IAM Quick Start
Exoscale offers multiple ways to interact with the platform programmatically: from a command line, from your favorite programming language, or through our integrations with third-party tools.
To do so, you first have to generate an API access key and its secret for use in those tools.
Generating API access keys
You can create API access keys either from the UI or the exo CLI. Since you need an API key to configure the CLI, the first API access key can only be obtained via the UI.
The following example shows how to create such an API access key using the exo CLI, and assumes you have previously configured the CLI with an unrestricted API access key.
Create a new API access key:
exo iam access-key create example-access-key
This will create an unrestricted API access key that can use all API operations: when you create a new API access key, it inherits permissions from the API access key used during the create operation.
However, for most use cases it is advisable to create a restricted API access key that can only be used for certain operations. This can be achieved by passing the --operation flag to list individual API operations, and --tag for a set of related operations.
The following example restricts the new API access key to the Compute-related operations:
exo iam access-key create example-access-key --tag compute
Multiple operations can be passed separated by commas. The following example also showcases how you can specify single commands under a service:
exo iam access-key create my-restricted-key \
--operation list-zones \
--operation list-access-keys
To list the full set of possible operations:
exo iam access-key list-operations
To list the API operations supported by the currently used API access key (note: this requires the current API access key to be allowed to perform the list-access-key-operations operation):
exo iam access-key list-operations --mine
About Async Commands
Be aware that if you restrict the operations of an API access key, you will not be able to use that same key to query the result of asynchronous API operations unless you include the get-operation operation; you can find the list of asynchronous API operations in the Exoscale API documentation.
Also be aware that get-operation may contain sensitive information (e.g. Compute instance details including passwords, immediately after creation and until purge of the job queue).
API access keys can be listed with:
exo iam access-key list
API access keys can be revoked, and once revoked they cannot be recovered. To revoke a key:
exo iam access-key revoke EXO...
Restricting API access keys to resources
API access keys can be restricted to limited resources. To do so, you can use the --resource flag during creation.
Available on Object Storage Only
Currently, the only supported resource is SOS bucket (via the sos/bucket: prefix).
The following example restricts the new API access key to the some-bucket SOS bucket:
exo iam access-key create sos-example-bucket-only \
--operation get-sos-object \
--operation list-sos-bucket \
--resource sos/bucket:example-bucket
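As an added example (not part of Exoscale's documentation or tooling), the shell function below assembles the create command shown above from a key name, operation names and optional sos/bucket: resources, and refuses to emit a command that would produce an unrestricted key. The function name restricted_key_cmd, its --async switch and the accepted bucket-name characters are assumptions of this example; it only prints the command and never calls exo.

```shell
#!/bin/sh
# Added example (not Exoscale code): print, without running it, a restricted
# `exo iam access-key create` command, refusing inputs that would widen the key.
# Usage: restricted_key_cmd NAME [--async] [sos/bucket:BUCKET ...] OPERATION ...
restricted_key_cmd() {
    [ $# -ge 1 ] || { echo "usage: restricted_key_cmd NAME [--async] ARGS" >&2; return 2; }
    name=$1; shift
    case $name in
        ""|*[!A-Za-z0-9_-]*) echo "bad key name: $name" >&2; return 2 ;;
    esac
    ops=""; res=""; async=0; has_get=0
    for arg in "$@"; do
        case $arg in
            --async) async=1 ;;
            sos/bucket:*)
                bucket=${arg#sos/bucket:}
                # Assumption: bucket names use lowercase letters, digits, '.' and '-'.
                case $bucket in
                    ""|*[!a-z0-9.-]*) echo "bad bucket: $arg" >&2; return 2 ;;
                esac
                res="$res --resource $arg" ;;
            *[!a-z-]*|-*|"")
                # Anything else that is not a plain operation name is rejected,
                # including resource prefixes other than sos/bucket:.
                echo "rejected argument: $arg" >&2; return 2 ;;
            *)
                if [ "$arg" = get-operation ]; then has_get=1; fi
                ops="$ops --operation $arg" ;;
        esac
    done
    # With no --operation or --tag the new key inherits every permission of the
    # key that creates it, so an empty operation list is treated as an error.
    [ -n "$ops" ] || { echo "refusing to build an unrestricted key" >&2; return 1; }
    # Asynchronous calls can only be polled with get-operation; its results can
    # hold sensitive data, so it is added only when explicitly requested.
    if [ "$async" -eq 1 ] && [ "$has_get" -eq 0 ]; then
        ops="$ops --operation get-operation"
    fi
    printf 'exo iam access-key create %s%s%s\n' "$name" "$ops" "$res"
}
```

Review the printed command before running it; tags (--tag) are deliberately not handled here, so every permission granted is spelled out as an individual operation.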
Use an Existing API access key as a Template for a New Key
There is no way to update an API access key once it has been created: keys are immutable by design. If you want to change an API key, you will need to generate a new one.
To ease this process for complex keys, you can take advantage of the “Use as a Template” functionality available on the web portal: this uses an existing key's restrictions to populate the creation view, reducing the amount of work needed to create identical or slightly modified keys.