NavigationContentFooter
Jump toSuggest an edit

Policies

Reviewed on 16 October 2024

IAM Policies are statements that define the permissions of users, groups, and applications in Scaleway Organizations.

They are composed of:

  • a principal - a user, group, or application,
  • one or more IAM rules - consisting of permission sets bound to a scope.

Principal

A principal is an entity that can be attached to a policy. Currently, you can attach either a user, a group, or an application to a policy. Only one principal can be attached to each policy.

Tip

If a user or application is the principal of multiple policies, whether as sole principal or as part of a group, they benefit from all the permissions defined in each of these policies.

Rules

A rule is the part of a policy that defines the permissions of the policy’s principal, and the scope of these permissions. It consists of a scope (at Project level or Organization level) and one or more permission sets (eg. “list all Instances”).

Note

A policy can have one or many rules. Note that rules can only give access to the specified actions/resources. You cannot create a rule that explicitly denies access to specific actions/resources. In any case, the default starting point for any user or application other than the Organization’s owner, is that they have zero permissions other than those defined via policies attached to them.

Scope

A scope defines where the permission sets should apply. At Scaleway, a scope can be at Project or Organization level.

  • Projects group your Scaleway resources (eg. Instances, Object Storage buckets, Managed Databases etc.) together. An Organization may have many Projects, or just one default Project. If you choose to define scope at Project level, you can select one, many, or all Projects. When you then define the permission sets for this scope, you can give access to different resources within the Project(s).
  • an Organization is made of one or several Projects. IAM, billing, support and abuse tickets and project management are managed at Organization level, so choose an Organization scope to give access to these features.

Permission sets

A permission set consists of one or multiple permissions to perform actions on resources or features. Each permission set has a clear description, e.g. InstancesFullAccess, InstancesReadOnly, RelationalDatabaseFullAccess, BillingReadOnly.

Note

You can find a detailed list of all permission sets available at Scaleway in the permission sets reference page.

Example rule

The rule below defines various levels of access to different resources in Project A.

Scope
Project “A”
Permission set
InstancesFullAccess, ObjectStorageReadOnly, RelationalDatabasesFullAccess

Example policy

The policy below states that the application production-c can create, list, delete and manage Instances and Databases in Project A, but for Object Storage it can only list and read the resources.

Principal
IAM Application production-c

Rule 1:

Scope
Project “A”
Permission set
InstancesFullAccess, ObjectStorageReadOnly, RelationalDatabasesFullAccess

Rule 2:

Scope
Project “F”
Permission set
ContainerRegistryFullAccess, ContainersReadOnly, RelationalDatabasesFullAccess
Note

There is no notion of priority when it comes to IAM policies. Policies do not compete with each other, they simply combine to bestow all the permissions defined within them to any given principal.

JSON policy example

{
  "application": "production-c",
  "rules": [
    {
      "projects": ["A"],
      "permission_sets": ["InstancesFullAccess", "ObjectStorageReadOnly", "RelationalDatabasesFullAccess"]
    },
    {
      "projects": ["F"],
      "permission_sets": ["ContainerRegistryFullAccess", "ContainersReadOnly", "RelationalDatabasesFullAccess"]
    }
  ]
}

If necessary, we could add more rules to the policy, giving production-c additional permissions in other Projects, or at Organization level.

Was this page helpful?
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2025 – Scaleway