Identity
This section focuses on identity management for Infomaniak Public Cloud, covering secure authentication methods and access control for both interactive and automated use cases.
Security Best Practice
Use Application Credentials for all automated access to improve security and auditability.
Start Here
Follow this path to configure access for your use case:
- Application Credentials — Create secure credentials for automated access
- Service Policies — Understand what each role can do per service
- Select the right role — Use the quick reference below
Access Control
Access is controlled through role-based permissions with project-level roles:
- reader: Read-only access for monitoring and reporting
- member: Full project management for automation and operations
- load-balancer_member: Dedicated load balancer management access
- load-balancer_observer: Read-only access to load balancer APIs and configurations
- SwiftOperator: Full access to Swift object storage resources
- creator: Secret and certificate management access
- observer: Read-only access to secrets and containers in Barbican
Role Quick Reference
| I need to... | Recommended Role | Details |
|---|---|---|
| Monitor resources, view logs, generate reports | reader | Read-only access to all project resources |
| Automate deployments, manage infrastructure (CI/CD) | member | Full project management for most services |
| Manage load balancers | load-balancer_member | Read/write access to Octavia load balancers |
| Monitor load balancers only | load-balancer_observer | Read-only access to Octavia |
| Manage object storage (Swift) | SwiftOperator | Full access to Swift object storage |
| Manage secrets and certificates (Barbican) | creator | Create and manage secrets/containers |
| Read secrets only (Barbican) | observer | Read-only access to Barbican secrets |
Combining Roles
You can assign multiple roles to a single Application Credential for cross-service access. Examples:
```shell
# Full automation (Compute + Network + Storage)
openstack application credential create \
  --role reader \
  --role member \
  --description "CI/CD automation" \
  my-ci-cd-app
```

```shell
# Load balancer + monitoring
openstack application credential create \
  --role load-balancer_member \
  --role reader \
  --description "LB automation with monitoring" \
  my-lb-app
```
Role Selection by Service
| Service | Read-Only | Full Management | Special Role Required |
|---|---|---|---|
| Compute (Nova) | reader | member | — |
| Block Storage (Cinder) | reader | member | — |
| Network (Neutron) | reader | member | BYOIP for advanced features |
| Image (Glance) | reader | member | — |
| Load Balancer (Octavia) | load-balancer_observer | load-balancer_member | load-balancer_member |
| DNS (Designate) | reader | member | — |
| Orchestration (Heat) | reader | member | — |
| Billing (CloudKitty) | reader | member | — |
| Monitoring (Aodh) | reader | member | — |
| Key Management (Barbican) | observer | creator | creator or observer |
Need Granular Permissions?
For fine-grained, service-specific access (e.g., read-only access to just one service), use Access Rules instead of broad roles. This applies the principle of least privilege by restricting credentials to specific API endpoints and methods.
Region-Specific Role Behaviors
Different regions may have slightly different role behavior. Understanding these differences will help you create correct Application Credentials.
Region dc3-a
In region dc3-a, the reader role inherits permissions equivalent to the member role.
Always verify the active region before interpreting IAM test results or executing operations.
Region dc4-a
In region dc4-a, the member role does not automatically include reader permissions. When creating Application Credentials for the dc4-a region, you must explicitly add both roles:
```shell
openstack application credential create \
  --role reader \
  --role member \
  --description "Full access in dc4-a" \
  my-app
```
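The following script is an added example, not Infomaniak's or OpenStack's own tooling. It ties together the two points above: it requests the role set the page recommends for an access level (passing both reader and member for full access, which is what the dc4-a region requires and what the CI/CD example under Combining Roles already does), and it narrows the credential further with Access Rules, so a monitoring credential can only call the listed API endpoints and methods. It assumes the `--access-rules` option of the `openstack` client, which accepts a JSON list of objects with `service`, `method` and `path` keys; the service names, paths and credential name are constructed sample values. The command is printed for review unless `RUN=1` is set.

```shell
#!/bin/sh
# Added example: build a least-privilege Application Credential request.
# Not Infomaniak's own tooling; service names and paths below are constructed.

# Roles to request for an access level. "full" passes reader and member,
# mirroring the page's CI/CD example, so it also works in dc4-a where member
# does not include reader.
roles_for() {
  case "$1" in
    read-only)     echo "reader" ;;
    full)          echo "reader member" ;;
    load-balancer) echo "load-balancer_member reader" ;;
    *) echo "roles_for: unknown access level '$1'" >&2; return 1 ;;
  esac
}

# One access rule as a JSON object: catalog service type, HTTP method, API path.
# Assumption: this is the object shape the openstack CLI's --access-rules expects.
access_rule() {
  printf '{"service": "%s", "method": "%s", "path": "%s"}' "$1" "$2" "$3"
}

# Join any number of rule objects into the JSON array --access-rules takes.
access_rules_json() {
  out=""
  for rule in "$@"; do
    out="${out:+$out, }$rule"
  done
  printf '[%s]' "$out"
}

# Assemble the CLI call. Prints it for review; set RUN=1 to execute it.
create_app_cred() {
  name=$1; level=$2; rules_json=$3
  set -- openstack application credential create
  for role in $(roles_for "$level"); do
    set -- "$@" --role "$role"
  done
  set -- "$@" --access-rules "$rules_json" \
              --description "least-privilege $level" "$name"
  if [ "${RUN:-0}" = 1 ]; then
    "$@"
  else
    printf '%s ' "$@"; printf '\n'
  fi
}

# Constructed sample: a monitoring credential that may only list Nova servers
# and Neutron networks, even though the reader role alone would allow far more.
RULES=$(access_rules_json \
  "$(access_rule compute GET /v2.1/servers)" \
  "$(access_rule network GET /v2.0/networks)")
create_app_cred my-monitoring-app read-only "$RULES"
```

Because `roles_for` returns both reader and member for full access, the same script produces a credential that behaves consistently in dc4-a; the Access Rules are what actually enforce the least-privilege boundary, since the page notes that in dc3-a the reader role carries member-equivalent permissions.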
Best Practices
Always verify the active region before interpreting IAM test results or executing operations.
- Application Credentials: Create and manage secure credentials for automated access to OpenStack services
- Service Policies: Understand permissions and role-based access control for each OpenStack service