How to create an IAM policy

Reviewed on January 02, 2025

An IAM policy is used to define the permissions of users, groups, and applications in a given Organization. A policy is composed of a principal (the user, group, or application to which it applies) and one or more IAM rules (which describe the permission sets the principal should have, and the scope of those permission sets).

Before you start

To complete the actions presented below, you must have:

A Scaleway account logged into the console
Owner status or IAM permissions allowing you to perform actions in the intended Organization

Click IAM & API keys on the top-right drop-down menu of the Scaleway console. The Users tab of the Identity and Access Management dashboard displays.
Click the Policies tab. A list of the Organization's existing policies displays:
Click Create policy. The creation wizard displays:
Complete the steps on the first page of the creation wizard:
- Enter a name for the policy,
- Add a tag (optional),
Note
Tags are key/value pairs that help you organize your users. Keep in mind that:

You can assign up to 10 tags per user

Tag values must be between 1 and 70 characters long, including key and value

The same tag cannot be used twice
- Enter a description (optional),
- Select a principal, who will be the target of your policy. The principal should be the user, application, or group who you want to grant specific permissions to through this policy.
Important
You can choose to create a policy without a principal for now, and attach the principal later. Be aware that the policy will have no effect until a principal is attached. A policy can only be attached to one principal at a time.
Click Add rules to progress to the next part of the policy creation wizard.

Tip
Rules define the actions that the attached principal will be able to carry out within the Organization. When creating a rule, you first set the scope of the rule, and then select the permission sets to apply within the scope. You can optionally set up conditions for your rule. See our dedicated documentation for more help with policies, rules, scopes and permission sets.
Select a scope for the rule:
- To give the principal permissions to view, create, edit and/or delete resources, select the Access to resources scope. Then, select the Project in which you want the permissions to apply. You can select from all current and future Projects, all current Projects or select specific Projects.
- To give the principal permissions to Organization-level features such as IAM, billing, support & abuse tickets and project management, select the Access to Organization features scope.
Click Validate to continue.
Choose the permission sets for the rule by selecting the required boxes. You can select as many permission sets as you like. The principal will have the rights defined in these permission sets within the scope you set in step 6. See our dedicated documentation for more help with permission sets.
Click Validate.
(Optional) Click + Add new to add one or more conditions. You can allow access to specific user agents or IP addresses, and allow actions to be performed only at certain dates and times.

Tip
Refer to the Understanding policy conditions documentation page for more details about how to write condition expressions, as well as examples of conditions.
Click Validate. The rule, with its scope and permission sets, is added to the list of the policy's rules.
Click Add new rule and repeat steps 6 to 8 as many times as required to add multiple rules to your policy.

Tip
You can delete delete icon or edit edit icon an existing rule by clicking the relevant button in the top right corner of the rule's summary.
Click Create policy to finish.

You are returned to the Policies tab, where the newly-created policy now appears in the list.

Note
The application of Object Storage permissions can take up to 5 minutes.