Learn how to provide specific access rights to users of an OVHcloud account. This guide explains in detail how policies can be declared using the OVHcloud Control Panel and how to list the identities, resources, and actions available for them.
The access management of OVHcloud is based on a policy management system. It is possible to write different policies that give users access to specific features on the products linked to an OVHcloud account.
In detail, a policy contains:
- One or more identities targeted by this policy.
  - These can be account IDs, users, or user groups (like the ones used in Federation; other SSO guides are available).
- One or more resources impacted by this policy.
  - A resource is an OVHcloud product that will be impacted by this policy (a domain name, a Nutanix server, a Load Balancer, etc.).
- One or more actions allowed or excepted by this policy.
  - Actions are the specific rights this policy affects (reboot a server, create an email account, cancel a subscription, etc.).
For example, we can create a policy that gives a user called John access to the "reboot" action on a VPS.
Requirements
- An OVHcloud account
- Know how to manage account users
- One or more OVHcloud products linked to this OVHcloud account (Load Balancer, VPS, etc.)
Instructions
Accessing the IAM menu
From the OVHcloud Control Panel, navigate to the Identity, Security & Operations menu.
There are several ways to do this, depending on the version of the OVHcloud Control Panel you are using.
Standard version:
- By clicking Bare Metal Cloud or Hosted Private Cloud in the top navigation bar.
- By accessing the "My account" page and clicking the Manage my users shortcut.
Beta version:
- By clicking Identity, Security & Operations in the left-hand navigation menu.
- By accessing the "My account" page and clicking the Manage my users shortcut.
If you are accessing this menu for the first time, the following page appears. Click Create a policy or Create users, depending on the action you want to perform.
NOTE: Clicking the "Advanced mode" button shows the list of all the OVHcloud Managed policies. These policies are automatically created by OVHcloud to convert the preexisting ovh-default and ovh-role-admin delegation to the new IAM feature.
Customers are not allowed to edit or delete these policies.
If you have already created policies or users, the menu displays a list of all the current policies created on your OVHcloud account.
Each policy is displayed with its name, the number of identities linked to it, and the number of actions it contains.
Managing policies
Creating a policy
Click the Create a policy button.
The following options will be displayed:
Policy name (mandatory): This is the name that will appear in the interfaces. The name should be unique and must not contain any spaces.
Identities: Select the identities affected by this policy. It is possible to target individual users, user groups, service accounts, or OVHcloud accounts.
Policies targeting other OVHcloud customer accounts
Access policies can target other OVHcloud customer accounts.
The targeted account of this policy will be able to manage the rights received that way on its own policies, but will never be able to override the rights set on the access policy.
For example, an account xx1111-ovh gives rights on vps:apiovh:ips/* to account xx2222-ovh:
Account xx2222-ovh will be able to give the right vps:apiovh:ips/delete to its own users, but will never be able to grant the right vps:apiovh:reboot. Access to support will still be reserved for the owner of the resource.
Product types: Select the type of product to define the scope of the policy. One or more product types can be included in the same policy.
Resources: Add resources or resource groups to be covered by the policy. The resources available are filtered by the product type selected beforehand.
Conditions: Add conditions to policies, making the policy valid only if all conditions are met. The variables on which you may set conditions are:
- A resource tag
- The resource name
- The product type
- The IP of the request
- The day of the week
- The date
- The time
Once added, conditions are displayed with the syntax used on the API.
Actions: There are four different ways to add actions:
Authorize all actions
When activating this option, you allow all actions related to the selected products. This includes all existing actions as well as actions added in the future for these product types.
Selecting a group of managed permissions
We provide permission groups that are preconfigured and managed by OVHcloud. You can select one or more groups by selecting them from the available list.
Details of the content of the managed permission groups are available in the associated documentation.
Managed action groups can be used in addition to unit actions.
Adding actions manually
If you know the action name, you can add it manually. You can use a wildcard (*) at the beginning or the end of the action name. For example, adding vps:apiovh:ips/* will grant the following rights:
- vps:apiovh:ips/edit
- vps:apiovh:ips/delete
- vps:apiovh:ips/get
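As an added illustration (not OVHcloud's own code, policy format or API), the following Python models the policy elements described in this guide: action patterns with a wildcard at the beginning or the end of the name, the "Authorize all actions" option, and the delegation rule from the xx1111-ovh / xx2222-ovh example in the "Policies targeting other OVHcloud customer accounts" section, where the receiving account may re-grant vps:apiovh:ips/delete to its own users but never vps:apiovh:reboot. The Policy class, the resource identifier format and the user names are assumptions made for this example.

```python
# Added illustration of the policy model described in this guide. The data
# structures, the resource identifier format and the user names are assumptions
# for the example, not OVHcloud's policy format or API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    identities: frozenset[str]   # users, groups or accounts this policy targets
    resources: frozenset[str]    # resource identifiers, or "*" for all (assumed)
    actions: frozenset[str] = frozenset()
    allow_all: bool = False      # the "Authorize all actions" option


def validate_action_pattern(pattern: str) -> None:
    """The guide allows a wildcard only at the beginning or the end of an action."""
    body = pattern.strip("*")
    if "*" in body or (body == "" and pattern != "*"):
        raise ValueError(f"wildcard only allowed at beginning or end: {pattern!r}")


def action_matches(pattern: str, action: str) -> bool:
    """True if a concrete action name is covered by a policy action pattern."""
    validate_action_pattern(pattern)
    if pattern == "*":
        return True
    body = pattern.strip("*")
    if pattern.startswith("*") and pattern.endswith("*"):
        return body in action
    if pattern.endswith("*"):
        return action.startswith(body)
    if pattern.startswith("*"):
        return action.endswith(body)
    return action == pattern


def is_allowed(policies, identity: str, resource: str, action: str) -> bool:
    """Allow if at least one policy targets the identity, covers the resource,
    and either authorizes all actions or lists a matching action pattern."""
    for p in policies:
        if identity not in p.identities:
            continue
        if resource not in p.resources and "*" not in p.resources:
            continue
        if p.allow_all or any(action_matches(a, action) for a in p.actions):
            return True
    return False


def pattern_covers(received: str, delegated: str) -> bool:
    """True if every action matched by `delegated` is also matched by `received`.
    Exact names are checked directly; wildcard patterns are compared only when
    both have the same shape (both prefix or both suffix patterns); any other
    combination is conservatively treated as not covered."""
    if received == "*":
        return True
    if "*" not in delegated:
        return action_matches(received, delegated)
    r_pre, r_suf = received.endswith("*"), received.startswith("*")
    d_pre, d_suf = delegated.endswith("*"), delegated.startswith("*")
    if r_pre and d_pre and not (r_suf or d_suf):
        return delegated[:-1].startswith(received[:-1])
    if r_suf and d_suf and not (r_pre or d_pre):
        return delegated[1:].endswith(received[1:])
    return False


def delegation_violations(received: Policy, own: Policy) -> list[str]:
    """Resources and actions in `own` (a policy written by the account that
    received rights) that exceed what `received` granted to that account."""
    violations: list[str] = []
    if "*" not in received.resources:
        violations += [f"resource:{r}" for r in sorted(own.resources - received.resources)]
    if received.allow_all:
        return violations
    if own.allow_all:
        return violations + ["<authorize all actions>"]
    violations += sorted(a for a in own.actions
                         if not any(pattern_covers(r, a) for r in received.actions))
    return violations


# Constructed example mirroring the guide: account xx1111-ovh grants
# vps:apiovh:ips/* on one VPS to account xx2222-ovh.
VPS = "example-vps:vps-demo-1"   # assumed resource identifier, not a real format
GRANT = Policy("ips-from-xx1111", frozenset({"xx2222-ovh"}), frozenset({VPS}),
               frozenset({"vps:apiovh:ips/*"}))
OK = Policy("xx2222-ip-cleanup", frozenset({"user-alice"}), frozenset({VPS}),
            frozenset({"vps:apiovh:ips/delete"}))
TOO_BROAD = Policy("xx2222-ops", frozenset({"user-bob"}), frozenset({VPS}),
                   frozenset({"vps:apiovh:ips/get", "vps:apiovh:reboot"}))

if __name__ == "__main__":
    print(is_allowed([GRANT], "xx2222-ovh", VPS, "vps:apiovh:ips/delete"))  # True
    print(is_allowed([GRANT], "xx2222-ovh", VPS, "vps:apiovh:reboot"))      # False
    print(delegation_violations(GRANT, OK))         # []
    print(delegation_violations(GRANT, TOO_BROAD))  # ['vps:apiovh:reboot']
```

The `pattern_covers` check is deliberately conservative: when the received and delegated patterns have different shapes (for example a prefix pattern against a suffix pattern), it reports the delegation as exceeding the grant rather than trying to prove containment, which is the safe failure mode for an authorization check.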
Selecting actions from the list
The available actions depend on the resource type and belong to one of five categories. A search field is available to help identify a specific action on the list.
- Create: Action that allows creating something on a product (ex., Create a support ticket).
- Delete: Action that allows the deletion of something on a product (ex., Delete a Public Cloud instance).
- Edit: Action to change something existing on a product (ex., Edit TCP route of a Load Balancer).
- Operate: Apply changes to the infrastructure related to the product (ex., Reboot a dedicated server).
- Read: List products and show information about a product (ex., List a VPS IP).
Actions related to IP and vRack products, as well as actions related to ordering and billing, are not yet available through OVHcloud IAM.
When you have made your selections, click the Create policy button.
Editing or deleting a policy
To edit an existing policy, click the more options ... button to the right of the policy and click Modify policy. Then, you can change the scope of the policy.
To delete an existing policy, click the more options ... button to the right of the policy and click Delete policy. A pop-up window will ask you to confirm the deletion.
Managing identities
To manage identities available for policies, go to the Identities section via the Identity, Security & Operations menu.
Details about user management are available in the dedicated documentation.
Managing resource groups
Policies can target resource groups instead of resources. These resource groups can assemble resources from different products, for example, to set up a test environment.
Creating a resource group
To create a resource group, access the dedicated tab of the IAM menu. Click on Create a resource group.
- Resource group name: This is the name that will appear in the interfaces. The name should be unique and must not contain any spaces.
- Product types: The list of product types concerned by this resource group.
- Resources: The list of resources the group will contain.
When you have made your selections, click Create resource Group.
Editing or deleting a resource group
To edit a resource group, click on its name in the list or click the more options ... button to the right of the group and click Edit resource group.
To delete an existing resource group, click the more options ... button to the right of the group and click Delete resource group. A pop-up window will ask you to confirm the deletion.
Go further
For more information and tutorials, please see our other Manage & Operate support guides or explore the guides for other OVHcloud products and services.