
Identity and Access Management

Why do I need Identity and Access Management (IAM) features?

Securing access to your Scaleway account and resources is essential. Not all users, programs, and scripts should have access to all aspects of your Organization. There are many risks that can affect your Organization: credentials can get leaked, or obtained through malicious activity, and some undesired actions may be performed accidentally.

IAM enables you to reduce these risks, and ensures that users in your Organization have access only to the resources they need.

Do I have to pay for IAM?

No. IAM is free and available to all Scaleway users.

Can I manage access at the resource level?

With IAM you can manage access for each Scaleway product, but at the Project level only. Some products implement their own access with the possibility to manage access at the resource level, such as SSH keys for Elastic Metal, Instances, and Apple silicon.

Which products work with IAM?

IAM enables you to manage access control to all Scaleway products.

What will happen to the API keys I created before IAM?

The API keys you have created before migrating to IAM will maintain the same rights after migration. However, API keys will from now on be attached to IAM applications, leaving IAM users without any API keys directly attached to themselves.

You can leave these automatically created IAM applications and policies in place, edit the policies to change permissions as required, or generate new API keys for individual users and define per-user rights by creating new policies for those users.

For more information, refer to the IAM Migration reference documentation page.

What will happen to the users who joined my Organization before IAM?

The users that joined your Organization before IAM will keep the same rights after migration, based on the roles they had.

Any Scaleway users who were members of an Organization pre-IAM will automatically become IAM users in that Organization. In addition, three groups will be automatically created in each Organization. The groups are as follows:

  • Administrators (mapping to the Administrator role)
  • Billing Administrators (mapping to the Billing Administrator role)
  • Editors (mapping to the Editor role)

For each group, a corresponding policy has been created, defining rules that give the same rights that their roles gave prior to the introduction of IAM.

What are applications, and why do I need them?

Applications represent the identity of non-human users (such as a CI pipeline, a custom script, or a Terraform provider). They are used to attach permissions and API keys to these operations - without being linked to specific users and their own rights.

Why do I have to select a preferred Project for Object Storage when I create an API key?

Due to limitations of the Object Storage API, API keys cannot perform Object Storage actions on several Projects at the same time. Whenever you generate an API key that will be used on Object Storage, you must specify a preferred Project where the API key will be able to perform actions. For more information, refer to the Using IAM API keys with Object Storage documentation page.

Why and how should I rotate API keys?

API keys are credentials that grant access to resources in Scaleway Organizations. It is good practice to change your credentials on a regular basis to reduce the risk of security breaches. To change your API key, you can generate a new one for your user and/or application and delete the old API key.
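
The rotation order described above (generate the new key, then delete the old one), sketched as a planner over a key inventory. This is an added example, not Scaleway code: the inventory fields, the placeholder key names and the 90-day maximum age are assumptions, and the 100-key limit is the one stated in this FAQ.

```python
from datetime import datetime, timedelta, timezone

MAX_API_KEYS = 100  # per-Organization limit stated in this FAQ


def plan_rotation(keys, now, max_age_days=90):
    """Plan rotation for every key older than max_age_days (assumed policy value).

    Each stale key yields three ordered steps: create a replacement for the
    same bearer, verify the replacement works, then delete the old key.
    The old key stays valid until the new one is verified, so each rotation
    briefly needs one free slot under the Organization's key limit.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = sorted((k for k in keys if k["created_at"] < cutoff),
                   key=lambda k: k["created_at"])  # oldest first
    if stale and len(keys) >= MAX_API_KEYS:
        raise RuntimeError("API key limit reached: delete an unused key "
                           "before rotating, or the create step will fail")
    steps = []
    for k in stale:
        steps.append(("create", k["bearer"]))      # new key, same user/application
        steps.append(("verify", k["bearer"]))      # confirm consumers use the new key
        steps.append(("delete", k["access_key"]))  # only now retire the old key
    return steps


def sample_inventory(now):
    """Constructed inventory; key names and bearers are made-up placeholders."""
    return [
        {"access_key": "EXAMPLE_KEY_A", "bearer": "application:ci-pipeline",
         "created_at": now - timedelta(days=400)},
        {"access_key": "EXAMPLE_KEY_B", "bearer": "application:terraform",
         "created_at": now - timedelta(days=10)},
        {"access_key": "EXAMPLE_KEY_C", "bearer": "user:alice",
         "created_at": now - timedelta(days=120)},
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for step in plan_rotation(sample_inventory(now), now):
        print(*step)
```
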

How many API keys can I create?

Each Organization can have up to 100 API keys.

How many IAM applications can I create?

Each Organization can have up to 50 IAM applications.

How many IAM groups can I create?

Each Organization can have up to 50 IAM groups.

How many IAM policies can I create?

Each Organization can have up to 50 IAM policies.

How many users can my Organization have?

Each Organization can have up to 50 users.
