Jump toUpdate content
Permission sets
Permissions sets and their scope make up IAM rules, which define the access rights that a principal (user, group or application) should have. They consist of sets of one or multiple permissions.
Permission set names contain descriptions that clearly explain their purpose. For example, a permission set that grants access to all actions you can perform on Instances is called: InstancesFullAccess.
Below is a list of the permission sets available at Scaleway.
Scoped by Organization
| Permission set | Description |
|---|---|
| ProjectManager | Full access to Project management. This means access to create, rename, list and delete projects. It does not include access to Project resources |
| ProjectReadOnly | Read access to Project management. Does not include access to Project resources |
| IAMReadOnly | Read access to IAM. This means list and read access to users, groups, applications, policies, and API keys |
| IAMManager | Full access to IAM. This means access to all possible actions for users, groups, applications, policies and API keys) and all ProjectManager permissions |
| BillingReadOnly | List and read access to billing information |
| BillingManager | Full access to billing management. This means access to list, read and edit billing contact information, payment information, billing alerts and invoices |
| OrganizationManager | Full access to Organization management. This means access to all possible actions for Projects, IAM, billing and support/abuse tickets. Does not include access to list and create resources. |
| OrganizationReadOnly | Read access to the Organization’s general information (e.g. Organization ID and quotas) |
| SupportTicketManager | Full access to support tickets. This means access to create, read and update support tickets in the Organization |
| SupportTicketReadOnly | List and read access to support tickets |
| AbuseTicketManager | Full access to abuse tickets. This means access to create, read and update abuse tickets in the Organization |
Important:
Any user or application benefitting from the IAMManager and/or OrganizationManager permission sets is able to create policies giving themselves access to any other actions and resources within the Organization.
Scoped by Project
| Permission set | Description |
|---|---|
| AllProductsFullAccess | Full access to create, read, list, edit and delete all resources (products) |
| AllProductsReadOnly | Read access to list and read info for all resources (products) |
| SSHKeysReadOnly | Read access to SSH keys |
| SSHKeysFullAccess | Full access to SSH keys |
| AppleSiliconReadOnly | List and read access to Apple Silicon |
| AppleSiliconFullAccess | Full access to create, read, list, edit and delete Apple Silicon. |
| ElasticMetalReadOnly | List and read access to Elastic Metal |
| ElasticMetalFullAccess | Full access to create, read, list, edit and delete Elastic Metal |
| InstancesFullAccess | Full access to create, read, list, edit and delete Instances |
| InstancesReadOnly | List and read access to Instances |
| KubernetesReadOnly | List and read access to Kubernetes |
| KubernetesFullAccess | Full access to create, read, list, edit and delete Kubernetes |
| KubernetesExternalNodeRegister | Attach external nodes to a Kosmos cluster |
| DediboxReadOnly | List and read access to Dedibox |
| DediboxFullAccess | Full access to create, read, list, edit and delete Dedibox |
| ContainersReadOnly | List and read access to Containers |
| ContainersFullAccess | Full access to create, read, list, edit and delete to Containers |
| FunctionsReadOnly | List and read access to Functions |
| FunctionsFullAccess | Full access to create, read, list, edit and delete Functions |
| MessagingAndQueuingReadOnly | List and read access to Messaging |
| MessagingAndQueuingFullAccess | Full access to create, read, list, edit and delete Messaging |
| RelationalDatabasesReadOnly | List and read access to Managed Database for PostgreSQL and MySQL |
| RelationalDatabasesFullAccess | Full access to create, read, list, edit and delete Managed Database for PostgreSQL and MySQL |
| ObjectStorageReadOnly | List and read access to Object Storage |
| ObjectStorageFullAccess | Full access to create, read, list, edit and delete Object Storage |
| ObjectStorageObjectsRead | Read access to objects, tags, metadata and storage class |
| ObjectStorageBucketsRead | Read access to buckets and bucket configuration including lifecycle rules |
| ObjectStorageObjectsWrite | Access to create and edit objects, tags, metadata and storage class |
| ObjectStorageObjectsDelete | Access to delete objects |
| ObjectStorageBucketsWrite | Access to create and edit buckets, bucket configuration including lifecycle rules |
| ObjectStorageBucketsDelete | Access to delete buckets |
| RedisReadOnly | List and read access to Managed Database for Redisâ„¢ |
| RedisFullAccess | Full access to create, read, list, edit and delete Managed Database for Redisâ„¢ |
| PrivateNetworksFullAccess | Full access to create, read, list, edit and delete Private Networks |
| VPCGatewayReadOnly | List and read access to Public Gateways |
| VPCGatewayFullAccess | Full access to create, read, list, edit and delete Public Gateways |
| LoadBalancersReadOnly | List and read access to Load Balancer |
| LoadBalancersFullAccess | Full access to create, read, list, edit and delete Load Balancer |
| DomainsDNSReadOnly | List and read access to Domains and DNS |
| DomainsDNSFullAccess | Full access to create, read, list, edit and delete Domains and DNS |
| ContainerRegistryReadOnly | List and read access to Container Registry |
| ContainerRegistryFullAccess | Full access to create, read, list, edit and delete Container Registry |
| IoTReadOnly | List and read access to IoT Hub |
| IoTFullAccess | Full access to create, read, list, edit and delete IoT Hub |
| ObservabilityReadOnly | List and read access to Observability |
| ObservabilityFullAccess | Full access to create, read, list, edit and delete Observability |
| TransactionalEmailReadOnly | List and read access to Transactional Email |
| TransactionalEmailFullAccess | Full access to create, read, list, edit and delete Transactional Email |
| TransactionalEmailDomainReadOnly | Read access to domains in Transactional Email. Does not include permissions for e-mails |
| TransactionalEmailDomainFullAccess | Full access to domains in Transactional Email. Does not include permissions for e-mails |
| TransactionalEmailEmailReadOnly | Read access to e-mails in Transactional Email. Does not include permissions for domain configuration |
| TransactionalEmailEmailFullAccess | Full access to e-mails in Transactional Email. Does not include permissions for domain configuration |
| WebHostingReadOnly | List and read access to Web Hosting |
| WebHostingFullAccess | Full access to create, read, list, edit and delete Web Hosting |
| SecretManagerReadOnly | List and read secrets’ metadata (name, tags, creation date, etc.). Does not include permissions for data (versions) accessing or editing |
| SecretManagerFullAccess | Full access to create, read, list, edit and delete secrets in Secret Manager |
| SecretManagerSecretAccess | Full access to secrets’ metadata and data (versions) in Secret Manager. Does not include permissions for data editing |
| BlockStorageReadOnly | List and read access to Block Storage |
| BlockStorageFullAccess | Full access to create, read, list, edit and delete in Block Storage |
See Also