
Identity and Access Management

Discover Scaleway's Identity and Access Management system.

Why do I need Identity and Access Management (IAM) features?

Securing access to your Scaleway account and resources is essential. Not all users, programs and scripts should have access to all aspects of your Organization. There are many risks that can affect your Organization: credentials can get leaked, or obtained through malicious activity, and some undesired actions may be performed accidentally.

IAM enables you to reduce these risks, and ensures that users in your Organization have access only to the resources they need.

Do I have to pay for IAM?

IAM is free and available to all Scaleway users.

Can I manage access at the resource level?

With IAM you can manage access for each Scaleway product, but at the Project level only. Some products implement their own access mechanisms that can be managed at the resource level, such as SSH keys for Elastic Metal, Instances and Apple silicon.

Which products work with IAM?

IAM enables you to manage access control to all Scaleway products.

What will happen to the API keys I created before IAM?

The API keys you have created before migrating to IAM will maintain the same rights after migration. However, API keys will from now on be attached to IAM applications, leaving IAM users without any API keys directly attached to themselves.

You may decide yourself whether to leave these automatically-created IAM applications and policies in place, edit the policies to change permissions as required, or generate new API keys for individual users to define rights per-user via the creation of new policies for those users.

For more information refer to the IAM Migration reference documentation page.

What will happen to the users who joined my Organization before IAM?

The users that joined your Organization before IAM will keep the same rights after migration, based on the roles they had.

Any Scaleway users who were members of an Organization pre-IAM will automatically become IAM users in that Organization. In addition, three groups will be automatically created in each Organization. The groups are as follows:

  • Administrators (mapping to the Administrator role)
  • Billing Administrators (mapping to the Billing Administrator role)
  • Editors (mapping to the Editor role)

For each group, a corresponding policy has been created, defining rules that give the same rights that their roles gave prior to the introduction of IAM.

What are applications and why do I need them?

Applications represent the identity of non-human users (such as a CI pipeline, a custom script, or a Terraform provider). They are used to attach permissions and API keys to these operations - without being linked to specific users and their own rights.

Is IAM activation optional?

IAM will soon become the access manager integrated by default in all Scaleway accounts. In order to ensure a smooth migration, IAM integration will be optional for a few weeks. Training sessions will be delivered by our product team during this period of time to encourage proactive migration from our users. Past this period, IAM will be activated on all Scaleway accounts.

Note:

For Scaleway accounts created from 5 December 2022 onward, IAM will be activated automatically upon creation.

Can I switch from IAM back to the former role system?

No, IAM activation is definitive.

Why do I have to select a preferred Project for Object Storage when I create an API key?

Due to limitations on the Object Storage API, API keys cannot perform Object Storage actions on several projects at the same time. Whenever you generate an API key that will be used on Object Storage, you must specify a preferred project where the API key will be able to perform actions. For more information refer to the Using IAM API keys with Object Storage documentation page.

Can I activate IAM for an Organization of which I am not the Owner?

Only the Owner of an Organization can activate IAM. In the members list of the Scaleway console you can check who is the owner of your Organization.

How can I set up a permission set more fine grained than ReadOnly or FullAccess (e.g. WriteOnly)?

Currently only FullAccess and ReadOnly permission sets are available for most Scaleway resources. More permission sets that allow finer-grained actions will be released in the upcoming months.

Why and how should I rotate API keys?

API keys are credentials that grant access to resources in Scaleway Organizations. As with any credential, it is good practice to change them on a regular basis to reduce the risk of security breaches. To change your API key, you can generate a new one for your user and/or application and delete the old API key.
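
The following is an added example, not Scaleway code: it turns the rotation advice above into an ordered plan that creates the replacement key before deleting the old one, and carries over the preferred Project that Object Storage keys require. The inventory records, their field names, the 90-day threshold and the intermediate "deploy" step are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory. Field names and access keys are made up for this
# example; they are not the schema of any Scaleway API response.
SAMPLE_KEYS = [
    {"access_key": "SCWEXAMPLEKEY0000001", "bearer": "application:ci-pipeline",
     "created_at": "2023-01-10T09:00:00+00:00", "preferred_project": "project-a"},
    {"access_key": "SCWEXAMPLEKEY0000002", "bearer": "user:alice@example.com",
     "created_at": "2023-05-20T09:00:00+00:00", "preferred_project": None},
    {"access_key": "SCWEXAMPLEKEY0000003", "bearer": "application:terraform",
     "created_at": "2023-02-15T09:00:00+00:00", "preferred_project": None},
]


def keys_due(keys, now, max_age_days=90):
    """Return the keys older than max_age_days (assumed threshold), oldest first."""
    cutoff = now - timedelta(days=max_age_days)
    due = [k for k in keys if datetime.fromisoformat(k["created_at"]) < cutoff]
    return sorted(due, key=lambda k: datetime.fromisoformat(k["created_at"]))


def rotation_plan(keys, now, max_age_days=90):
    """Build ordered (action, target, description) steps for each key that is due.

    The old key is deleted only after its replacement exists and has been
    rolled out, so nothing that depends on it loses access mid-rotation.
    """
    steps = []
    for k in keys_due(keys, now, max_age_days):
        create = f"generate new API key for {k['bearer']}"
        if k["preferred_project"]:
            # An Object Storage key acts on one preferred Project: carry it over.
            create += f" with preferred Project {k['preferred_project']}"
        steps.append(("create", k["bearer"], create))
        steps.append(("deploy", k["bearer"],
                      f"replace {k['access_key']} wherever it is configured"))
        steps.append(("delete", k["access_key"],
                      f"delete old API key {k['access_key']}"))
    return steps


if __name__ == "__main__":
    now = datetime(2023, 7, 1, tzinfo=timezone.utc)  # fixed date for a stable demo
    for action, _target, text in rotation_plan(SAMPLE_KEYS, now):
        print(f"{action:7} {text}")
```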