If this API key will be used for Object Storage, make sure to select the Project in question as its preferred Project for Object Storage when creating the key.
Reproducing roles and Project-scoped API keys with IAM
Identity and Access Management provides a set of concepts and features to help you easily manage access to your Scaleway Organization.
If you created your Organization before December 5 2022, you may be used to using roles and Project-scoped API keys to grant rights:
- Each user could have a role (Administrator, Billing Administrator or Editor) which gave specific permissions.
- In each Project, API keys could be created, which gave full access to all resources within this Project.
We strongly recommend that you apply the principle of the least privilege when setting up access to the Organization. This means that all users and applications should be able to perform the actions they need, but not more. This principle is best achieved by using all available IAM features to define granular permissions for users and API keys. However, to make the migration from the “old” system to the new one easier, on this page we explain how you can reproduce the former system (roles and Project-scoped API keys) under IAM.
How can I reproduce the deprecated roles of Administrator, Billing Administrator and Editor?
When your Organization was migrated to IAM, three groups were created, with three policies attached to them.
You can keep adding users to these groups if you want to preserve the “old” system of roles and their corresponding rights. Make sure that you therefore do not delete the groups that were created during the migration process.
If you previously deleted these groups from your Organization, you can recreate them by following these steps:
-
Create a group from the Groups tab, preferably with a name related to the corresponding role (e.g. “Administrators”, “Editors” or “Billing Administrators”).
-
Create a policy from the Policies tab, attached to the group you have just created and with the appropriate permission sets:
Former role | Necessary Permission Set | Scope for the Permission Set |
---|---|---|
Administrator | OrganizationManager AllProductsFullAccess | Organization All and current future Projects |
Editor | AllProductsFullAccess | All current and future Projects |
Billing Administrator | BillingManager OrganizationReadOnly | Organization Organization |
How can I reproduce Project-scoped API keys?
When your Organization was migrated to IAM, for each Project existing at the time of the migration, an application and a policy were automatically created. These were both given the same name: Project - [name of the project] (id of the project)
.
If you want to create Project-scoped API keys for Projects created after your Organization migrated to IAM, follow these steps:
- Create an application, preferably with a name related to the Project.
- Create a policy from the policy tab, attached to the application you just created and with the permission set
AllProductsFullAccess
for the Project in question.
Going forward, whenever you wish to create a new API key with full access to this Project, you can simply go to the application’s overview page, click the API keys tab, and create a new key.