Key Management

API Keys can’t be updated or reassigned to another role. They can only be created, listed, or deleted.

exo iam delete api-key EXO1234567890

Note that when deleting, you should use the key’s ID (EXO…) rather than its name.

Migrating Legacy Access Keys to Role + API Key

If you have been using our services for a while, you might have noticed older keys, known as Access Keys, labeled Legacy on the platform.

It is currently not possible to migrate Access Keys, but you can reproduce an existing Access Key’s behavior by creating a Role with a specific policy.

Unrestricted Access Keys

This is the simple scenario: create a Role with default settings and API Keys to go along with it.

Restricted Access Keys

Start by getting the Access Key’s Operations.

exo iam access-key show EXO...
┼────────────────┼──────────────────────────────────────────────────┼
│ IAM ACCESS KEY │                                                  │
┼────────────────┼──────────────────────────────────────────────────┼
│ Name           │ my-legacy-access-key                             │
│ Type           │ restricted                                       │
│ API Key        │ EXOXXXXXXXXXXXXXXXXXXXXXXXX                      │
│ API Secret     │ *******************************************      │
│ Operations     │ create-load-balancer                             │
│                │ delete-load-balancer                             │
│                │ list-dns-domain-records                          │
┼────────────────┼──────────────────────────────────────────────────┼

Create an initial policy with "default-service-strategy": "deny":

{
  "default-service-strategy": "deny",
  "services": {

  }
}

Classify operations by their service class by referring to this document. E.g. create-load-balancer belongs to compute, and list-dns-domain-records belongs to dns.

For each service class, create a key in the policy under "services", then populate it as follows:

{
  "default-service-strategy": "deny",
  "services": {
    "compute": {"type": "rules",
                "rules": [{"action": "allow",
                            "expression": "operation in ['create-load-balancer', 'delete-load-balancer']"}]},
    "dns":     {"type": "rules",
                "rules": [{"action": "allow",
                            "expression": "operation in ['list-dns-domain-records']"}]}
  }
}

Pass the finished policy to the CLI through STDIN.

cat policy.json | exo iam role create migrated-access-key-role --policy -

Finally, create an API Key referencing the role:

exo iam api-key create migrated-my-legacy-access-key migrated-access-key-role
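
The policy-building steps above can be generated from the Access Key's Operations list instead of being typed by hand, which keeps the JSON valid and makes an unclassified operation a hard error rather than a silent omission. This Python code is an added example, not Exoscale tooling; SERVICE_CLASS, build_policy and render are hypothetical names, and the table holds only the three operations classified on this page.

```python
import json

# Operation -> service class. Only the three operations shown on this page are
# listed (assumption: extend this table from the provider's operation reference).
SERVICE_CLASS = {
    "create-load-balancer": "compute",
    "delete-load-balancer": "compute",
    "list-dns-domain-records": "dns",
}


def build_policy(operations, service_class=SERVICE_CLASS):
    """Return a deny-by-default role policy allowing exactly `operations`."""
    unknown = sorted(set(operations) - set(service_class))
    if unknown:
        # Fail closed: never guess a service class or silently drop an operation.
        raise ValueError(f"unclassified operations: {', '.join(unknown)}")

    by_service = {}
    for op in sorted(set(operations)):
        # The name is embedded in a quoted expression string; reject anything
        # that could terminate the quoting and alter the rule.
        if "'" in op or "\\" in op:
            raise ValueError(f"unsafe character in operation name: {op!r}")
        by_service.setdefault(service_class[op], []).append(op)

    services = {}
    for service, ops in sorted(by_service.items()):
        quoted = ", ".join(f"'{op}'" for op in ops)
        services[service] = {
            "type": "rules",
            "rules": [{"action": "allow",
                       "expression": f"operation in [{quoted}]"}],
        }
    return {"default-service-strategy": "deny", "services": services}


def render(operations):
    """Serialize the policy; json.dumps guarantees syntactically valid JSON."""
    return json.dumps(build_policy(operations), indent=2)


if __name__ == "__main__":
    # Constructed input: the Operations column of the sample access key above.
    print(render(["create-load-balancer", "delete-load-balancer",
                  "list-dns-domain-records"]))
```

Saving the printed output as policy.json gives the file that the role creation command above reads from STDIN.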