Exoscale offers you multiple ways to interact with the platform in a programmatic way, from either a command line, your favorite programming language, or some of our integrations to 3rd party tools.

To do so you have first to generate an Access key and its secret to be used in such tools.

Generating Access keys

You can create Access keys from the Portal or the
[CLI](/documentation/tools/exoscale-command-line-interface/). Because you need an API key to configure the CLI, the first Access key can only be obtained through the Portal.

The following example shows you how to create an Access key using the CLI. We assume for this example that you have already configured the CLI before with an unrestricted Access key.

Create a new Access key:

exo iam access-key create example-access-key

This will create an unrestricted Access key that can use all API operations. When you create a new Access key, it inherits permissions from the Access key used during the create operation.

For most use cases however, we recommend that you create a restricted Access key that can only be used for certain operations. To do create a restricted key, pass the --operation flag to list individual API operations. Pass the --tag flag for a set of related operations.

The following example restricts the new Access key to Compute operations:

exo iam access-key create example-access-key --tag compute

You can pass multiple operations and separate them with a comma. The following example also demonstrates how you can specify single commands under a service:

exo iam access-key create my-restricted-key \
    --operation list-zones                  \
    --operation list-access-keys

To list the full set of possible operations:

exo iam access-key list-operations

If the current Access key can perform the list-access-key-operations operation, you can list the API operations supported by the currently-used Access key:

exo iam access-key list-operations --mine

To list Access keys:

exo iam access-key list

Access keys can be revoked. If they are revoked, they cannot be recovered.

To revoke a key:

exo iam access-key revoke EXO...

Restricting Access keys to resources

To restrict an Access key to a particular resource, you can use the --resource flag during creation.


Currently, the only supported resource is Secure Object Storage (SOS) buckets through the sos/bucket: prefix.

The following example restricts the new Access key to an SOS bucket called some-bucket:

exo iam access-key create sos-example-bucket-only \
    --operation get-sos-object                    \
    --operation list-sos-bucket               \
    --resource sos/bucket:example-bucket

Use an existing Access key as a template for a new API key

Access keys are immutable by design. If you want to change an API key, you will need to generate a new one.

To make it easier to generate a complex key, you can use an existing key’s restrictions to populate the creation view. Select Use as Template in the Portal with the existing key you want to use.