Identity and Access Management
Securing access to your Scaleway account and resources is essential. Not all users, programs and scripts should have access to all aspects of your Organization. There are many risks that can affect your Organization: credentials can get leaked, or obtained through malicious activity, and some undesired actions may be performed accidentally.
IAM enables you to reduce these risks, and ensures that users in your Organization have access only to the resources they need.
IAM is free and available to all Scaleway users.
With IAM you can manage access for each Scaleway product, but at the Project level only. Some products implement their own access with the possibility to manage access at the resource level, such as SSH keys for Elastic Metal, Instances and Apple silicon.
IAM enables you to manage access control to all Scaleway products.
The API keys you have created before migrating to IAM will maintain the same rights after migration. However, API keys will from now on be attached to IAM applications, leaving IAM users without any API keys directly attached to themselves.
You may decide yourself whether to leave these automatically-created IAM applications and policies in place, edit the policies to change permissions as required, or generate new API keys for individual users to define rights per-user via the creation of new policies for those users.
For more information refer to the IAM Migration reference documentation page.
The users that joined your Organization before IAM will keep the same rights after migration, based on the roles they had.
Any Scaleway users who were members of an Organization pre-IAM will be automatically become IAM users in that Organization. In addition, three groups will be automatically created in each Organization. The groups are as follows:
- Administrators (mapping to the Administrator role)
- Billing Administrators (mapping to the Billing Administrator role)
- Editors (mapping to the Editor role)
For each group, a corresponding policy has been created, defining rules that give the same rights that their roles gave prior to the introduction of IAM.
Applications represent the identity of non-human users (such as a CI pipeline, a custom script, or a Terraform provider). They are used to attach permissions and API keys to these operations - without being linked to specific users and their own rights.
Due to limitations on the Object Storage API, API keys cannot perform Object Storage actions on several projects at the same time. Whenever you generate an API key that will be used on Object Storage, you must specify a preferred project where the API key will be able to perform actions. For more information refer to the Using IAM API keys with Object Storage documentation page.
Currently only FullAccess and ReadOnly permission sets are available for most Scaleway resources. More permission sets that allow finer-grained actions will be released in the upcoming months.
API keys are credentials that grant access to resources in Scaleway Organizations. Like any credential, it is good practice to change them on a regular basis to reduce the risk of security breaches. To change your API key, you can generate a new one for your user and/or application and delete the old API key.