Quick Start
This is a quick start guide focusing on the creation of new API Keys and Roles. For more in-depth knowledge of IAM, please refer to the Policy Guide and the Roles and Policies operations guide.
Prerequisites
The goal is to have the necessary resources to use IAM outside of the portal too.
- Navigate to IAM, then ROLES, and add a new Role.
- In the Role creation form: name your new Role
example-api-roleand leave other settings as default - make sure “Default service strategy” is ALLOW and “Service Classes” is empty. This will create a role with no restrictions. - Navigate to IAM, then KEYS, and add a new API Key.
- In the Key creation form: name your key
example-api-keyand select the Role from the previous step (example-api-role). - Once created, the API key id
API Keyand secretAPI Secretare displayed. The secret is displayed only once. We will need both for the next step. - This documentation shows you how to configure the CLI with the API key you just created. If you haven’t installed the CLI yet, you can refer to the Installation section
Roles and API Keys
You can create a Role and API keys from the Portal or the CLI. Every role defines a policy in charge of authorization. API keys are attached to a role, they are responsible for authentication.
From the CLI
Creating a new API key
exo iam api-key create second-api-key example-api-roleBecause we specified the same role from the first time setup, this will create another key with unrestricted use of all API operations - identical to the one we created previously.
For most use cases however, we recommend that you create a restricted Role that can only be used for certain operations.
Creating a new Role
cat policy.json | exo iam role create example-restricted-role --editable --policy -policy.json defines the role’s policy.
For example, here’s a policy that allows IAM operations, allows DNS operations, but denies anything else:
{
"default-service-strategy": "deny",
"services": {
"dns": {
"type": "allow"
},
"iam": {
"type": "allow"
}
}
}"default-service-strategy": "deny" rejects any request that doesn’t satisfy the conditions under "services".
"services" are high level classification of operations used to split the authorization flow. Possible keys inside "services" are: compute, iam, dns, dbaas, sos, and block-storage.
You can find more information about which operations/endpoint belong to which service and more details of command-line usage for IAM in the following references: