
IAM Users

August 12, 2024 
New
Until now, IAM let you create keys whose permissions could be restricted and fine-tuned. While practical and powerful, IAM Keys have always been intended for programmatic usage, whereas users could not be limited in scope beyond the predefined roles:
  • Owner
  • Tech
  • Admin
We are now extending the very same IAM functionality to users of Organizations.
This means you can now limit a user's scope of action in the web portal in the same way as you would for an IAM Key, with precise and fine-grained IAM Roles.
Typical use cases include:
  • give a user read-only access
  • restrict a user to a specific service class, e.g. sos for Object Storage operations
  • generally, fine-tune what a user can see or do in the web portal
It is important to note that:
  • All new Organizations will immediately start with IAM Users
  • All existing Organizations will be migrated to IAM Users on the 16th of September 2024
  • You can voluntarily migrate your existing Organizations to the new system at any time before the 16th of September 2024 at: https://portal.exoscale.com/notifications
  • Once migrated, it is not possible to revert to the "Legacy Roles"
For more information, you can refer to our IAM Documentation: https://community.exoscale.com/documentation/iam/

Migration from "Legacy Roles" to IAM Users for existing Organizations

When migrating to IAM Users, three default IAM Roles will be created for your existing Organization. Those will have almost the same names as the "Legacy Roles" you might be used to:
  • Owner
  • Tech
  • Billing (was "Admin")
The new IAM Roles will have defined policies that will port all existing functionalities to existing users.
This means you do not need to act or modify anything if the current "Legacy Roles" suit you. No difference in behaviour should be expected after migration. Existing users will be assigned to the proper IAM Role based on their "Legacy Role".
After migration you have the ability to modify the Tech IAM Role's Policy to your needs, while the Owner and Billing IAM Roles will be immutable. You can also create new IAM Roles and assign them to existing users.
If you have any questions or doubts, do not hesitate to contact our support team.