IAM Quick Start
Exoscale offers multiple ways to interact with the platform programmatically: from a command line, from your favorite programming language, or through our integrations with third-party tools.
To use any of them, you first have to generate an Access key and its secret.
Generating Access keys
You can create Access keys from the Portal or the [CLI](/documentation/tools/exoscale-command-line-interface/). Because you need an API key to configure the CLI, the first Access key can only be obtained through the Portal.
The following example shows you how to create an Access key using the CLI. We assume for this example that you have already configured the CLI with an unrestricted Access key.
Create a new Access key:
exo iam access-key create example-access-key
This will create an unrestricted Access key that can use all API operations. When you create a new Access key, it inherits permissions from the Access key used during the create operation.
For most use cases, however, we recommend that you create a restricted Access key that can only be used for certain operations. To create a restricted key, pass the --operation flag to list individual API operations. Pass the --tag flag for a set of related operations.
The following example restricts the new Access key to Compute operations:
exo iam access-key create example-access-key --tag compute
You can pass multiple operations and separate them with a comma. The following example also demonstrates how you can specify single commands under a service:
exo iam access-key create my-restricted-key \
--operation list-zones \
--operation list-access-keys
To list the full set of possible operations:
exo iam access-key list-operations
If the current Access key can perform the list-access-key-operations operation, you can list the API operations supported by the currently-used Access key:
exo iam access-key list-operations --mine
To list Access keys:
exo iam access-key list
Access keys can be revoked. If they are revoked, they cannot be recovered.
To revoke a key:
exo iam access-key revoke EXO...
Restricting Access keys to resources
To restrict an Access key to a particular resource, you can use the --resource flag during creation.
Note
Currently, the only supported resource is Secure Object Storage (SOS) buckets through the sos/bucket: prefix.
The following example restricts the new Access key to an SOS bucket called some-bucket:
exo iam access-key create sos-example-bucket-only \
--operation get-sos-object \
--operation list-sos-bucket \
--resource sos/bucket:example-bucket
Use an existing Access key as a template for a new API key
Access keys are immutable by design. If you want to change an API key, you will need to generate a new one.
To make it easier to generate a complex key, you can use an existing key’s restrictions to populate the creation view. Select Use as Template in the Portal with the existing key you want to use.
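Because keys are immutable and revocation cannot be undone, replacing a key from a script is a create-then-revoke sequence. The following is an added example, not Exoscale code: it only prints the commands, using the flags shown above, and refuses to build a create command that would yield an unrestricted key. The function names and the allowed character set are assumptions made for this example.

```sh
# Added example (not Exoscale code). Prints commands only; nothing is executed.

# Refuse empty values and values that would need shell quoting
# (the allowed character set is an assumption of this example).
safe_word() {
  case $1 in
    ''|*[!A-Za-z0-9._:/-]*) return 1 ;;
  esac
}

# Usage: restricted_key_cmd NAME RESOURCE OPERATION...
# RESOURCE may be '' for no resource restriction.
# The ( ... ) body runs in a subshell: variables stay local and `exit`
# only leaves the function.
restricted_key_cmd() (
  [ "$#" -ge 2 ] || { echo "usage: NAME RESOURCE OPERATION..." >&2; exit 1; }
  name=$1 resource=$2
  shift 2
  # Without --operation or --tag the new key would be unrestricted: refuse.
  [ "$#" -gt 0 ] || { echo "refusing: no operations given" >&2; exit 1; }
  safe_word "$name" || { echo "refusing: bad key name" >&2; exit 1; }
  # sos/bucket: is the only resource prefix this page documents.
  case $resource in
    '') ;;
    sos/bucket:?*) safe_word "$resource" || exit 1 ;;
    *) echo "refusing: unsupported resource" >&2; exit 1 ;;
  esac
  cmd="exo iam access-key create $name"
  for op in "$@"; do
    safe_word "$op" || { echo "refusing: bad operation name" >&2; exit 1; }
    cmd="$cmd --operation $op"
  done
  if [ -n "$resource" ]; then cmd="$cmd --resource $resource"; fi
  printf '%s\n' "$cmd"
)

# Usage: replace_key_plan OLD_KEY NAME RESOURCE OPERATION...
# Revocation cannot be undone, so the revoke command is printed last.
replace_key_plan() (
  old_key=$1
  safe_word "$old_key" || { echo "refusing: bad old key" >&2; exit 1; }
  shift
  create=$(restricted_key_cmd "$@") || exit 1
  printf '%s\n' "$create" "# confirm the new key works, then:" \
    "exo iam access-key revoke $old_key"
)

# Dry run with the placeholder key ID used on this page.
replace_key_plan 'EXO...' my-restricted-key '' list-zones list-access-keys
```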