Permission sets
Reviewed on 23 October 2024
Permission sets and their scope make up IAM rules, which define the access rights that a principal (user, group or application) should have. They consist of sets of one or multiple permissions.
Permission set names contain descriptions that clearly explain their purpose. For example, a permission set that grants access to all actions you can perform on Instances is called InstancesFullAccess.
Below is a list of the permission sets available at Scaleway.
Scoped by Organization
Permission set | Description |
---|---|
ProjectManager | Full access to Project management. This means access to create, rename, list and delete projects. It does not include access to Project resources |
ProjectReadOnly | Read access to Project management. Does not include access to Project resources |
IAMReadOnly | Read access to IAM. This means list and read access to users, groups, applications, policies, and API keys |
IAMManager | Full access to IAM. This means access to all possible actions for users, groups, applications, policies and API keys, and all ProjectManager permissions |
BillingReadOnly | List and read access to billing information |
BillingManager | Full access to billing management. This means access to list, read and edit billing contact information, payment information, billing alerts and invoices |
OrganizationManager | Full access to Organization management. This means access to all possible actions for Projects, IAM, billing and support/abuse tickets. Does not include access to list and create resources |
OrganizationReadOnly | Read access to the Organization’s general information (e.g. Organization ID and quotas) |
SupportTicketManager | Full access to support tickets. This means access to create, read and update support tickets in the Organization |
SupportTicketReadOnly | List and read access to support tickets |
AbuseTicketManager | Full access to abuse tickets. This means access to create, read and update abuse tickets in the Organization |
AuditTrailReadOnly | List and read access to Audit Trail events |
Important
Any user or application benefiting from the IAMManager and/or OrganizationManager permission sets is able to create policies giving themselves access to any other actions and resources within the Organization.
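The note above means that IAMManager and OrganizationManager are effectively Organization-wide administrator grants, whatever else a principal holds. A least-privilege review therefore wants to surface every rule that grants them. The following is an added example, not Scaleway's own code or API: it models IAM rules the way this page describes them (a permission set plus a scope), using constructed rule records whose field names (`principal`, `permission_set`, `scope`) are assumptions rather than the Scaleway API schema. It flags the two escalation-capable sets, checks that the Organization-scoped sets from the table above are not attached to a Project scope, and spots a ReadOnly set that is redundant alongside the matching FullAccess set (derived from the naming convention the page states).

```python
"""Least-privilege review of Scaleway-style IAM rules (added example).

Not Scaleway's code. Rule records and field names below are constructed
assumptions; only the permission set names come from the documentation.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Permission sets the documentation says can create policies granting any
# other access within the Organization: treat them as full admin.
ESCALATION_CAPABLE = frozenset({"IAMManager", "OrganizationManager"})

# Permission sets listed under "Scoped by Organization".
ORG_SCOPED = frozenset({
    "ProjectManager", "ProjectReadOnly", "IAMReadOnly", "IAMManager",
    "BillingReadOnly", "BillingManager", "OrganizationManager",
    "OrganizationReadOnly", "SupportTicketManager", "SupportTicketReadOnly",
    "AbuseTicketManager", "AuditTrailReadOnly",
})


@dataclass(frozen=True)
class Rule:
    """One IAM rule: a permission set attached to a principal at a scope.

    scope is the literal "organization" or a project id (assumed format).
    """
    principal: str        # user, group or application
    permission_set: str
    scope: str


def effective_org_admins(rules: Iterable[Rule]) -> Set[str]:
    """Principals that can escalate to any access in the Organization."""
    return {r.principal for r in rules if r.permission_set in ESCALATION_CAPABLE}


def product_of(permission_set: str) -> Optional[str]:
    """Product prefix of a <Product>FullAccess / <Product>ReadOnly name."""
    for suffix in ("FullAccess", "ReadOnly"):
        if permission_set.endswith(suffix):
            return permission_set[: -len(suffix)]
    return None  # e.g. IAMManager, SecretManagerSecretAccess


def lint(rules: List[Rule]) -> List[str]:
    """Return human-readable findings for a list of rules."""
    findings = []
    seen = set(rules)
    for r in rules:
        if r.permission_set in ESCALATION_CAPABLE:
            findings.append(
                f"{r.principal}: {r.permission_set} can create policies granting "
                "any other access in the Organization (effective admin)")
        if r.permission_set in ORG_SCOPED and r.scope != "organization":
            findings.append(
                f"{r.principal}: {r.permission_set} is an Organization-scoped "
                f"permission set but is attached to scope {r.scope!r}")
        product = product_of(r.permission_set)
        if (product and r.permission_set.endswith("ReadOnly")
                and Rule(r.principal, product + "FullAccess", r.scope) in seen):
            findings.append(
                f"{r.principal}: {r.permission_set} is redundant alongside "
                f"{product}FullAccess on scope {r.scope!r}")
    return findings


# Constructed sample rules for the demonstration (not real data).
SAMPLE_RULES = [
    Rule("alice@example.com", "OrganizationReadOnly", "organization"),
    Rule("ci-deployer", "InstancesFullAccess", "proj-1111"),
    Rule("ci-deployer", "InstancesReadOnly", "proj-1111"),
    Rule("ops-group", "IAMManager", "organization"),
    Rule("billing-bot", "BillingReadOnly", "proj-1111"),
]

if __name__ == "__main__":
    print("Effective Organization admins:", sorted(effective_org_admins(SAMPLE_RULES)))
    for finding in lint(SAMPLE_RULES):
        print("-", finding)
```

Run as a script, the sample reports `ops-group` as the only effective admin and produces three findings: the IAMManager grant, the Organization-scoped BillingReadOnly attached to a project, and the redundant InstancesReadOnly. In practice you would populate `SAMPLE_RULES` from an export of your policies and treat every entry in `effective_org_admins` as a break-glass account to be reviewed and monitored through Audit Trail.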
Scoped by Project
Permission set | Description |
---|---|
AllProductsFullAccess | Full access to create, read, list, edit and delete all resources (products) |
AllProductsReadOnly | Read access to list and read info for all resources (products) |
SSHKeysReadOnly | Read access to SSH keys |
SSHKeysFullAccess | Full access to SSH keys |
AppleSiliconReadOnly | List and read access to Apple Silicon |
AppleSiliconFullAccess | Full access to create, read, list, edit and delete Apple Silicon |
ElasticMetalReadOnly | List and read access to Elastic Metal |
ElasticMetalFullAccess | Full access to create, read, list, edit and delete Elastic Metal |
InstancesFullAccess | Full access to create, read, list, edit and delete Instances |
InstancesReadOnly | List and read access to Instances |
KubernetesReadOnly | List and read access to Kubernetes |
KubernetesFullAccess | Full access to create, read, list, edit and delete Kubernetes |
KubernetesExternalNodeRegister | Attach external nodes to a Kosmos cluster |
KubernetesSystemMastersGroupAccess | Gives the Kubernetes system:masters role to perform any action on the cluster |
DediboxReadOnly | List and read access to Dedibox |
DediboxFullAccess | Full access to create, read, list, edit and delete Dedibox |
ContainersReadOnly | List and read access to Containers |
ContainersFullAccess | Full access to create, read, list, edit and delete Containers |
FunctionsReadOnly | List and read access to Functions |
FunctionsFullAccess | Full access to create, read, list, edit and delete Functions |
MessagingAndQueuingReadOnly | List and read access to Messaging |
MessagingAndQueuingFullAccess | Full access to create, read, list, edit and delete Messaging |
ServerlessJobsFullAccess | Full access to create, read, list, edit and delete job definition/run |
ServerlessJobsReadOnly | List and read access to job definition/run |
ServerlessSQLDatabaseReadOnly | List and read access to Serverless SQL Database |
ServerlessSQLDatabaseReadWrite | List, read and write access to Serverless SQL Database. Includes editing data and table structure. Does not include permissions to create databases or edit settings |
ServerlessSQLDatabaseFullAccess | Full access to create, read, list, edit and delete Serverless SQL Database |
RelationalDatabasesReadOnly | List and read access to Managed Database for PostgreSQL and MySQL |
RelationalDatabasesFullAccess | Full access to create, read, list, edit and delete Managed Database for PostgreSQL and MySQL |
ObjectStorageReadOnly | List and read access to Object Storage |
ObjectStorageFullAccess | Full access to create, read, list, edit and delete Object Storage |
ObjectStorageObjectsRead | Read access to objects, tags, metadata, and storage class |
ObjectStorageBucketsRead | Read access to buckets and bucket configuration including lifecycle rules |
ObjectStorageObjectsWrite | Access to create and edit objects, tags, metadata, and storage class |
ObjectStorageObjectsDelete | Access to delete objects |
ObjectStorageBucketsWrite | Access to create and edit buckets, bucket configuration including lifecycle rules |
ObjectStorageBucketsDelete | Access to delete buckets |
RedisReadOnly | List and read access to Managed Database for Redis™ |
RedisFullAccess | Full access to create, read, list, edit and delete Managed Database for Redis™ |
PrivateNetworksFullAccess | Full access to create, read, list, edit and delete Private Networks |
VPCGatewayReadOnly | List and read access to Public Gateways |
VPCGatewayFullAccess | Full access to create, read, list, edit and delete Public Gateways |
VPCFullAccess | Full access to VPC |
VPCReadOnly | Read access to VPC |
AutoscalingFullAccess | Full access to autoscaling |
AutoscalingReadOnly | Read access to autoscaling |
EdgeServicesFullAccess | Full access to Edge Services |
EdgeServicesReadOnly | Read access to Edge Services |
IPAMFullAccess | Full access to IPAM |
IPAMReadOnly | Read access to IPAM |
LoadBalancersReadOnly | List and read access to Load Balancer |
LoadBalancersFullAccess | Full access to create, read, list, edit and delete Load Balancer |
DomainsDNSReadOnly | List and read access to Domains and DNS |
DomainsDNSFullAccess | Full access to create, read, list, edit and delete Domains and DNS |
ContainerRegistryReadOnly | List and read access to Container Registry |
ContainerRegistryFullAccess | Full access to create, read, list, edit and delete Container Registry |
IoTReadOnly | List and read access to IoT Hub |
IoTFullAccess | Full access to create, read, list, edit and delete IoT Hub |
ObservabilityReadOnly | List and read access to Observability |
ObservabilityFullAccess | Full access to create, read, list, edit and delete Observability |
TransactionalEmailReadOnly | List and read access to Transactional Email |
TransactionalEmailFullAccess | Full access to create, read, list, edit and delete Transactional Email |
TransactionalEmailDomainReadOnly | Read access to domains in Transactional Email. Does not include permissions for e-mails |
TransactionalEmailDomainFullAccess | Full access to domains in Transactional Email. Does not include permissions for e-mails |
TransactionalEmailEmailReadOnly | Read access to e-mails in Transactional Email. Does not include permissions for domain configuration |
TransactionalEmailEmailFullAccess | Full access to e-mails in Transactional Email. Does not include permissions for domain configuration |
TransactionalEmailWebhookFullAccess | Full access to Webhooks in Transactional Email |
TransactionalEmailWebhookReadOnly | Read access to Webhooks in Transactional Email |
TransactionalEmailProjectSettingsFullAccess | Full access to Project settings in Transactional Email |
TransactionalEmailProjectSettingsReadOnly | Read access to Project settings in Transactional Email |
WebHostingReadOnly | List and read access to Web Hosting |
WebHostingFullAccess | Full access to create, read, list, edit and delete Web Hosting |
SecretManagerReadOnly | List and read access to secrets’ metadata (name, tags, creation date, etc.). Does not include permission to access or edit secret data (versions) |
SecretManagerFullAccess | Full access to create, read, list, edit, access, and delete secrets and their versions in Secret Manager |
SecretManagerSecretAccess | Read access to versions’ data in Secret Manager. Does not include permissions for data editing |
SecretManagerSecretCreate | Permission to create secrets and their versions in Secret Manager. Does not include permission to update secrets and versions |
SecretManagerSecretDelete | Permission to delete secrets and their versions in Secret Manager |
SecretManagerSecretWrite | Permission to edit the metadata (name, tags, description, etc.) of secrets and their versions in Secret Manager. Does not include permission to create secrets and versions |
BlockStorageReadOnly | List and read access to Block Storage |
BlockStorageFullAccess | Full access to create, read, list, edit and delete in Block Storage |
Important
Some additional permission sets may appear on your Scaleway console if you are enrolled in beta testing for products or features.