
Users, groups and applications

IAM users, groups and applications are principals in Scaleway Organizations. A principal is an entity that can be attached to a policy.

Users and applications are capable of bearing API keys. They can have one or more API keys attributed to them.

Users

An IAM user is a human user in an Organization.

They can be of two types:

  • Owner - you are the Owner of the Organization that was created with your account.
  • Guest - you are a Guest when invited to another Organization of which you are not the Owner. Similarly, you can invite other users to be Guests in your Organization.

Within each Organization, different IAM users can have different rights (defined through policies) to perform actions on resources.

Applications

An IAM application is a non-human user in an Organization.

IAM applications may be used when you want to create an API key that is not linked to a user, to give programmatic access to resources.

Note:

Applications cannot by definition have access to the Scaleway console, as they have only an API key and no account themselves (they are not human account root users).

If you want to create an API key that is not linked to any particular human user, in case that user eventually leaves your Organization (e.g. an employee leaves your project or company), you can attribute API keys to an application in your Organization. This way, the API key is linked to a non-human user, and is under no risk of leaving or being removed from the Organization.

Groups

An IAM group is a grouping of users and/or applications.

You can create groups to attach policies to multiple users and/or applications at the same time.

For example, instead of creating two different policies that give user A and application C full access to the Instances in Project B, you can assemble user A and application C into group 1 and attach that group to a single policy:

  • Principal: Group 1 (consisting of user A and application C)
  • Scope: Project B
  • Permission set: InstancesFullAccess

Note:

It is possible to create empty groups, with no users or applications.
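
The Applications and Groups sections above can be checked together against an inventory of principals. The following is an added example, not Scaleway code: it expands group-attached policies into per-principal grants and lists the API keys borne by human users. The inventory layout, `user D`, the key names and both function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    principal: str       # a user, an application or a group
    scope: str           # e.g. a Project
    permission_set: str

# Constructed inventory (hypothetical layout, not a Scaleway export format).
KINDS = {"user A": "user", "user D": "user", "application C": "application"}
GROUPS = {"group 1": ["user A", "application C"], "empty group": []}
POLICIES = [
    Policy("group 1", "Project B", "InstancesFullAccess"),
    Policy("empty group", "Project B", "InstancesFullAccess"),
]
API_KEYS = {"key-1": "user A", "key-2": "application C", "key-3": "user D"}

def effective_access(policies, groups):
    """Expand group-attached policies into per-principal grants."""
    grants = {}
    for pol in policies:
        # A policy on a group applies to every member; an empty group grants nothing.
        members = groups.get(pol.principal, [pol.principal])
        for member in members:
            grants.setdefault(member, set()).add((pol.scope, pol.permission_set))
    return grants

def user_borne_keys(api_keys, kinds, grants):
    """List API keys whose bearer is a human user, with the bearer's grants."""
    findings = []
    for key, bearer in sorted(api_keys.items()):
        if kinds.get(bearer) == "user":
            findings.append((key, bearer, sorted(grants.get(bearer, set()))))
    return findings

if __name__ == "__main__":
    grants = effective_access(POLICIES, GROUPS)
    for key, bearer, reach in user_borne_keys(API_KEYS, KINDS, grants):
        print(f"{key}: borne by {bearer}, grants={reach}")
```

Keys reported here are candidates for moving to an application when they are used for programmatic access.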
