Learn about the integration of Logs Data Platform with OVHcloud IAM.
IAM for Logs Data Platform will be available starting September 17, 2025. The content of this documentation will be valid from this date.
Requirements
- An OVHcloud account
- Access to the OVHcloud Control Panel
- A Logs Data Platform service
Instructions
How is IAM useful for Logs Data Platform?
Enabling OVHcloud IAM on Logs Data Platform delegates authentication, access management, and permissions to OVHcloud IAM. There are several benefits to using IAM:
- All OVHcloud identities can connect using their credentials to all Web UIs (i.e., Graylog, OpenSearch Dashboards). The connected account will be the identity chosen for UI access. You will no longer need the Logs Data Platform username. IAM also enables the use of two-factor authentication methods and Federation Services.
- API tokens can be both service account tokens and Personal Access Tokens handled directly with OVHcloud IAM APIs.
- Resource groups allow you to share Logs Data Platform sub-resources more cohesively.
- IAM Policies unlock advanced use cases that are not possible with permissions, thanks to fine-grained actions.
How to enable OVHcloud IAM for my existing account in Logs Data Platform?
If you have an existing service, follow these steps:
- Replace all your Roles and permissions with appropriate policies.
- Ensure you have no Roles declared in your service.
- Ensure your service is not in any Roles.
- Ensure you don't have any tokens.
- Use the
Enable OVHcloud IAMbutton in theRolestab of the Logs Data Platform Control Panel.
Once IAM is activated, a new IAM Policies tab will replace the previous Roles tab.
How to enable OVHcloud IAM on a new service?
When a new service is created, you can directly opt into using IAM and use IAM policies to handle access rights.
Once IAM has been activated, you can freely use any OVHcloud identities to interact with Logs Data Platform.
How to connect to Graylog with IAM?
When connecting to Graylog, you can choose between the legacy username/password system (for services without IAM activated) or the OVHcloud IAM US provider. Clicking the Log in with OVHcloud IAM US button redirects you to complete authentication.
NOTE: Only the US provider is supported.
How to connect to OpenSearch Dashboards with IAM?
When connecting to OpenSearch Dashboards, select the provider linked to your OVHcloud service. The Log in with single sign-on button redirects you to your provider to complete authentication.
Once completed, you will be redirected back to the OpenSearch Dashboard instance fully authenticated.
How to interact with Logs Data Platform backends API?
With IAM enabled, tokens are replaced by API keys (Bearer authentication scheme). These keys can be tokens from service accounts or Personal Access Tokens. Use the OVHcloud API to generate these tokens.
For example, if you are on bhs2 cluster, curl can use these tokens in the following way:
How to create indices or aliases on Logs Data Platform backend APIs?
First, ensure the identity you want to use has permission to create indices and aliases for the service. If authorized, Personal Access Tokens or service account OAuth2 clients can perform creation/deletion operations.
NOTE: The previous prefix for indices and aliases was the username. Now the prefix is the service name. You will find the service name on the homepage of the Logs Data Platform control panel. It is also the suffix of a Logs Data Platform service URN. For example:
urn:v1:us:resource:ldp:ldp-ab-56945
The service is tied to a unique Logs Data Platform, so you will be allowed to create items only on this cluster. For example if ldp-ab-56945 is on bhs2:
Similarly, aliases created through OpenSearch APIs must be prefixed by one of your allowed services.
Go further
- Introduction to Logs Data Platform
- IAM for Logs Data Platform
- Our documentation
- Create an account: Try it!