IAM API v1alpha1

Introduction

Identity and Access Management (IAM) allows you to share access to the management of your Scaleway resources and Organization settings, in a controlled and secure manner. With IAM, you can invite other users to your Organization, as well as create IAM applications which represent non-human users with their own API keys. You define permissions for users and applications in your Organization via highly customizable policies. Policies let you specify exactly what rights users and applications (or groups of users and applications) should have within your Organization.

Refer to our dedicated IAM concepts page to find definitions of the different terms referring to IAM.

Requirements

To perform the following steps, you must first ensure that:

1. Configure your environment variables.

2. Create an application. Replace the parameter values in the request payload with the details of your new application.

Note: the UUIDs used in the following code examples are not real.

| Parameter | Description |
| --- | --- |
| name | REQUIRED The name of your new application |
| organization_id | The ID of your Scaleway Organization |
| description | The description of your application |

3. Retrieve your application ID from the response.

4. Create a policy. Replace the parameter values in the request payload with the details of your new application, including the application ID retrieved in the previous step.

| Parameter | Description |
| --- | --- |
| name | REQUIRED The name of your new application |
| description | The description of your policy |
| organization_id | The ID of your Scaleway Organization |
| rules | The rules of your policy |
| permission_set_names | The permission sets you want to grant. You can either list all permission sets or find a complete list in the permission sets documentation page |
| organization_id | The ID of the Scaleway Organization where you want your permission sets to apply. You can add one as the scope of your policy |
| application_id | The ID of your application |

Note: to learn more about IAM policies, refer to our dedicated IAM policies reference page.

5. Create an API key for your application.

| Parameter | Description |
| --- | --- |
| application_id | The ID of your application |
| expires_at | OPTIONAL The expiration date of your API key |
| default_project_id | OPTIONAL The Project ID of your preferred Project, to use with Object Storage. If no Project ID is specified, the default project is used. Refer to the Using API Keys with Object Storage documentation page |
| description | The description of your API key |

6. Retrieve your access and secret keys from the response.

Note: The secret key is only shown once. Make sure that you copy and store both keys somewhere safe.

You now have an IAM configuration fully set up and can begin working on your Scaleway projects.
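Steps 2 to 6 chained together, as an added example that is not part of the original page or of Scaleway's own code. The `send` transport, the `FakeAPI` stand-in, the UUIDs, the application and policy names, and the `ObjectStorageReadOnly` permission set name are assumptions made for illustration; the paths, body fields and length limits are the ones documented on this page.

```python
from datetime import datetime, timedelta, timezone

# Constructed identifiers, not real UUIDs.
ORG_ID = "00000000-0000-4000-8000-000000000001"
APP_ID = "00000000-0000-4000-8000-000000000002"
POLICY_ID = "00000000-0000-4000-8000-000000000003"


def check_text(field, value, max_len, required=False):
    """Enforce the length limits the API reference documents."""
    if not value:
        if required:
            raise ValueError(f"{field} is required")
        return
    if len(value) > max_len:
        raise ValueError(f"{field} is longer than {max_len} characters")


def application_body(name, organization_id, description=""):
    check_text("name", name, 64, required=True)
    check_text("description", description, 200)
    return {"name": name, "organization_id": organization_id,
            "description": description}


def policy_body(name, organization_id, application_id, permission_set_names,
                description=""):
    check_text("name", name, 64, required=True)
    check_text("description", description, 200)
    if not permission_set_names:
        raise ValueError("a rule needs at least one permission set")
    return {
        "name": name,
        "description": description,
        "organization_id": organization_id,
        # One rule: the permission sets, scoped to the Organization.
        "rules": [{"permission_set_names": list(permission_set_names),
                   "organization_id": organization_id}],
        # Exactly one principal: the application created in step 2.
        "application_id": application_id,
    }


def api_key_body(application_id, description, now, lifetime,
                 default_project_id=None):
    check_text("description", description, 200)
    expires = (now + lifetime).astimezone(timezone.utc)
    body = {"application_id": application_id, "description": description,
            "expires_at": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}  # RFC 3339
    if default_project_id:
        body["default_project_id"] = default_project_id
    return body


def bootstrap(send, organization_id, now, permission_set_names,
              key_lifetime=timedelta(days=90)):
    """Run steps 2 to 6. send(method, path, body) -> dict is the caller's
    authenticated HTTP transport (hypothetical; not defined by the page)."""
    app = send("POST", "/iam/v1alpha1/applications",
               application_body("ci-runner", organization_id, "CI pipeline"))
    policy = send("POST", "/iam/v1alpha1/policies",
                  policy_body("ci-runner-policy", organization_id, app["id"],
                              permission_set_names))
    key = send("POST", "/iam/v1alpha1/api-keys",
               api_key_body(app["id"], "CI pipeline key", now, key_lifetime))
    # secret_key is only returned by this creation call: pass it straight to
    # a secret store and never write it to logs.
    return {"application_id": app["id"], "policy_id": policy["id"],
            "access_key": key["access_key"], "secret_key": key["secret_key"]}


class FakeAPI:
    """Offline stand-in for the API that returns constructed responses."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if path.endswith("/applications"):
            return dict(body, id=APP_ID)
        if path.endswith("/policies"):
            return {"id": POLICY_ID, "name": body["name"],
                    "application_id": body["application_id"]}
        return dict(body, access_key="SCWCONSTRUCTEDKEY0001",
                    secret_key="constructed-secret-not-real")


if __name__ == "__main__":
    api = FakeAPI()
    result = bootstrap(api, ORG_ID, datetime(2024, 6, 1, tzinfo=timezone.utc),
                       ["ObjectStorageReadOnly"])  # illustrative set name
    for method, path, body in api.calls:
        print(method, path, body)
    print({k: v for k, v in result.items() if k != "secret_key"})
```

Setting `expires_at` on every application key keeps a leaked key from staying valid indefinitely; the 90-day default here is an arbitrary choice for the example.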

  • Currently, IAM users cannot be created within Scaleway Organizations; they can only be invited to join them. Refer to the Users, groups and applications reference page to learn more about users.

  • Access management at resource level is not yet available. You can currently scope the permission sets to a Project or to an Organization. Refer to the Permission sets reference page to learn more about permission sets.

  • Explicit deny permissions are not yet available. You can currently only explicitly allow access to different products or Organization management features.

An SSH Key (Secure Shell Key) allows passwordless connection to an Instance. An SSH Key is generated by creating an RSA key pair, consisting of a sensitive identification key (also known as the private key), which must be stored securely, and a public key, which is uploaded to the Scaleway interface.

The public key is kept in your Scaleway account and transferred to the Instance during the boot process, while the identification key is kept securely on your local computer. When connecting to the Instance via SSH, a trusted connection to the machine is established using the key pair.

List SSH keys

List SSH keys. By default, the SSH keys listed are ordered by creation date in ascending order. This can be modified via the order_by field. You can define additional parameters for your query such as organization_id, name, project_id and disabled.

GET
/iam/v1alpha1/ssh-keys
Query Parameters

order_by
string
Sort order of the SSH keys. Possible values are created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, name_asc and name_desc. The default value is created_at_asc.

page
integer
Requested page number. Value must be greater or equal to 1. The default value is 1.

page_size
integer
Number of items per page. Value must be between 1 and 100. The default value is 20.

organization_id
string
Filter by Organization ID.

name
string
Name of group to find.

project_id
string
Filter by Project ID.

disabled
boolean
Whether to include disabled SSH keys or not.
200 Response

ssh_keys
array
List of SSH keys.

total_count
integer
Total count of SSH keys.
Response Example

Add a new SSH key to a Scaleway Project. You must specify the name, public_key and project_id.

POST
/iam/v1alpha1/ssh-keys
Body

name
required string
The name of the SSH key. Max length is 1000.

public_key
required string
SSH public key. Currently only the ssh-rsa, ssh-dss (DSA), ssh-ed25519 and ecdsa keys with NIST curves are supported. Max length is 65000.

project_id
required string
Project the resource is attributed to.
Request Example
200 Response

id
string
ID of SSH key.

name
string
Name of SSH key.

public_key
string
Public key of SSH key.

fingerprint
string
Fingerprint of the SSH key.

created_at
nullable string
Creation date of SSH key. (RFC 3339 format).

updated_at
nullable string
Last update date of SSH key. (RFC 3339 format).

organization_id
string
ID of Organization linked to the SSH key.

project_id
string
ID of Project linked to the SSH key.

disabled
boolean
SSH key status.
Response Example

Retrieve information about a given SSH key, specified by the ssh_key_id parameter. The SSH key's full details, including id, name, public_key, and project_id are returned in the response.

GET
/iam/v1alpha1/ssh-keys/{ssh_key_id}
Path Parameters

ssh_key_id
required string
The ID of the SSH key.
200 Response

id
string
ID of SSH key.

name
string
Name of SSH key.

public_key
string
Public key of SSH key.

fingerprint
string
Fingerprint of the SSH key.

created_at
nullable string
Creation date of SSH key. (RFC 3339 format).

updated_at
nullable string
Last update date of SSH key. (RFC 3339 format).

organization_id
string
ID of Organization linked to the SSH key.

project_id
string
ID of Project linked to the SSH key.

disabled
boolean
SSH key status.
Response Example

Update the parameters of an SSH key, including name and disabled.

PATCH
/iam/v1alpha1/ssh-keys/{ssh_key_id}
Path Parameters

ssh_key_id
required string
Body

name
nullable string
Name of the SSH key. Max length is 1000.

disabled
nullable boolean
Enable or disable the SSH key.
Request Example
200 Response

id
string
ID of SSH key.

name
string
Name of SSH key.

public_key
string
Public key of SSH key.

fingerprint
string
Fingerprint of the SSH key.

created_at
nullable string
Creation date of SSH key. (RFC 3339 format).

updated_at
nullable string
Last update date of SSH key. (RFC 3339 format).

organization_id
string
ID of Organization linked to the SSH key.

project_id
string
ID of Project linked to the SSH key.

disabled
boolean
SSH key status.
Response Example

Delete a given SSH key, specified by the ssh_key_id. Deleting an SSH key is permanent and cannot be undone. Note that you might need to update any configurations that used the SSH key.

DELETE
/iam/v1alpha1/ssh-keys/{ssh_key_id}
Path Parameters

ssh_key_id
required string
204 Response

Empty response

A group (also known as an IAM group) is a grouping of users and/or applications. Creating groups allows you to attach policies to multiple users and/or applications at the same time.

List groups. By default, the groups listed are ordered by creation date in ascending order. This can be modified via the order_by field. You can define additional parameters to filter your query. Use user_ids or application_ids to list all groups certain users or applications belong to.

GET
/iam/v1alpha1/groups
Query Parameters

order_by
string
Sort order of groups. Possible values are created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, name_asc and name_desc. The default value is created_at_asc.

page
integer
Requested page number. Value must be greater or equal to 1. The default value is 1.

page_size
integer
Number of items per page. Value must be between 1 and 100. The default value is 20.

organization_id
string
Filter by Organization ID.

name
string
Name of group to find.

application_ids
array
Filter by a list of application IDs.

user_ids
array
Filter by a list of user IDs.

group_ids
array
Filter by a list of group IDs.
200 Response

groups
array
List of groups.

total_count
integer
Total count of groups.
Response Example

Create a new group. You must define the name and organization_id parameters in the request.

POST
/iam/v1alpha1/groups
Body

organization_id
required string
ID of Organization linked to the group.

name
required string
Name of the group to create (max length is 64 chars). MUST be unique inside an Organization.

description
string
Description of the group to create (max length is 200 chars).
Request Example
200 Response

id
string
ID of the group.

created_at
nullable string
Date and time of group creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last group update. (RFC 3339 format).

organization_id
string
ID of Organization linked to the group.

name
string
Name of the group.

description
string
Description of the group.

user_ids
array
IDs of users attached to this group.

application_ids
array
IDs of applications attached to this group.
Response Example

Retrieve information about a given group, specified by the group_id parameter. The group's full details, including user_ids and application_ids, are returned in the response.

GET
/iam/v1alpha1/groups/{group_id}
Path Parameters

group_id
required string
ID of the group.
200 Response

id
string
ID of the group.

created_at
nullable string
Date and time of group creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last group update. (RFC 3339 format).

organization_id
string
ID of Organization linked to the group.

name
string
Name of the group.

description
string
Description of the group.

user_ids
array
IDs of users attached to this group.

application_ids
array
IDs of applications attached to this group.
Response Example

Update the parameters of a group, including name and description.

PATCH
/iam/v1alpha1/groups/{group_id}
Path Parameters

group_id
required string
ID of the group to update.
Body

name
nullable string
New name for the group (max length is 64 chars). MUST be unique inside an Organization.

description
nullable string
New description for the group (max length is 200 chars).
Request Example
200 Response

id
string
ID of the group.

created_at
nullable string
Date and time of group creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last group update. (RFC 3339 format).

organization_id
string
ID of Organization linked to the group.

name
string
Name of the group.

description
string
Description of the group.

user_ids
array
IDs of users attached to this group.

application_ids
array
IDs of applications attached to this group.
Response Example

Delete a group. Note that this action is irreversible and could delete permissions for group members. Policies attached to users and applications via this group will no longer apply.

DELETE
/iam/v1alpha1/groups/{group_id}
Path Parameters

group_id
required string
ID of the group to delete.
204 Response

Empty response

Add a user or an application to a group. You can specify a user_id and an application_id in the body of your request. Note that you can only add one of each per request.

POST
/iam/v1alpha1/groups/{group_id}/add-member
Path Parameters

group_id
required string
ID of the group.
Body

user_id
string
ID of the user to add. Only one of user_id and application_id may be set.

application_id
string
ID of the application to add. Only one of user_id and application_id may be set.
Request Example
200 Response

id
string
ID of the group.

created_at
nullable string
Date and time of group creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last group update. (RFC 3339 format).

organization_id
string
ID of Organization linked to the group.

name
string
Name of the group.

description
string
Description of the group.

user_ids
array
IDs of users attached to this group.

application_ids
array
IDs of applications attached to this group.
Response Example

Overwrite users and applications configuration in a group. Any information that you add using this command will overwrite the previous configuration.

PUT
/iam/v1alpha1/groups/{group_id}/members
Path Parameters

group_id
required string
Body

user_ids
required array

application_ids
required array
Request Example
200 Response

id
string
ID of the group.

created_at
nullable string
Date and time of group creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last group update. (RFC 3339 format).

organization_id
string
ID of Organization linked to the group.

name
string
Name of the group.

description
string
Description of the group.

user_ids
array
IDs of users attached to this group.

application_ids
array
IDs of applications attached to this group.
Response Example

Remove a user or an application from a group. You can specify a user_id and an application_id in the body of your request. Note that you can only remove one of each per request. Removing a user from a group means that any permissions given to them via the group (i.e. from an attached policy) will no longer apply. Be sure you want to remove these permissions from the user before proceeding.

POST
/iam/v1alpha1/groups/{group_id}/remove-member
Path Parameters

group_id
required string
ID of the group.
Body

user_id
string
ID of the user to remove. Only one of user_id and application_id may be set.

application_id
string
ID of the application to remove. Only one of user_id and application_id may be set.
Request Example
200 Response

id
string
ID of the group.

created_at
nullable string
Date and time of group creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last group update. (RFC 3339 format).

organization_id
string
ID of Organization linked to the group.

name
string
Name of the group.

description
string
Description of the group.

user_ids
array
IDs of users attached to this group.

application_ids
array
IDs of applications attached to this group.
Response Example

An API key is a unique identifier, used to authenticate requests made to the Scaleway API. An API key consists of an access key and a secret key. The access key is like a unique ID or username, and is not a sensitive piece of information. The secret key, however, is more sensitive, as it is like a password to authenticate the access key.

Previously, an API key was associated with a single Scaleway Project. The API key therefore had full read/write access to all resources on this Project, and only this Project.

With IAM, an API key is now associated with an IAM user or application. This allows fine-grained access to be defined for the IAM user bearing the API key across different Organizations, Projects, and resources.

List API keys. By default, the API keys listed are ordered by creation date in ascending order. This can be modified via the order_by field. You can define additional parameters for your query such as editable, expired, access_key and bearer_id.

GET
/iam/v1alpha1/api-keys
Query Parameters

order_by
string
Criteria for sorting results. Possible values are created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, expires_at_asc, expires_at_desc, access_key_asc and access_key_desc. The default value is created_at_asc.

page
integer
Page number. Value must be greater or equal to 1. The default value is 1.

page_size
integer
Number of results per page. Value must be between 1 and 100. The default value is 20.

organization_id
required string
ID of Organization.

application_id
deprecated string
ID of application that bears the API key. Only one of application_id and user_id may be set.

user_id
deprecated string
ID of user that bears the API key. Only one of application_id and user_id may be set.

editable
boolean
Whether to filter out editable API keys or not.

expired
boolean
Whether to filter out expired API keys or not.

access_key
string
Filter by access key.

description
string
Filter by description.

bearer_id
string
Filter by bearer ID.

bearer_type
string
Filter by type of bearer. Possible values are unknown_bearer_type, user and application. The default value is unknown_bearer_type.
200 Response

api_keys
array
List of API keys.

total_count
integer
Total count of API Keys.
Response Example

Create an API key. You must specify the application_id or the user_id and the description. You can also specify the default_project_id, which is the Project ID of your preferred Project, to use with Object Storage. The access_key and secret_key values are returned in the response. Note that the secret key is only shown once. Make sure that you copy and store both keys somewhere safe.

POST
/iam/v1alpha1/api-keys
Body

application_id
string
ID of the application. Only one of application_id and user_id may be set.

user_id
string
ID of the user. Only one of application_id and user_id may be set.

expires_at
nullable string
Expiration date of the API key. (RFC 3339 format).

default_project_id
nullable string
The default Project ID to use with Object Storage.

description
string
The description of the API key (max length is 200 characters).
Request Example
200 Response

access_key
string
Access key of the API key.

secret_key
nullable string
Secret key of the API Key.

application_id
string
ID of application that bears the API key. Only one of application_id and user_id may be set.

user_id
string
ID of user that bears the API key. Only one of application_id and user_id may be set.

description
string
Description of API key.

created_at
nullable string
Date and time of API key creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last API key update. (RFC 3339 format).

expires_at
nullable string
Date and time of API key expiration. (RFC 3339 format).

default_project_id
string
The default Project ID specified for this API key.

editable
boolean
Whether or not the API key is editable.

creation_ip
string
IP address of the device that created the API key.
Response Example

Retrieve information about an API key, specified by the access_key parameter. The API key's details, including either the user_id or application_id of its bearer, are returned in the response. Note that the string value for the secret_key is nullable, and therefore is not displayed in the response. The secret_key value is only displayed upon API key creation.

GET
/iam/v1alpha1/api-keys/{access_key}
Path Parameters

access_key
required string
Access key to search for.
200 Response

access_key
string
Access key of the API key.

secret_key
nullable string
Secret key of the API Key.

application_id
string
ID of application that bears the API key. Only one of application_id and user_id may be set.

user_id
string
ID of user that bears the API key. Only one of application_id and user_id may be set.

description
string
Description of API key.

created_at
nullable string
Date and time of API key creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last API key update. (RFC 3339 format).

expires_at
nullable string
Date and time of API key expiration. (RFC 3339 format).

default_project_id
string
The default Project ID specified for this API key.

editable
boolean
Whether or not the API key is editable.

creation_ip
string
IP address of the device that created the API key.
Response Example

Update the parameters of an API key, including default_project_id and description.

PATCH
/iam/v1alpha1/api-keys/{access_key}
Path Parameters

access_key
required string
Access key to update.
Body

default_project_id
nullable string
The new default Project ID to set.

description
nullable string
The new description to update.
Request Example
200 Response

access_key
string
Access key of the API key.

secret_key
nullable string
Secret key of the API Key.

application_id
string
ID of application that bears the API key. Only one of application_id and user_id may be set.

user_id
string
ID of user that bears the API key. Only one of application_id and user_id may be set.

description
string
Description of API key.

created_at
nullable string
Date and time of API key creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last API key update. (RFC 3339 format).

expires_at
nullable string
Date and time of API key expiration. (RFC 3339 format).

default_project_id
string
The default Project ID specified for this API key.

editable
boolean
Whether or not the API key is editable.

creation_ip
string
IP address of the device that created the API key.
Response Example

Delete an API key. Note that this action is irreversible and cannot be undone. Make sure you update any configurations using the API keys you delete.

DELETE
/iam/v1alpha1/api-keys/{access_key}
Path Parameters

access_key
required string
Access key to delete.
204 Response

Empty response

A user (also known as an IAM user) is a human user in an Organization. They can either be the Owner of the Organization linked to their Scaleway account, or a Guest in a different Organization. Within each Organization, different IAM users can have different rights (defined through IAM policies) to perform actions on resources.

List the users of an Organization. By default, the users listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the organization_id in the query path of your request. You can also define additional parameters for your query such as user_ids.

GET
/iam/v1alpha1/users
Query Parameters

order_by
string
Criteria for sorting results. Possible values are created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, email_asc, email_desc, last_login_asc and last_login_desc. The default value is created_at_asc.

page_size
integer
Number of results per page. Value must be between 1 and 100. The default value is 20.

page
integer
Page number. Value must be greater or equal to 1. The default value is 1.

organization_id
required string
ID of the Organization to filter.

user_ids
array
Filter by list of IDs.
200 Response

users
array
List of users.

total_count
integer
Total count of users.
Response Example

Retrieve information about a user, specified by the user_id parameter. The user's full details, including id, email, organization_id, status and two_factor_enabled are returned in the response.

GET
/iam/v1alpha1/users/{user_id}
Path Parameters

user_id
required string
ID of the user to find.
200 Response

id
string
ID of user.

email
string
Email of user.

created_at
nullable string
Date user was created. (RFC 3339 format).

updated_at
nullable string
Date of last user update. (RFC 3339 format).

organization_id
string
ID of the Organization.

deletable
boolean
Deletion status of user. Owners cannot be deleted.

last_login_at
nullable string
Date of the last login. (RFC 3339 format).

type
string
Type of user. Possible values are unknown_type, guest and owner. The default value is unknown_type.

two_factor_enabled
boolean
Whether MFA is enabled.

status
string
Status of user invitation. Possible values are unknown_status, invitation_pending and activated. The default value is unknown_status.
Response Example

Remove a user from an Organization in which they are a guest. You must define the user_id in your request. Note that removing a user from an Organization automatically deletes their API keys, and any policies directly attached to them become orphaned.

DELETE
/iam/v1alpha1/users/{user_id}
Path Parameters

user_id
required string
ID of the user to delete.
204 Response

Empty response
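A credential hygiene check built on the list endpoints for API keys and users described above, as an added example that is not part of the original page or of Scaleway's own code. The `fetch_page` transport, the sample rows, the identifiers and the 30-day warning window are constructed for illustration; the paths, query parameters and response fields are the ones documented on this page.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample
ORG_ID = "00000000-0000-4000-8000-000000000001"  # constructed, not a real ID

# Constructed sample rows using the response fields documented above.
SAMPLE = {
    "/iam/v1alpha1/api-keys": ("api_keys", [
        {"access_key": "SCWCONSTRUCTED0000001", "application_id": "app-a",
         "expires_at": None},
        {"access_key": "SCWCONSTRUCTED0000002", "user_id": "user-b",
         "expires_at": "2024-05-01T00:00:00Z"},
        {"access_key": "SCWCONSTRUCTED0000003", "application_id": "app-a",
         "expires_at": "2024-06-15T00:00:00Z"},
        {"access_key": "SCWCONSTRUCTED0000004", "user_id": "user-c",
         "expires_at": "2025-01-01T00:00:00Z"},
    ]),
    "/iam/v1alpha1/users": ("users", [
        {"email": "alice@example.com", "type": "owner",
         "two_factor_enabled": True, "status": "activated"},
        {"email": "bob@example.com", "type": "guest",
         "two_factor_enabled": False, "status": "activated"},
        {"email": "carol@example.com", "type": "guest",
         "two_factor_enabled": False, "status": "invitation_pending"},
    ]),
}


def fake_fetch_page(path, params):
    """Offline stand-in for one GET request; slices the constructed rows."""
    key, rows = SAMPLE[path]
    start = (params["page"] - 1) * params["page_size"]
    return {key: rows[start:start + params["page_size"]],
            "total_count": len(rows)}


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp as returned by the API; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def list_all(fetch_page, path, key, page_size=100, **filters):
    """Walk page/page_size until total_count items have been collected.

    fetch_page(path, params) -> dict is the caller's authenticated transport
    (hypothetical; not defined by the page).
    """
    items, page = [], 1
    while True:
        body = fetch_page(path, dict(filters, page=page, page_size=page_size))
        items.extend(body[key])
        if not body[key] or len(items) >= body["total_count"]:
            return items
        page += 1


def audit_api_keys(api_keys, now, warn_within=timedelta(days=30)):
    """Flag keys that never expire, are expired, or are close to expiring."""
    findings = []
    for k in api_keys:
        bearer = k.get("application_id") or k.get("user_id") or "unknown"
        expires = parse_rfc3339(k.get("expires_at"))
        if expires is None:
            reason = "no expiration date"
        elif expires <= now:
            reason = "expired"
        elif expires - now <= warn_within:
            reason = "expires within warning window"
        else:
            continue
        findings.append((k["access_key"], bearer, reason))
    return findings


def audit_users(users):
    """Flag pending invitations and activated users without MFA."""
    findings = []
    for u in users:
        if u["status"] == "invitation_pending":
            findings.append((u["email"], "invitation still pending"))
        elif not u["two_factor_enabled"]:
            findings.append((u["email"], f"{u['type']} without MFA"))
    return findings


def run_audit(fetch_page, organization_id, now, page_size=100):
    keys = list_all(fetch_page, "/iam/v1alpha1/api-keys", "api_keys",
                    page_size, organization_id=organization_id)
    users = list_all(fetch_page, "/iam/v1alpha1/users", "users",
                     page_size, organization_id=organization_id)
    return audit_api_keys(keys, now), audit_users(users)


if __name__ == "__main__":
    for finding in sum(run_audit(fake_fetch_page, ORG_ID, NOW, 2), []):
        print(finding)
```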

An application (also known as an IAM application) is a non-human user in a Scaleway Organization. IAM applications may be used when you want to create an API key that is not linked to a user, to give programmatic access to resources.

Note that applications cannot, by definition, have access to the Scaleway console, as they have only an API key and no account themselves (they are not accounts).

List the applications of an Organization. By default, the applications listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the organization_id in the query path of your request. You can also define additional parameters for your query such as application_ids.

GET
/iam/v1alpha1/applications
Query Parameters

order_by
string
Criteria for sorting results. Possible values are created_at_asc, created_at_desc, updated_at_asc, updated_at_desc, name_asc and name_desc. The default value is created_at_asc.

page_size
integer
Number of results per page. Value must be between 1 and 100. The default value is 20.

page
integer
Page number. Value must be greater than 1. The default value is 1.

name
string
Name of the application to filter.

organization_id
required string
ID of the Organization to filter.

editable
boolean
Whether to filter out editable applications or not.

application_ids
array
Filter by list of IDs.
200 Response

applications
array
List of applications.

total_count
integer
Total count of applications.
Response Example

Create a new application. You must define the name parameter in the request.

POST
/iam/v1alpha1/applications
Body

name
required string
Name of the application to create (max length is 64 characters).

organization_id
string
ID of the Organization.

description
string
Description of the application (max length is 200 characters).
Request Example
200 Response

id
string
ID of the application.

name
string
Name of the application.

description
string
Description of the application.

created_at
nullable string
Date and time application was created. (RFC 3339 format).

updated_at
nullable string
Date and time of last application update. (RFC 3339 format).

organization_id
string
ID of the Organization.

editable
boolean
Whether or not the application is editable.

nb_api_keys
integer
Number of API keys attributed to the application.
Response Example

Retrieve information about an application, specified by the application_id parameter. The application's full details, including id, email, organization_id, status and two_factor_enabled are returned in the response.

GET
/iam/v1alpha1/applications/{application_id}
Path Parameters

application_id
required string
ID of the application to find.
200 Response

id
string
ID of the application.

name
string
Name of the application.

description
string
Description of the application.

created_at
nullable string
Date and time application was created. (RFC 3339 format).

updated_at
nullable string
Date and time of last application update. (RFC 3339 format).

organization_id
string
ID of the Organization.

editable
boolean
Whether or not the application is editable.

nb_api_keys
integer
Number of API keys attributed to the application.
Response Example

Update the parameters of an application, including name and description.

PATCH
/iam/v1alpha1/applications/{application_id}
Path Parameters

application_id
required string
ID of the application to update.
Body

name
nullable string
New name for the application (max length is 64 chars).

description
nullable string
New description for the application (max length is 200 chars).
Request Example
200 Response

id
string
ID of the application.

name
string
Name of the application.

description
string
Description of the application.

created_at
nullable string
Date and time application was created. (RFC 3339 format).

updated_at
nullable string
Date and time of last application update. (RFC 3339 format).

organization_id
string
ID of the Organization.

editable
boolean
Whether or not the application is editable.

nb_api_keys
integer
Number of API keys attributed to the application.
Response Example

Delete an application. Note that this action is irreversible and will automatically delete the application's API keys. Policies attached to users and applications via this group will no longer apply.

DELETE
/iam/v1alpha1/applications/{application_id}
Path Parameters

application_id
required string
ID of the application to delete.
204 Response

Empty response

Policies control user rights, by defining one or more rules to apply to the attached principals (users, groups or applications). A policy rule has two parts: permission set and scope.

For each policy rule, you specify one or more permission sets (e.g. “list all Instances”) and their scope (e.g. “on Project A only”). This therefore defines the actions that the principals can carry out on resources within the scope.

List the policies of an Organization. By default, the policies listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the organization_id in the query path of your request. You can also define additional parameters to filter your query, such as user_ids, group_ids, application_ids, and policy_name.

GET
/iam/v1alpha1/policies
Query Parameters

order_by
string
Criteria for sorting results. Possible values are policy_name_asc, policy_name_desc, created_at_asc and created_at_desc. The default value is created_at_asc.

page_size
integer
Number of results per page. Value must be between 1 and 100. The default value is 20.

page
integer
Page number. Value must be greater than 1. The default value is 1.

organization_id
required string
ID of the Organization to filter.

editable
boolean
Whether or not to filter out editable policies.

user_ids
array
Whether or not to filter by list of user IDs.

group_ids
array
Whether or not to filter by list of group IDs.

application_ids
array
Filter by a list of application IDs.

no_principal
boolean
Whether or not the policy is attributed to a principal.

policy_name
string
Name of the policy to fetch.
200 Response

policies
array
List of policies.

total_count
integer
Total count of policies.
Response Example

Create a new application. You must define the name parameter in the request. You can specify parameters such as user_id, group_id, application_id, no_principal, rules and its child attributes.

POST
/iam/v1alpha1/policies
Body

name
required string
Name of the policy to create (max length is 64 characters).

description
string
Description of the policy to create (max length is 200 characters).

organization_id
string
ID of the Organization.

rules
array
Rules of the policy to create.

user_id
string
ID of user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id
string
ID of group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id
string
ID of application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal
boolean
Whether or not a policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.
Request Example
200 Response

id
string
ID of the policy.

name
string
Name of the policy.

description
string
Description of the policy.

organization_id
string
Organization ID of the policy.

created_at
nullable string
Date and time of policy creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last policy update. (RFC 3339 format).

editable
boolean
Whether or not a policy is editable.

nb_rules
integer
Number of rules of the policy.

nb_scopes
integer
Number of policy scopes.

nb_permission_sets
integer
Number of permission sets of the policy.

user_id
string
ID of the user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id
string
ID of the group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id
string
ID of the application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal
boolean
Whether or not a policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.
Response Example
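The body constraints listed above can be checked client-side before the request is sent. This is an added example, not Scaleway's own code: `check_policy_body` is a hypothetical helper, the sample bodies are constructed, and "only one ... may be set" is read as "at most one field present and non-null".

```python
NAME_MAX, DESCRIPTION_MAX = 64, 200  # limits stated for the create-policy body
PRINCIPAL_FIELDS = ("user_id", "group_id", "application_id", "no_principal")


def check_policy_body(body):
    """Return a list of problems found in a POST /iam/v1alpha1/policies body."""
    problems = []
    name = body.get("name")
    if not isinstance(name, str) or not name:
        problems.append("name is required")
    elif len(name) > NAME_MAX:
        problems.append(f"name exceeds {NAME_MAX} characters")
    description = body.get("description")
    if description is not None and len(description) > DESCRIPTION_MAX:
        problems.append(f"description exceeds {DESCRIPTION_MAX} characters")
    # Assumption: a field counts as set when it is present and not None, so
    # no_principal=False sent next to user_id is still two principal fields.
    principals = [f for f in PRINCIPAL_FIELDS if body.get(f) is not None]
    if len(principals) > 1:
        problems.append("only one principal field may be set, got: "
                        + ", ".join(principals))
    # Each rule needs one or more permission sets to grant anything.
    for index, rule in enumerate(body.get("rules") or []):
        if not rule.get("permission_set_names"):
            problems.append(f"rules[{index}] grants no permission set")
    return problems


# Constructed sample bodies; the IDs are placeholders, not real UUIDs.
ORG_ID = "00000000-0000-0000-0000-000000000000"
GOOD_BODY = {
    "name": "billing-readers",
    "organization_id": ORG_ID,
    "application_id": "11111111-1111-1111-1111-111111111111",
    "rules": [{"permission_set_names": ["BillingReadOnly"],
               "organization_id": ORG_ID}],
}
BAD_BODY = dict(GOOD_BODY, name="x" * 65, no_principal=False,
                rules=[{"permission_set_names": [], "organization_id": ORG_ID}])

if __name__ == "__main__":
    print(check_policy_body(GOOD_BODY))
    for problem in check_policy_body(BAD_BODY):
        print("-", problem)
```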

Retrieve information about a policy, specified by the policy_id parameter. The policy's full details, including id, name, organization_id, nb_rules, nb_scopes and nb_permission_sets, are returned in the response.

GET
/iam/v1alpha1/policies/{policy_id}
Path Parameters

policy_id
required string
Id of policy to search.
200 Response

id
string
Id of the policy.

name
string
Name of the policy.

description
string
Description of the policy.

organization_id
string
Organization ID of the policy.

created_at
nullable string
Date and time of policy creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last policy update. (RFC 3339 format).

editable
boolean
Whether or not a policy is editable.

nb_rules
integer
Number of rules of the policy.

nb_scopes
integer
Number of policy scopes.

nb_permission_sets
integer
Number of permission sets of the policy.

user_id
string
ID of the user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id
string
ID of the group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id
string
ID of the application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal
boolean
Whether or not a policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.
Response Example

Update the parameters of a policy, including name, description, user_id, group_id, application_id and no_principal.

PATCH
/iam/v1alpha1/policies/{policy_id}
Path Parameters

policy_id
required string
Id of policy to update.
Body

name
nullable string
New name for the policy (max length is 64 characters).

description
nullable string
New description of policy (max length is 200 characters).

user_id
nullable string
New ID of user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id
nullable string
New ID of group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id
nullable string
New ID of application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal
nullable boolean
Whether or not the policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.
Request Example
200 Response

id
string
Id of the policy.

name
string
Name of the policy.

description
string
Description of the policy.

organization_id
string
Organization ID of the policy.

created_at
nullable string
Date and time of policy creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last policy update. (RFC 3339 format).

editable
boolean
Whether or not a policy is editable.

nb_rules
integer
Number of rules of the policy.

nb_scopes
integer
Number of policy scopes.

nb_permission_sets
integer
Number of permission sets of the policy.

user_id
string
ID of the user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id
string
ID of the group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id
string
ID of the application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal
boolean
Whether or not a policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.
Response Example

Delete a policy. You must specify the policy_id parameter in your request. Note that when deleting a policy, all permissions it gives to its principal (user, group or application) will be revoked.

DELETE
/iam/v1alpha1/policies/{policy_id}
Path Parameters

policy_id
required string
Id of policy to delete.
204 Response

Empty response

Clone a policy. You must specify the policy_id parameter in your request.

POST
/iam/v1alpha1/policies/{policy_id}/clone
Path Parameters

policy_id
required string
Body

Request Example
200 Response

id
string
Id of the policy.

name
string
Name of the policy.

description
string
Description of the policy.

organization_id
string
Organization ID of the policy.

created_at
nullable string
Date and time of policy creation. (RFC 3339 format).

updated_at
nullable string
Date and time of last policy update. (RFC 3339 format).

editable
boolean
Whether or not a policy is editable.

nb_rules
integer
Number of rules of the policy.

nb_scopes
integer
Number of policy scopes.

nb_permission_sets
integer
Number of permission sets of the policy.

user_id
string
ID of the user attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

group_id
string
ID of the group attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

application_id
string
ID of the application attributed to the policy. Only one of user_id, group_id, application_id and no_principal may be set.

no_principal
boolean
Whether or not a policy is attributed to a principal. Only one of user_id, group_id, application_id and no_principal may be set.
Response Example

A rule (also known as an IAM rule) is the part of a policy that defines the permissions of the policy's principal, and the scope of these permissions. A policy can have one or many rules. Each rule consists of:

  1. A scope, which defines where the permission sets should apply. At Scaleway, a scope can be at Project or Organization level.
     • Projects group your Scaleway resources (e.g. Instances, Object Storage buckets, Managed Databases etc.) together. An Organization may have many Projects, or just one default Project. If you choose to define scope at Project level, you can select one, many, or all Projects. When you then define the permission sets for this scope, you can give access to different resources within the Project(s).
     • An Organization is made of one or several Projects. Billing, IAM, Project management and support are all managed at Organization level, so choose the Organization scope to give access to these features.
  2. One or more permission sets (e.g. "list all Instances"). A permission set consists of one or multiple permissions to perform actions on resources or features. Each permission set has a clear description, e.g. InstancesFullAccess, InstancesReadOnly, RelationalDatabasesFullAccess, BillingReadOnly.

List the rules of a given policy. By default, the rules listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the policy_id in the query path of your request.

GET
/iam/v1alpha1/rules
Query Parameters

policy_id
required string
Id of policy to search.

page_size
integer
Number of results per page. Value must be between 1 and 100. The default value is 20.

page
integer
Page number. Value must be greater than 1. The default value is 1.
200 Response

rules
array
Rules of the policy.

total_count
integer
Total count of rules.
Response Example

Overwrite the rules of a given policy. Any information that you add using this command will overwrite the previous configuration. If you include some of the rules you already had in your previous configuration in your new one, but you change their order, the new order of display will apply. While policy rules are ordered, their order has no impact on the access logic of IAM because rules are allow-only.

PUT
/iam/v1alpha1/rules
Body

policy_id
required string
Id of policy to update.

rules
required array
Rules of the policy to set.
Request Example
200 Response

rules
array
Rules of the policy.
Response Example
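Because PUT replaces the whole rule list, adding one rule safely means reading every page of the current rules first and sending them back together with the new one. The sketch below is an added example, not Scaleway's own code: `fetch_page`, the helper names, the `id` field on returned rules and the sample data are assumptions, and it runs offline against a constructed fake response.

```python
import json

def list_all_rules(fetch_page, page_size=100):  # 100 is the documented maximum
    """Walk GET /iam/v1alpha1/rules until total_count rules are collected.

    fetch_page(page, page_size) is a hypothetical callable that sends the
    request and returns the decoded body {"rules": [...], "total_count": n}.
    """
    rules, page = [], 1
    while True:
        body = fetch_page(page, page_size)
        rules.extend(body["rules"])
        if not body["rules"] or len(rules) >= body["total_count"]:
            return rules
        page += 1

def rule_key(rule):
    """Comparable identity of a rule: everything except the assumed 'id' field."""
    spec = {k: v for k, v in rule.items() if k != "id"}
    spec["permission_set_names"] = sorted(spec.get("permission_set_names", []))
    return json.dumps(spec, sort_keys=True)

def plan_put(policy_id, current, additions):
    """PUT body that keeps every current rule, then appends rules not yet present."""
    seen, merged = set(), []
    for rule in list(current) + list(additions):
        key = rule_key(rule)
        if key not in seen:
            seen.add(key)
            merged.append(json.loads(key))
    return {"policy_id": policy_id, "rules": merged}

def dropped_by(body, current):
    """Current rules that a proposed PUT body would silently remove."""
    proposed = {rule_key(r) for r in body["rules"]}
    return [r for r in current if rule_key(r) not in proposed]

# Constructed sample data: three existing rules, served two per page.
ORG = "00000000-0000-0000-0000-000000000000"  # placeholder Organization ID
NAMES = ["InstancesReadOnly", "BillingReadOnly", "InstancesFullAccess"]
SAMPLE = [{"id": f"rule-{i}", "permission_set_names": [n], "organization_id": ORG}
          for i, n in enumerate(NAMES)]

def fake_fetch(page, page_size):
    start = (page - 1) * page_size
    return {"rules": SAMPLE[start:start + page_size], "total_count": len(SAMPLE)}

if __name__ == "__main__":
    current = list_all_rules(fake_fetch, page_size=2)
    new = {"permission_set_names": ["RelationalDatabasesFullAccess"], "organization_id": ORG}
    print(len(plan_put("policy-id-placeholder", current, [new])["rules"]))
    print(dropped_by({"policy_id": "policy-id-placeholder", "rules": [new]}, current))
```

Running `dropped_by` on a body before sending it turns an accidental revocation into a reviewable list.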

Permission sets are the main components of IAM rules. They consist of sets of one or multiple permissions.

Permission set names contain descriptions that clearly explain their purpose. For example, a permission set that grants access to all actions you can perform on Instances is called InstancesFullAccess.

Permission sets (e.g. InstanceReadAccess) and their scope (e.g. "on Project A only") make up IAM rules, which define the access rights that a principal (user, group or application) should have.

List permission sets available for a given Organization. You must define the organization_id in the query path of your request.

GET
/iam/v1alpha1/permission-sets
Query Parameters

order_by
string
Criteria for sorting results. Possible values are name_asc, name_desc, created_at_asc and created_at_desc. The default value is created_at_asc.

page_size
integer
Number of results per page. Value must be between 1 and 100. The default value is 20.

page
integer
Page number. Value must be greater than 1. The default value is 1.

organization_id
required string
Filter by Organization ID.
200 Response

permission_sets
array
List of permission sets.

total_count
integer
Total count of permission sets.
Response Example

Every Scaleway Organization has a certain number of resource quotas, which are limits on the number of Scaleway resources these Organizations can use.

List all product and feature quotas for an Organization, with their associated limits. By default, the quotas listed are ordered by creation date in ascending order. This can be modified via the order_by field. You must define the organization_id in the query path of your request.

GET
/iam/v1alpha1/quota
Query Parameters

order_by
string
Criteria for sorting results. Possible values are name_asc and name_desc. The default value is name_asc.

page_size
integer
Number of results per page. Value must be between 1 and 100. The default value is 20.

page
integer
Page number. Value must be greater than 1. The default value is 1.

organization_id
required string
Filter by Organization ID.
200 Response

quota
array
List of quota.

total_count
integer
Total count of quota.
Response Example

Retrieve information about a resource quota, specified by the quotum_name parameter. The quota's limit, or whether it is unlimited, is returned in the response.

GET
/iam/v1alpha1/quota/{quotum_name}
Path Parameters

quotum_name
required string
Name of the quota to get.
Query Parameters

organization_id
required string
ID of the Organization.
200 Response

name
string
Name of the quota.

limit
integer
Maximum limit of the quota. Only one of limit and unlimited may be set.

unlimited
boolean
Whether or not the quota is unlimited. Only one of limit and unlimited may be set.
Response Example
GET
/iam/v1alpha1/jwts
Query Parameters

order_by
string
Criteria for sorting results. Possible values are created_at_asc, created_at_desc, updated_at_asc and updated_at_desc. The default value is created_at_asc.

audience_id
required string
ID of the user to search.

page_size
integer
Number of results per page. Value must be between 1 and 100. The default value is 20.

page
integer
Page number. Value must be greater than 1. The default value is 1.

expired
boolean
Whether or not to filter out expired JWTs.
200 Response

jwts
array

total_count
integer
Response Example
GET
/iam/v1alpha1/jwts/{jti}
Path Parameters

jti
required string
JWT ID of the JWT to get.
200 Response

jti
string
JWT ID.

issuer_id
string
ID of the user who issued the JWT.

audience_id
string
ID of the user targeted by the JWT.

created_at
nullable string
Creation date of the JWT. (RFC 3339 format).

updated_at
nullable string
Last update date of the JWT. (RFC 3339 format).

expires_at
nullable string
Expiration date of the JWT. (RFC 3339 format).

ip
string
IP address used during the creation of the JWT. (IP address).

user_agent
string
User-agent used during the creation of the JWT.
Response Example
DELETE
/iam/v1alpha1/jwts/{jti}
Path Parameters

jti
required string
JWT ID of the JWT to delete.
204 Response

Empty response