IAM API

Identity and Access Management (IAM) allows you to share access to the management of your Scaleway resources and Organization settings, in a controlled and secure manner. With IAM, you can invite other users to your Organization, as well as create IAM applications which represent non-human users with their own API keys. You define permissions for users and applications in your Organization via highly customizable policies. Policies let you specify exactly what rights users and applications (or groups of users and applications) should have within your Organization.

Concepts

Refer to our dedicated IAM concepts pageOpen in new context to find definitions of the different terms referring to IAM.

Quickstart

Configure your environment variables.

Code
export ACCESS_KEY="<access-key>"
export SECRET_KEY="<secret-key>"
export REGION="<region>"

Create an application. Replace the parameter values in the request payload with the details of your new application.

Note

The UUIDs used in the following code examples are not real

Code
curl -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" https://api.scaleway.com/iam/v1alpha1/applications \
  -d '{
    "name": "prod1",
    "organization_id": "c6842bac-7938-4c04-9e03-f48147eee1f1",
    "description": "this is my new application"
    }'

Parameter	Description
`name`	REQUIRED The name of your new application
`organization_id`	The ID of your Scaleway Organization
`description`	The description of your application

Retrieve your application ID from the response.


Code
{
  "id": "950dde46-5cba-427d-a4f5-ce5a8a79717c",
  "name": "prod1",
  "description": "this is my new application",
  "created_at": "2023-03-08T12:34:56.123456Z",
  "updated_at": "2023-03-08T12:34:56.123456Z",
  "organization_id": "c6842bac-7938-4c04-9e03-f48147eee1f1",
  "editable": "true",
  "nb_api_keys": "0"
}

Create a policy. Replace the parameter values in the request payload with the details of your new application, including the application ID retrieved in the previous step.

Code
curl -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" https://api.scaleway.com/iam/v1alpha1/policies \
  -d '{
  "name": "policy-prod1",
  "description": "This policy grants full access to IAM in my Organization to application prod1",
  "organization_id": "c6842bac-7938-4c04-9e03-f48147eee1f1",
  "rules": [
    {
      "permission_set_names": [
        "IAMManager"
      ],
      "organization_id": "c6842bac-7938-4c04-9e03-f48147eee1f1"
    }
  ],
  "application_id": "950dde46-5cba-427d-a4f5-ce5a8a79717c"
}'

Parameter	Description
`name`	REQUIRED The name of your new application
`description`	The description of your policy
`organization_id`	The ID of your Scaleway Organization
`rules`	The rulesOpen in new context of your policy
`permission_set_names`	The permission sets you want to grant. You can either list all permission sets or find a complete list in the permission sets documentation pageOpen in new context
`organization_id`	The ID of the Scaleway Organization where you want your permission sets to apply. You can add one as the scopeOpen in new context of your policy
`application_id`	The ID of your application

Note

To learn more about IAM policies, refer to our dedicated IAM policies reference pageOpen in new context.

Create an API key for your application.

Code
curl -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" https://api.scaleway.com/iam/v1alpha1/api-keys \
  -d '{
    "application_id": "950dde46-5cba-427d-a4f5-ce5a8a79717c",
    "expires_at": "2023-12-22T12:34:56.123456Z",
    "default_project_id": "2aeadddc-c589-4784-8ef5-fae989a4bac8",
    "description": "This is an API key for prod1"
  }'

Parameter	Description
`application_id`	The ID of your application
`expires_at`	OPTIONAL The expiration date of your API key
`default_project_id`	OPTIONAL The Project ID of your preferred Project, to use with Object Storage. If no Project ID is specified, the default project is used. Refer to the Using API Keys with Object Storage documentation pageOpen in new context
`description`	The description of your API key

Retrieve your access and secret keys from the response.
Note
The secret key is only showed once. Make sure that you copy and store both keys somewhere safe.
You can now have an IAM configuration fully set up and can begin working on your Scaleway projects.

Requirement

To perform the following steps, you must first ensure that: - you have an account and are logged into the Scaleway consoleOpen in new context - you have created an API keyOpen in new context and that the API key has sufficient IAM permissionsOpen in new context to perform the actions described on this page. - you have installed curlOpen in new context

Technical Limitations

Currently, IAM users cannot be created within Scaleway Organizations, they can only be invited to join them. Refer to the Users, groups and applications reference pageOpen in new context to learn more about users.
Access management at resource level is not yet available. You can currently scope the permission sets to a Project or to an Organization. Refer to the Permission sets reference pageOpen in new context to learn more about permission sets.
Explicit deny permissions are not yet available. You can currently only explicitly allow access to different products or Organization management features.

Going Further

For more information about IAM, you can check out the following pages:

Concepts

Refer to our dedicated IAM concepts pageOpen in new context to find definitions of the different terms referring to IAM.

Quickstart

Configure your environment variables.

Code
export ACCESS_KEY="<access-key>"
export SECRET_KEY="<secret-key>"
export REGION="<region>"

Create an application. Replace the parameter values in the request payload with the details of your new application.

Note

The UUIDs used in the following code examples are not real

Code
curl -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" https://api.scaleway.com/iam/v1alpha1/applications \
  -d '{
    "name": "prod1",
    "organization_id": "c6842bac-7938-4c04-9e03-f48147eee1f1",
    "description": "this is my new application"
    }'

Parameter	Description
`name`	REQUIRED The name of your new application
`organization_id`	The ID of your Scaleway Organization
`description`	The description of your application

Retrieve your application ID from the response.


Code
{
  "id": "950dde46-5cba-427d-a4f5-ce5a8a79717c",
  "name": "prod1",
  "description": "this is my new application",
  "created_at": "2023-03-08T12:34:56.123456Z",
  "updated_at": "2023-03-08T12:34:56.123456Z",
  "organization_id": "c6842bac-7938-4c04-9e03-f48147eee1f1",
  "editable": "true",
  "nb_api_keys": "0"
}

Create a policy. Replace the parameter values in the request payload with the details of your new application, including the application ID retrieved in the previous step.

Code
curl -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" https://api.scaleway.com/iam/v1alpha1/policies \
  -d '{
  "name": "policy-prod1",
  "description": "This policy grants full access to IAM in my Organization to application prod1",
  "organization_id": "c6842bac-7938-4c04-9e03-f48147eee1f1",
  "rules": [
    {
      "permission_set_names": [
        "IAMManager"
      ],
      "organization_id": "c6842bac-7938-4c04-9e03-f48147eee1f1"
    }
  ],
  "application_id": "950dde46-5cba-427d-a4f5-ce5a8a79717c"
}'

Parameter	Description
`name`	REQUIRED The name of your new application
`description`	The description of your policy
`organization_id`	The ID of your Scaleway Organization
`rules`	The rulesOpen in new context of your policy
`permission_set_names`	The permission sets you want to grant. You can either list all permission sets or find a complete list in the permission sets documentation pageOpen in new context
`organization_id`	The ID of the Scaleway Organization where you want your permission sets to apply. You can add one as the scopeOpen in new context of your policy
`application_id`	The ID of your application

Note

To learn more about IAM policies, refer to our dedicated IAM policies reference pageOpen in new context.

Create an API key for your application.

Code
curl -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" https://api.scaleway.com/iam/v1alpha1/api-keys \
  -d '{
    "application_id": "950dde46-5cba-427d-a4f5-ce5a8a79717c",
    "expires_at": "2023-12-22T12:34:56.123456Z",
    "default_project_id": "2aeadddc-c589-4784-8ef5-fae989a4bac8",
    "description": "This is an API key for prod1"
  }'

Parameter	Description
`application_id`	The ID of your application
`expires_at`	OPTIONAL The expiration date of your API key
`default_project_id`	OPTIONAL The Project ID of your preferred Project, to use with Object Storage. If no Project ID is specified, the default project is used. Refer to the Using API Keys with Object Storage documentation pageOpen in new context
`description`	The description of your API key

Retrieve your access and secret keys from the response.
Note
The secret key is only showed once. Make sure that you copy and store both keys somewhere safe.
You can now have an IAM configuration fully set up and can begin working on your Scaleway projects.

Requirement

Technical Limitations

Currently, IAM users cannot be created within Scaleway Organizations, they can only be invited to join them. Refer to the Users, groups and applications reference pageOpen in new context to learn more about users.
Access management at resource level is not yet available. You can currently scope the permission sets to a Project or to an Organization. Refer to the Permission sets reference pageOpen in new context to learn more about permission sets.
Explicit deny permissions are not yet available. You can currently only explicitly allow access to different products or Organization management features.

Going Further

For more information about IAM, you can check out the following pages: