
Permission sets

Permission sets and their scope make up IAM rules, which define the access rights that a principal (user, group or application) should have. A permission set consists of one or more permissions.

Permission set names describe their purpose. For example, the permission set that grants access to all actions you can perform on Instances is called InstancesFullAccess.

Below is a list of the permission sets available at Scaleway.

Scoped by Organization

| Permission set | Description |
| --- | --- |
| ProjectManager | Full access to Project management. This means access to create, rename, list and delete Projects. It does not include access to Project resources |
| ProjectReadOnly | Read access to Project management. Does not include access to Project resources |
| IAMReadOnly | Read access to IAM. This means list and read access to users, groups, applications, policies, and API keys |
| IAMManager | Full access to IAM. This means access to all possible actions for users, groups, applications, policies and API keys, plus all ProjectManager permissions |
| BillingReadOnly | List and read access to billing information |
| BillingManager | Full access to billing management. This means access to list, read and edit billing contact information, payment information, billing alerts and invoices |
| OrganizationManager | Full access to Organization management. This means access to all possible actions for Projects, IAM, billing and support/abuse tickets. Does not include access to list and create resources |
| OrganizationReadOnly | Read access to the Organization's general information (e.g. Organization ID and quotas) |
| SupportTicketManager | Full access to support tickets. This means access to create, read and update support tickets in the Organization |
| SupportTicketReadOnly | List and read access to support tickets |
| AbuseTicketManager | Full access to abuse tickets. This means access to create, read and update abuse tickets in the Organization |
Important:

Any user or application holding the IAMManager and/or OrganizationManager permission set can create policies that give themselves access to any other actions and resources within the Organization.
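As an added example (not Scaleway's code), the following linter checks a policy's rules against the two tables on this page: it flags a permission set applied at a scope other than the one it is listed under, and it reports any rule carrying IAMManager or OrganizationManager so that it gets reviewed as a full Organization admin grant. The rule schema (permission_set_names plus either organization_id or project_ids) and the sample policy are assumptions made for this example.

```python
# Added example, not Scaleway's code: lint a policy's rules against the scopes
# listed on this page. The rule schema (permission_set_names plus either
# organization_id or project_ids) is an assumption made for this example.

# The permission sets this page lists under "Scoped by Organization".
ORG_SCOPED = {
    "ProjectManager", "ProjectReadOnly", "IAMReadOnly", "IAMManager",
    "BillingReadOnly", "BillingManager", "OrganizationManager",
    "OrganizationReadOnly", "SupportTicketManager", "SupportTicketReadOnly",
    "AbuseTicketManager",
}
# Holders can write policies, so a rule granting these is in effect full
# Organization admin (see the Important note above).
SELF_ESCALATING = {"IAMManager", "OrganizationManager"}


def lint_rule(rule):
    """Return findings for one rule; empty when it is consistent with the page."""
    findings = []
    names = set(rule.get("permission_set_names", []))
    org, projects = rule.get("organization_id"), rule.get("project_ids")
    if bool(org) == bool(projects):
        findings.append("rule must set exactly one of organization_id / project_ids")
    elif org and (misplaced := sorted(names - ORG_SCOPED)):
        findings.append(f"Project-scoped {misplaced} applied at Organization scope")
    elif projects and (misplaced := sorted(names & ORG_SCOPED)):
        findings.append(f"Organization-scoped {misplaced} applied at Project scope")
    if escalating := sorted(names & SELF_ESCALATING):
        findings.append(f"{escalating} can rewrite policies: review as full Organization access")
    return findings


def lint_policy(policy):
    """Map rule index -> findings, for rules that have any."""
    return {i: f for i, r in enumerate(policy["rules"]) if (f := lint_rule(r))}


# Constructed sample: one scope mistake (rule 1) and one admin-equivalent grant (rule 2).
SAMPLE_POLICY = {"name": "ci-deployer", "rules": [
    {"permission_set_names": ["InstancesFullAccess", "ObjectStorageObjectsWrite"],
     "project_ids": ["PLACEHOLDER-PROJECT-ID"]},
    {"permission_set_names": ["BillingReadOnly"],
     "project_ids": ["PLACEHOLDER-PROJECT-ID"]},
    {"permission_set_names": ["IAMManager"],
     "organization_id": "PLACEHOLDER-ORG-ID"},
]}
```

Running `lint_policy(SAMPLE_POLICY)` returns findings only for rules 1 and 2; rule 0 is a correctly scoped, least-privilege grant and produces none.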

Scoped by Project

| Permission set | Description |
| --- | --- |
| AllProductsFullAccess | Full access to create, read, list, edit and delete all resources (products) |
| AllProductsReadOnly | Read access to list and read info for all resources (products) |
| SSHKeysReadOnly | Read access to SSH keys |
| SSHKeysFullAccess | Full access to SSH keys |
| AppleSiliconReadOnly | List and read access to Apple Silicon |
| AppleSiliconFullAccess | Full access to create, read, list, edit and delete Apple Silicon |
| ElasticMetalReadOnly | List and read access to Elastic Metal |
| ElasticMetalFullAccess | Full access to create, read, list, edit and delete Elastic Metal |
| InstancesFullAccess | Full access to create, read, list, edit and delete Instances |
| InstancesReadOnly | List and read access to Instances |
| KubernetesReadOnly | List and read access to Kubernetes |
| KubernetesFullAccess | Full access to create, read, list, edit and delete Kubernetes |
| KubernetesExternalNodeRegister | Attach external nodes to a Kosmos cluster |
| DediboxReadOnly | List and read access to Dedibox |
| DediboxFullAccess | Full access to create, read, list, edit and delete Dedibox |
| ContainersReadOnly | List and read access to Containers |
| ContainersFullAccess | Full access to create, read, list, edit and delete Containers |
| FunctionsReadOnly | List and read access to Functions |
| FunctionsFullAccess | Full access to create, read, list, edit and delete Functions |
| MessagingAndQueuingReadOnly | List and read access to Messaging |
| MessagingAndQueuingFullAccess | Full access to create, read, list, edit and delete Messaging |
| RelationalDatabasesReadOnly | List and read access to Managed Database for PostgreSQL and MySQL |
| RelationalDatabasesFullAccess | Full access to create, read, list, edit and delete Managed Database for PostgreSQL and MySQL |
| ObjectStorageReadOnly | List and read access to Object Storage |
| ObjectStorageFullAccess | Full access to create, read, list, edit and delete Object Storage |
| ObjectStorageObjectsRead | Read access to objects, tags, metadata and storage class |
| ObjectStorageBucketsRead | Read access to buckets and bucket configuration, including lifecycle rules |
| ObjectStorageObjectsWrite | Access to create and edit objects, tags, metadata and storage class |
| ObjectStorageObjectsDelete | Access to delete objects |
| ObjectStorageBucketsWrite | Access to create and edit buckets and bucket configuration, including lifecycle rules |
| ObjectStorageBucketsDelete | Access to delete buckets |
| RedisReadOnly | List and read access to Managed Database for Redis™ |
| RedisFullAccess | Full access to create, read, list, edit and delete Managed Database for Redis™ |
| PrivateNetworksFullAccess | Full access to create, read, list, edit and delete Private Networks |
| VPCGatewayReadOnly | List and read access to Public Gateways |
| VPCGatewayFullAccess | Full access to create, read, list, edit and delete Public Gateways |
| LoadBalancersReadOnly | List and read access to Load Balancer |
| LoadBalancersFullAccess | Full access to create, read, list, edit and delete Load Balancer |
| DomainsDNSReadOnly | List and read access to Domains and DNS |
| DomainsDNSFullAccess | Full access to create, read, list, edit and delete Domains and DNS |
| ContainerRegistryReadOnly | List and read access to Container Registry |
| ContainerRegistryFullAccess | Full access to create, read, list, edit and delete Container Registry |
| IoTReadOnly | List and read access to IoT Hub |
| IoTFullAccess | Full access to create, read, list, edit and delete IoT Hub |
| ObservabilityReadOnly | List and read access to Observability |
| ObservabilityFullAccess | Full access to create, read, list, edit and delete Observability |
| TransactionalEmailReadOnly | List and read access to Transactional Email |
| TransactionalEmailFullAccess | Full access to create, read, list, edit and delete Transactional Email |
| TransactionalEmailDomainReadOnly | Read access to domains in Transactional Email. Does not include permissions for e-mails |
| TransactionalEmailDomainFullAccess | Full access to domains in Transactional Email. Does not include permissions for e-mails |
| TransactionalEmailEmailReadOnly | Read access to e-mails in Transactional Email. Does not include permissions for domain configuration |
| TransactionalEmailEmailFullAccess | Full access to e-mails in Transactional Email. Does not include permissions for domain configuration |
| WebHostingReadOnly | List and read access to Web Hosting |
| WebHostingFullAccess | Full access to create, read, list, edit and delete Web Hosting |
| SecretManagerReadOnly | List and read access to secrets' metadata (name, tags, creation date, etc.). Does not include permission to access or edit secret data (versions) |
| SecretManagerFullAccess | Full access to create, read, list, edit and delete secrets in Secret Manager |
| SecretManagerSecretAccess | Full access to secrets' metadata and data (versions) in Secret Manager. Does not include permission to edit data |
| BlockStorageReadOnly | List and read access to Block Storage |
| BlockStorageFullAccess | Full access to create, read, list, edit and delete in Block Storage |