IAM Quick Start
Exoscale offers you multiple ways to interact with the platform in a programmatic way, from either a command line, your favorite programming language, or some of our integrations to 3rd party tools.
To do so you have first to generate an API Key and its secret to be used in such tools.
Generating API Keys
You can create API Keys either from the UI or the exo CLI. Since you need an API key to configure the CLI, the first API Key can only be obtained via the UI.
The following example shows you how to create such an API Key using the exo CLI, and assume you’ve configured the CLI previously with an unrestricted API Key.
Create a new API Key:
exo iam apikey create yourapikey
This will create an unrestricted API Key that can use all API operations: when you create a new API Key, it inherits permissions from the API Key used during the create operation.
However, for most use cases it is advisable to create a restricted API Key that can only be used for certain operations. This can be achieved by passing the
The following example restricts the new API Key to the Compute service:
exo iam apikey create your-compute-key --operation "compute/*"
Multiple operations can be passed separated by commas. The following example also showcases how you can specify single commands under a service:
exo iam apikey create my-restricted-key --operation "compute/listZones,iam/listApiKeys"
To list the full set of possible operations:
exo iam apikey operations
About Async Commands
Be aware that by restricting an Api Key on commands that execute asynchronously, you will not be able to use that same key to query the result of the action unless you give access to the
Be also aware that
queryAsyncJobResult may contain sensitive information (e.g. Instance details including passwords, immediately after creation and until purge of the job queue).
API Keys can be listed with:
exo iam apikey list
API Keys can be revoked, and once revoked they cannot be recovered. To revoke a key:
exo iam apikey revoke EXO...
Restricting API Keys to resources
API Keys can be restricted to limited resources. To do so, you can use
--resource parameter during creation.
Available on Object Storage Only
Currently, the only supported resource is SOS bucket (via
The following example restrict the new API Key to
some-bucket SOS bucket:
exo iam apikey create key-restricted-to-bucket-name --operation "sos/getObject,sos/listBucket" --resource "sos/bucket:bucket-name"
Use an Existing API Key as a Template for a New Key
There is no way to update an API Key once it has been created, they are immutable by design. If you want to change an API key, you will need to generate a new one.
To ease this process for complex keys, you can take advantage of the “Use as a Template” functionality available on the web portal: this will use an existing key restrictions to populate the creation view, so you can reduce the amount of work needed in creating identical or slightly modified keys.