How to write Exoscale IAM Policies
The following is a collection of good practices and examples of to write effective Policies to control authorization of Users and API Keys at Exoscale.
Rule based authorization 101
{
"default-service-strategy": "deny",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"action": "deny",
"expression": "resource.sks_nodepool.name in ['important-nodepool', 'foobar']"
},
{
"action": "allow",
"expression": "true"
}
]
}
}
}
A rule-based service policy consists of a list of one or more rules:
- Rules are composed of an Expression - against which the request is evaluated, and an Action - the resulting decision should the evaluated expression returns TRUE.
- Expressions are written in the Common Expression Language CEL
- Rules are evaluated in order
- Operator precedence is defined in the CEL language specification
- If the
expressionof a rule is valid, itsactionbecomes the authorization output -allowordeny. - If the
expressionof a rule is invalid, nothing is concluded and we evaluate the next rule - If no rule is valid, the request is not authorized to proceed regardless of the default service strategy.
The authorization flow will process each rule in order. The first valid rule will short-circuit the authorization process, resulting in its action (either allow or deny) - equivalent to an OR condition between rules. If all rules are exhausted the request is rejected, regardless of the default service strategy.
CEL bindings
A binding refers to the coupling of a variable in a CEL expression and its corresponding value at the time the expression is evaluated.
The top-level bindings are:
service- the service class in scope (ex: “sos”, “instance-pool”, etc)zone- the zone where the call is attempted (ex: “ch-gva-2”)now- a CEL timestamp (string, can be coerced to CEL timestamp in expressions via timestamp(now))source_ip- the ip of the callerapi_key- the exoscale api key of the callerEXO1234...operation- the operation performed (ex: “scale-instance-pool”)identity- the caller’s identity. A map containing the following keys:identity.key- the caller’s exoscale API keyEXO1234...identity.created- the CEL timestamp of the key’s creationidentity.description- the key’s description (name)identity.org.uuid- the caller’s organization UUIDidentity.org.name- the caller’s organization name
parameters- parameters passed to the command (ex: parameters.size -> 3)resources- a map of resource type -> resource (varies depending on the call, see IAM Reference: Operations and Resources)
The resources and parameters bindings are special, as they don’t resolve to mere literals, they can contain nested bindings.
The key difference between parameters and resources is the later might contain metadata that is not in the request payload.
For example:
parameters.foo == 'bar'restrict the call if the inputfoois equal tobar.parameters.foo.bar == 'baz'orparameters.foo == {'bar':'baz'}- restrict the call if the input objectfoohas a keybarequal tobazparameters.foo.exists(k, k.bar == 'baz')- restrict the call if the input collectionfoohas and object with a keybarequals tobazresources.elastic_ip.ip == 10.10.10.10- restrict the call on anelastic_ipresource that has the specified IP address.resources.instance_pool.id == "d4c1673a-a342-4a0f-b8e7-b2da4091ddfd"- restrict the call on aninstance_poolthat has the specified ID.
The IAM Reference: Operations and Resources contains the necessary information to map any API endpoint to its corresponding operation, parameters, and resources bindings.
CEL Best Practices
Split expressions into rules
When writing a rule with more than one condition, it becomes more manageable to write several smaller rules.
This can be achieved as long as the conditions are separated by OR operands.
[
{
"action": "allow",
"expression": "operation == 'list-buckets' || resources.bucket.startsWith('public-')"
}
]
is equivalent to
[
{
"action": "allow",
"expression": "operation == 'list-buckets'"
},
{
"action": "allow",
"expression": "resources.bucket.startsWith('public-')"
}
]
Write a catch-all rule
Sometimes, we want our service to have a different default behavior than the rest, while still abiding to some rules.
Because rules are evaluated in order, we can achieve this by writing a catch-all rule at the end of the list.
This is also useful to prevent unexpected authorization failures due to no rule matching the request, it is particularly useful when writing organization policies where you may wish to prevent certain calls across the organization (such as deleting an instance with a particular label, or modifying a particular security group):
{
"default-service-strategy": "allow",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"action": "deny",
"expression": "'foo' in resource.sks_cluster.addons"
},
{
"action": "allow",
"expression": "true"
}
]
}
}
}
Don’t mix resources in a single rule
Every request may load a specific number of resources in order to have enough information to evaluate the rule properly. This means that not every rule will be able to evaluate every request.
For example: the expression "resource.security-group.name == 'dev-sg'" assumes the presence of a security group resource has been loaded into the context.
Consider the incoming request is GET /instance-pool/<id> (listing instance pools). Both instance pools and security groups belong to the compute service, thus the aforementioned CEL expression will be evaluated. However, only the instance pool resource is loaded for get-instance-pool so a CEL expression that refers to resources.instance_pool.id and resources.security_group.id cannot result in a match for the get-instance-pool endpoint.
Even if the expression includes an instance pool parameter "resource.security_group.name == 'dev-sg' && size(resource.instancepool.instances) > 2", it will be invalid too.
Therefore we strongly recommended to write separate rules based on the resource types, and to match on the operation or a list of operations when checking resource rules.
CEL extensions
We currently have the following CEL functions added as extensions:
inIpRange(<string IP>, <string Range>): returns true ifIPis withinRange.
source_ip.inIpRange('127.0.0/24')
inIpRange(source_ip, '127.0.0/24')
resources.instance.ipv6_address.inIpRange('2001:0db8:85a3:0000:0000:0000:0000:0000/64')
Compute
Allow only requests that load an instance resource - eg. the resize-instance-disk operation - whose labels include "dev".
{
"default-service-strategy": "allow",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"action": "allow",
"expression": "!has(resources.instance)"
},
{
"action": "allow",
"expression": "'dev' in resources.instance.labels"
}
]
}
}
}
The first rule !has(resources.instance) is needed because the second rule will fail for any request that doesn’t involve an instance, thus denying authorization.
Warning
A lookup on a non-existing binding will trigger an error within the CEL evaluator and short-circuit to a failed expression. The use of has(some.binding.foo) is very useful to avoid this situation.
Allow read only operations:
operation.startsWith('get-') || operation.startsWith('list-')
Allow an instance pool to be scaled to a size of 2, 3, or 4.
operation == 'scale-instance-pool' && int(parameters.size) >= 2 && int(parameters.size) <= 4
Prevent the deletion of the load balancer with the name my-nlb:
operation == 'delete-load-balancer' && resources.load_balancer.name == 'my-nlb'
Prevent the deletion of nodepools on the SKS cluster named my-sks-cluster:
operation == 'delete-sks-nodepool' && resources.sks_cluster.name == 'my-sks-cluster'
Only allow calls to create instance where public_ip_assignment has been specified and where the public_ip_assignment is set to none.
{
"default-service-strategy": "allow",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"action": "deny",
"expression": "operation == 'create-instance' && (!parameters.has('public_ip_assignment') || parameters.public_ip_assignment != 'none')"
},
{
"action": "allow",
"expression": "true"
}
]
}
}
}
Prevent the creation and modification of resources in the zone ch-dk-2, this could also be written with the simpler rule zone == 'ch-dk-2' but errors will be visible on some tooling such as the UI which shows resources across all zones - so allowing read only calls can be useful:
{
"default-service-strategy": "allow",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"expression": "zone == 'ch-dk-2' && !(operation.startsWith('get-') || operation.startsWith('list-'))",
"action": "deny"
},
{
"expression": "true",
"action": "allow"
}
]
}
}
}
Allow/deny calls from a given source IP:
source_ip == '188.61.116.99'
Allow/deny calls from a list of source IPs:
source_ip in ['188.61.126.88', '188.61.116.99']
Allow only Snapshot creation and export, and no deletion:
{
"default-service-strategy": "deny",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"expression": "operation in ['create-snapshot', 'export-snapshot']",
"action": "allow"
},
{
"expression": "operation.startsWith('get-') || operation.startsWith('list-')",
"action": "allow"
}
]
}
}
}
Allow creation of Private Instances only:
{
"default-service-strategy": "deny",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"expression": "operation in ['create-instance','create-instance-pool'] && (!parameters.has('public_ip_assignment') || parameters.public_ip_assignment != 'none')",
"action": "deny"
},
{
"expression": "true",
"action": "allow"
}
]
}
}
}
Allow reboot only of any Compute Instance:
{
"default-service-strategy": "deny",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"expression": "operation.startsWith('get-')",
"action": "allow"
},
{
"expression": "operation.startsWith('list-')",
"action": "allow"
},
{
"expression": "operation in ['reboot-instance']",
"action": "allow"
}
]
}
}
}
Allow read-only operations on any Compute Instance:
{
"default-service-strategy": "deny",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"expression": "operation.startsWith('get-')",
"action": "allow"
},
{
"expression": "operation.startsWith('list-')",
"action": "allow"
}
]
}
}
}
List/query Audit-Trail Events but restrict any other operation:
{
"default-service-strategy": "allow",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"expression": "operation == 'list-events'",
"action": "allow"
}
]
}
}
}
DNS
Allow the retrieval of domains and records:
operation in ['list-dns-domains', 'get-dns-domain', 'list-dns-domain-records', 'get-dns-domain-record']
Allow the creation of domains that end with .ch:
operation == 'create-dns-domain' && parameters.unicode_name.endsWith('.ch')
Allow the creation of TXT records only (on any domain):
operation == 'create-dns-domain-record' && parameters.type == 'TXT'
Allow TXT records to be updated and deleted:
operation in ['update-dns-domain-record', 'delete-dns-domain-record'] && resources.dns_domain_record.type == 'TXT'
Allow the creation of A records on the domain my-test-domain.ch:
operation == 'create-dns-domain-record' && resources.dns_domain.unicode_name == 'my-test-domain.ch' && parameters.type == 'A'
Only allow TTLs in the range of 600 (10 minutes) to 7200 (2 hours):
operation in ['create-dns-domain-record', 'update-dns-domain-record'] && int(parameters.ttl) < 600 && int(parameters.ttl) > 7200
DBaaS
Prevent the creation of PostgreSQL services that do not specify a single IP filter of 10.20.0.0/16 (note: the order of deny rules in a policy is important, as the first rule that matches will either allow or deny the request):
operation == 'create-dbaas-service-pg' && !parameters.ip_filter.exists_one(x, x == '10.20.0.0/16')
Allow the creation of PostgreSQL services with the hobbyist-2 or startup-4 plans:
operation == 'create-dbaas-service-pg' && parameters.plan in ['hobbyist-2', 'startup-4']
Prevent the creation of dbaas resources in the zone CH-DK-2:
operation.startsWith('create-dbaas-') && zone == 'ch-dk-2'
Prevent the deletion of dbaas services in the zone CH-GVA-2:
operation.startsWith('delete-dbaas-service-') && zone == 'ch-gva-2'
Allow the PostgreSQL service my-service to be retrieved:
operation == 'get-dbaas-service-pg' && parameters.name == 'my-service'
Allow only a specific User or API Key to see his Kafka secrets
operation = 'reveal-dbaas-kafka-user-password' && parameters.username = 'a-user'
IAM
Deny requests to the IAM service. Allow all requests to other services.
{
"default-service-strategy": "allow",
"services": {
"iam": {
"type": "deny"
}
}
}
Deny requests to the IAM service for a specific key. Allow all requests to other services regardless of which key is used.
{
"default-service-strategy": "allow",
"services": {
"iam": {
"type": "rules",
"rules": [
{
"action": "allow",
"expression": "api_key != 'EXO123456789'"
}
]
}
}
}
Alternatively this can be written using a deny rule, which is more practical if you want to enforce this within an organization policy:
{
"default-service-strategy": "allow",
"services": {
"iam": {
"type": "rules",
"rules": [
{
"action": "deny",
"expression": "api_key == 'EXO123456789'"
},
{
"action": "allow",
"expression": "true"
}
]
}
}
}
Ensure keys can only be created for a particular role id:
{
"default-service-strategy": "allow",
"services": {
"iam": {
"type": "rules",
"rules": [
{
"action": "deny",
"expression": "operation == 'create-api-key' && parameters.role_id != '<my-role-id uuid>'"
},
{
"action": "allow",
"expression": "true"
}
]
}
}
}
Prevent updates and deletion of a role named ‘my-role’:
operation in ['update-iam-role', 'update-iam-role-policy', 'delete-iam-role'] && resources.iam_role.name == 'my-role'
Allow keys to be created, listed, and retrieved:
{
"default-service-strategy": "allow",
"services": {
"iam": {
"type": "rules",
"rules": [
{
"action": "allow",
"expression": "operation in ['create-api-key', 'list-api-keys', 'get-api-key']"
}
]
}
}
}
Create a time-expiring IAM Key limited to the Compute service class (5 minutes in the example):
{
"default-service-strategy": "deny",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"expression": "timestamp(identity.created) < timestamp(now) - duration('5m')",
"action": "deny"
},
{
"expression": "true",
"action": "allow"
}
]
}
}
}
Object Storage (SOS)
The following policy allows listing and retrieving objects on the bucket my-bucket, no other operations or buckets are allowed meaning that the caller will not be able to list buckets or to look at the properties of a bucket using the exo storage show command.
{
"default-service-strategy": "deny",
"services": {
"sos": {
"type": "rules",
"rules": [
{
"expression": "parameters.bucket == 'my-bucket' && operation in ['list-objects', 'get-object']",
"action": "allow"
}
]
}
}
}
A more elaborate policy is provided in the next example:
- Allows listing all buckets in the organization via the Exoscale CLI
exo storage lsor aws cliaws s3 ls. Other S3 compatible tooling may require additional operations to be added, - Operations relating to a bucket are restricted, only
my-bucketandmy-other-bucketare allowed, attempts to list objects in other buckets will be rejected. - The last rule in the policy relates to usage via the Exoscale CLI, more operations are needed to support
exo storage show sos://my-bucket. - The order of the rules is important due to the way the
denyrule has been written, in order to allow listing buckets the expression containinglist-bucketsmust come before thedenyexpression.
{
"default-service-strategy": "deny",
"services": {
"sos": {
"type": "rules",
"rules": [
{
"expression": "operation in ['list-sos-buckets-usage', 'list-buckets']",
"action": "allow"
},
{
"expression": "!(parameters.bucket in ['my-bucket', 'my-other-bucket'])",
"action": "deny"
},
{
"expression": "operation in ['list-objects', 'get-object']",
"action": "allow"
},
{
"expression": "operation in ['get-bucket-acl', 'get-bucket-cors', 'get-bucket-ownership-controls']",
"action": "allow"
}
]
}
}
}
Allow/deny reading/writing on a specific public prefix:
operation in ['get-object', 'put-object'] && parameters.key.startsWith('public')
Allow only read operations on a certain bucket:
{
"default-service-strategy": "deny",
"services": {
"sos": {
"type": "rules",
"rules": [
{
"expression": "resources.bucket != 'YOUR-BUCKET-NAME'",
"action": "deny"
},
{
"expression": "operation.startsWith('get-')",
"action": "allow"
},
{
"expression": "operation.startsWith('head-')",
"action": "allow"
},
{
"expression": "operation.startsWith('list-')",
"action": "allow"
}
]
}
}
}
User management and portal access
Most commonly, you will need an IAM Role giving access to all resources in the web portal excluding:
- user management
- billing management
This policy will be defined as:
{
"default-service-strategy": "allow",
"services": {
"iam": {
"type": "rules",
"rules": [
{
"expression": "operation in ['add-user', 'remove-user', 'list-users', 'update-user-role']",
"action": "deny"
},
{
"expression": "true",
"action": "allow"
}
]
}
}
}
Warning
In order for this IAM Policy to be effective it’s important to mark the role as non-editable.
A more restrictive policy excluding IAM completely:
{
"default-service-strategy": "allow",
"services": {
"iam": {
"type": "deny"
}
}
}
A simple policy allowing only the usage of the Compute service class:
{
"default-service-strategy": "deny",
"services": {
"compute": {
"type": "allow"
}
}
}
For any other case you can refer to the different service class examples in this page.
Note
If you desire to be more restrictive in your Policy, keep in mind that in order to work properly the web portal always requires access to the following operations:
Without those two operations the web portal cannot function, you should always include them in your Policy if you wish to customize it heavily.
Note
Including the ones previously mentioned, other calls might be still required for the portal to be able to bootstrap a specific view. The best way to learn about those is to check your web inspector to identify the required calls. Also, the calls might vary over time, as we add more features to the web portal, eventually leading to the need of adapting your policy.
A concrete example of a more restrictive policy giving access only to a single Object Storage Bucket:
{
"default-service-strategy": "deny",
"services": {
"compute": {
"type": "rules",
"rules": [
{
"expression": "operation in ['list-zones', 'get-operation']",
"action": "allow"
},
]
},
"sos": {
"type": "rules",
"rules": [
{
"expression": "parameters.bucket == 'my-bucket'",
"action": "allow"
}
]
}
}
}
This would let the user operate only on my-bucket and nothing else in the web portal. This also means the user will not be able to “navigate” to the bucket, as we have not allowed other operations as e.g. list-buckets-usage that are required for the different views involved in the navigation to be loaded. You will hence need to share the exact URL to the required view to your user:
https://portal.exoscale.com/storage/buckets/ch-dk-2/my-bucket/contents/
Understanding a forbidden API call
Here are possible scenarios when the API returns a 403 Forbidden response.
forbidden by [role|org] policy, [compute|sos|dns|iam]: Unable to find an operation in the list defined by the policy. The message indicates that on the specific policy (at role or organization level), the performed operation is not specified with eitherdenyorallowaction. As the parser is not able to find a single match - the call is denied. The message also shows a service-class the restriction belongs to.
Note
If the goal is to restrict a key to a specific operation or resource, but at the same time allow any other type of operations - {"action":"allow" "expression":"true"} could be added to the end of the rules set.
forbidden by [role|org] policy, [compute|sos|dns|iam] - A deny rule matched. Rule index: *INDEX_NUMBER*This extended version of the previous message, will appear when a policy has rules whose action isdenyand matches the performed call. The index indicates the sequence number of the rule in the rules set starting at 0 for the first rule.