
Policies

IAM Policies are statements that define the permissions of users, groups and applications in Scaleway Organizations.

They are composed of:

Principal

A principal is an entity that can be attached to a policy. Currently you can attach either a user, a group or an application to a policy. Only one principal can be attached to each policy.

Rules

A rule is the part of a policy that defines the permissions of the policy’s principal, and the scope of these permissions. It consists of a scope (at Project level or Organization level) and one or more permission sets (e.g. “list all Instances”).

Note:

A policy can have one or many rules.

Scope

A scope defines where the permission sets should apply. At Scaleway, a scope can be at Project or Organization level.

  • Projects group your Scaleway resources (e.g. Instances, Object Storage buckets, Managed Databases, etc.) together. An Organization may have many Projects, or just one default Project. If you choose to define the scope at Project level, you can select one, many, or all Projects. When you then define the permission sets for this scope, you can give access to different resources within the selected Project(s).
  • An Organization is made of one or several Projects. IAM, billing, support and abuse tickets, and Project management are handled at Organization level, so choose an Organization scope to give access to these features.

Permission sets

A permission set consists of one or multiple permissions to perform actions on resources or features. Each permission set has a clear description, e.g. InstancesFullAccess, InstancesReadOnly, DatabaseFullAccess, BillingReadOnly.

Note:

You can find a detailed list of all permission sets available at Scaleway in the permission sets reference page.

Example rule

The rule below defines various levels of access to different resources in Project A.

Scope: Project “A”
Permission sets: InstancesFullAccess, ObjectStorageReadOnly, DatabasesFullAccess

Example policy

The policy below states that the application production-c can create, list, delete and manage Instances and Databases in Project A, but can only list and read Object Storage resources there; a second rule grants it a different set of permissions in Project F.

Principal: IAM Application production-c

Rule 1:
Scope: Project “A”
Permission sets: InstancesFullAccess, ObjectStorageReadOnly, DatabasesFullAccess

Rule 2:
Scope: Project “F”
Permission sets: ContainerRegistryFullAccess, ContainersReadOnly, DatabasesFullAccess

JSON policy example

{
  "application": "production-c",
  "rules": [
    {
      "projects": ["A"],
      "permission_sets": ["InstancesFullAccess", "ObjectStorageReadOnly", "DatabasesFullAccess"]
    },
    {
      "projects": ["F"],
      "permission_sets": ["ContainerRegistryFullAccess", "ContainersReadOnly", "DatabasesFullAccess"]
    }
  ]
}

If necessary, we could add more rules to the policy, giving production-c additional permissions in other Projects, or at Organization level.
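As an added example (not Scaleway's code), the small evaluator below loads the policy shape shown on this page, checks the structural rules the text describes, and answers "does this principal hold permission set P in Project Y?" with deny as the default. The "organization" rule key and the user policy for alice@example.test are assumptions of this example; the page only shows the "projects" key.

```python
# Added example (not Scaleway's code): evaluate policies in the shape shown
# on this page. Structure checked: exactly one principal per policy, at
# least one rule, each rule scoped to Project(s) or to the Organization,
# each rule carrying permission sets. Evaluation is deny-by-default.
# The "organization" rule key is an assumption; the page shows only "projects".
import json
PRINCIPAL_KEYS = ("user", "group", "application")

# Constructed sample input: the page's policy plus a hypothetical user policy.
POLICIES = [json.loads(s) for s in ("""
{"application": "production-c", "rules": [
  {"projects": ["A"],
   "permission_sets": ["InstancesFullAccess", "ObjectStorageReadOnly", "DatabasesFullAccess"]},
  {"projects": ["F"],
   "permission_sets": ["ContainerRegistryFullAccess", "ContainersReadOnly", "DatabasesFullAccess"]}]}
""", """
{"user": "alice@example.test", "rules": [
  {"organization": true, "permission_sets": ["BillingReadOnly"]}]}
""")]

def validate(policy):
    """Raise ValueError if the policy breaks the structure described above."""
    if sum(k in policy for k in PRINCIPAL_KEYS) != 1:
        raise ValueError("a policy has exactly one principal")
    if not policy.get("rules"):
        raise ValueError("a policy has at least one rule")
    for rule in policy["rules"]:
        if bool(rule.get("projects")) == bool(rule.get("organization")):
            raise ValueError("a rule is scoped to Project(s) or to the Organization")
        if not rule.get("permission_sets"):
            raise ValueError("a rule has at least one permission set")

def principal_of(policy):
    return next(policy[k] for k in PRINCIPAL_KEYS if k in policy)

def allowed(policies, principal, permission_set, project=None):
    """True if a rule grants permission_set to principal in `project`,
    or at Organization level when project is None; otherwise False."""
    for policy in policies:
        validate(policy)
        if principal_of(policy) != principal:
            continue
        for rule in policy["rules"]:
            if permission_set not in rule["permission_sets"]:
                continue
            if project is None and rule.get("organization"):
                return True
            if project is not None and project in rule.get("projects", []):
                return True
    return False
```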
