IAM Quick Start

Tagged in

Exoscale offers you multiple ways to interact with the platform in a programmatic way, from either a command line, your favorite programming language, or some of our integrations to 3rd party tools.

To do so you have first to generate an API access key and its secret to be used in such tools.

Generating API access keys

You can create API access keys either from the UI or the exo CLI. Since you need an API key to configure the CLI, the first API access key can only be obtained via the UI.

The following example shows you how to create such an API access key using the exo CLI, and assume you’ve configured the CLI previously with an unrestricted API access key.

Create a new API access key:

exo iam access-key create example-access-key

This will create an unrestricted API access key that can use all API operations: when you create a new API access key, it inherits permissions from the API access key used during the create operation.

However, for most use cases it is advisable to create a restricted API access key that can only be used for certain operations. This can be achieved by passing the --operation flag for listing individual API operations, and --tag for a set of related operations.

The following example restricts the new API access key to the Compute-related operations:

exo iam access-key create example-access-key --tag compute

Multiple operations can be passed separated by commas. The following example also showcases how you can specify single commands under a service:

exo iam access-key create my-restricted-key \
    --operation list-zones                  \
    --operation list-access-keys

To list the full set of possible operations:

exo iam access-key list-operations

To list the API operations supported by the currently used API access key (note: requires the current API access key to be allowed to perform the list-access-key-operations operation):

exo iam access-key list-operations --mine

About Async Commands

Be aware that by restricting an API access key operations, you will not be able to use that same key to query the result of asynchronous API operations unless you include to the get-operation operation; you can find the list of asynchronous API operations in the Exoscale API documentation.

Be also aware that get-operation may contain sensitive information (e.g. Compute instance details including passwords, immediately after creation and until purge of the job queue).

API access keys can be listed with:

exo iam access-key list

API access keys can be revoked, and once revoked they cannot be recovered. To revoke a key:

exo iam access-key revoke EXO...

Restricting API access keys to resources

API access keys can be restricted to limited resources. To do so, you can use the --resource flag during creation.

Available on Object Storage Only

Currently, the only supported resource is SOS bucket (via sos/bucket: prefix).

The following example restrict the new API access key to some-bucket SOS bucket:

exo iam access-key create sos-example-bucket-only \
    --operation get-sos-object                    \
    --operation list-sos-bucket               \
    --resource sos/bucket:example-bucket

Use an Existing API access key as a Template for a New Key

There is no way to update an API access key once it has been created, they are immutable by design. If you want to change an API key, you will need to generate a new one.

To ease this process for complex keys, you can take advantage of the “Use as a Template” functionality available on the web portal: this will use an existing key restrictions to populate the creation view, so you can reduce the amount of work needed in creating identical or slightly modified keys.