rules. Each rule consists of one or more permission sets (for example InstancesFullAccess, InstancesReadOnly, RelationalDatabasesFullAccess or BillingReadOnly) and the scope they apply to.
List the rules of a given policy. By default, the rules listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the policy_id in the query path of your request.
Overwrite the rules of a given policy. Any information that you add using this command will overwrite the previous configuration. If you include some of the rules you already had in your previous configuration in your new one, but change their order, the new order of display will apply. While policy rules are ordered, the order has no impact on the access logic of IAM, because rules are allow-only.
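The statement that rule order has no effect because rules are allow-only has a concrete consequence: the effective access of a user or application is the plain union of every rule in every policy attached to it, directly or through a group, and nothing can subtract from that union. The resolver below, an added example and not Scaleway's own code, computes that union from the objects described on this page (groups with user_ids and application_ids; policies with one principal and a list of rules). The scope field names organization_id and project_ids are assumed; the comparison of permission-set names is literal, so it does not know that, say, InstancesFullAccess also covers the read-only actions; and all data is constructed.

```python
"""Resolve the effective permission sets of a user or application.

Added example, not Scaleway's own code.  Inputs mirror the objects on this
page: groups carrying user_ids and application_ids, and policies carrying
one principal (user_id, group_id or application_id) plus rules made of
permission_set_names and a scope.  The scope field names organization_id
and project_ids are assumed.  Because rules are allow-only, effective access
is a plain union: neither rule order nor policy order can change it.
Permission-set names are compared literally.  All data is constructed.
"""
from collections import defaultdict


def groups_of(principal_id, groups):
    """Ids of the groups a user or application is a member of."""
    return {g["id"] for g in groups
            if principal_id in g.get("user_ids", ())
            or principal_id in g.get("application_ids", ())}


def effective_permissions(principal_id, policies, groups):
    """Return {("organization", id) or ("project", id): set(permission_set_names)}."""
    my_groups = groups_of(principal_id, groups)
    grants = defaultdict(set)
    for pol in policies:
        attached = (pol.get("user_id") == principal_id
                    or pol.get("application_id") == principal_id
                    or pol.get("group_id") in my_groups)
        if not attached:
            continue
        for rule in pol.get("rules", ()):
            names = set(rule.get("permission_set_names", ()))
            if rule.get("organization_id"):
                grants[("organization", rule["organization_id"])] |= names
            for pid in rule.get("project_ids", ()):
                grants[("project", pid)] |= names
    return dict(grants)


def has_permission_set(principal_id, name, project_id, organization_id, policies, groups):
    """True if `name` is granted on the Project directly or through the Organization scope."""
    grants = effective_permissions(principal_id, policies, groups)
    return (name in grants.get(("project", project_id), set())
            or name in grants.get(("organization", organization_id), set()))


# Constructed sample data (not real ids).
ORG = "org-1"
GROUPS = [{"id": "grp-dev", "user_ids": ["usr-alice"], "application_ids": ["app-ci"]}]
POLICIES = [
    {"id": "pol-1", "group_id": "grp-dev",
     "rules": [{"permission_set_names": ["InstancesReadOnly"], "project_ids": ["prj-a"]}]},
    {"id": "pol-2", "application_id": "app-ci",
     "rules": [{"permission_set_names": ["InstancesFullAccess"], "project_ids": ["prj-b"]},
               {"permission_set_names": ["BillingReadOnly"], "organization_id": ORG}]},
    {"id": "pol-3", "user_id": "usr-bob",
     "rules": [{"permission_set_names": ["RelationalDatabasesFullAccess"], "organization_id": ORG}]},
]

if __name__ == "__main__":
    for principal in ("app-ci", "usr-alice", "usr-bob"):
        print(principal, effective_permissions(principal, POLICIES, GROUPS))
```

Feed it the real list responses (all groups of the Organization, all policies) to answer "what can the bearer of this API key do?" before rotating or deleting a key, and run it again after removing a group member or deleting a policy to confirm the access you meant to revoke is gone.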
Permission sets are the main components of IAM rules. They consist of sets of one or multiple permissions.
Permission set names contain descriptions that clearly explain their purpose. For example, a permission set that grants access to all actions you can perform on Instances is called InstancesFullAccess.
Permission sets (e.g. InstancesReadOnly) and their scope (e.g. "on Project A only") make up IAM rules, which define the access rights that a principal (user, group or application) should have.
List the permission sets available for a given Organization. You must define the organization_id in the query path of your request. Results can be ordered via the order_by field, which accepts name_asc, name_desc, created_at_asc and created_at_desc (the default value is created_at_asc), and are paginated with a default page_size of 20.
Every Scaleway Organization has a certain number of resource quotas, which are limits on the number of Scaleway resources the Organization can use.
List all product and feature quotas for an Organization, with their associated limits. By default, the quotas listed are ordered by name in ascending order. This can be modified via the order_by field, which accepts name_asc and name_desc (the default value is name_asc). Results are paginated, with a default page_size of 20. You must define the organization_id in the query path of your request.
Retrieve information about a resource quota, specified by the quotum_name parameter. The quota's limit, or whether it is unlimited, is returned in the response.
order_by values: created_at_asc, created_at_desc, updated_at_asc and updated_at_desc (the default value is created_at_asc); default page_size: 20.