Identity

This section focuses on identity management for Infomaniak Public Cloud, covering secure authentication methods and access control for both interactive and automated use cases.

Security Best Practice

Use Application Credentials for all automated access to improve security and auditability.

Start Here

Follow this path to configure access for your use case:

  1. Application Credentials — Create secure credentials for automated access
  2. Service Policies — Understand what each role can do per service
  3. Select the right role — Use the quick reference below

Access Control

Access is controlled through role-based permissions with project-level roles:

  • reader - Read-only access for monitoring and reporting
  • member - Full project management for automation and operations
  • load-balancer_member - Dedicated load balancer management access
  • load-balancer_observer - Read-only access to load balancer APIs and configurations
  • SwiftOperator - Full access to Swift object storage resources
  • creator - Secret and certificate management access
  • observer - Read-only access to secrets and containers in Barbican

Role Quick Reference

| I need to... | Recommended Role | Details |
|---|---|---|
| Monitor resources, view logs, generate reports | reader | Read-only access to all project resources |
| Automate deployments, manage infrastructure (CI/CD) | member | Full project management for most services |
| Manage load balancers | load-balancer_member | Read/write access to Octavia load balancers |
| Monitor load balancers only | load-balancer_observer | Read-only access to Octavia |
| Manage object storage (Swift) | SwiftOperator | Full access to Swift object storage |
| Manage secrets and certificates (Barbican) | creator | Create and manage secrets/containers |
| Read secrets only (Barbican) | observer | Read-only access to Barbican secrets |

Combining Roles

You can assign multiple roles to a single Application Credential for cross-service access. Examples:

# Full automation (Compute + Network + Storage)
openstack application credential create \
    --role reader \
    --role member \
    --description "CI/CD automation" \
    my-ci-cd-app

# Load balancer + monitoring
openstack application credential create \
    --role load-balancer_member \
    --role reader \
    --description "LB automation with monitoring" \
    my-lb-app

Role Selection by Service

| Service | Read-Only | Full Management | Special Role Required |
|---|---|---|---|
| Compute (Nova) | reader | member | |
| Block Storage (Cinder) | reader | member | |
| Network (Neutron) | reader | member | BYOIP for advanced features |
| Image (Glance) | reader | member | |
| Load Balancer (Octavia) | load-balancer_observer | load-balancer_member | load-balancer_member |
| DNS (Designate) | reader | member | |
| Orchestration (Heat) | reader | member | |
| Billing (CloudKitty) | reader | member | |
| Monitoring (Aodh) | reader | member | |
| Key Management (Barbican) | observer | creator | creator or observer |

Need Granular Permissions?

For fine-grained, service-specific access (e.g., read-only access to just one service), use Access Rules instead of broad roles. This applies the principle of least privilege by restricting credentials to specific API endpoints and methods.

Region-Specific Role Behaviors

Different regions may have slightly different role behavior. Understanding these differences will help you create correct Application Credentials.

Region dc3-a

In region dc3-a, the reader role inherits permissions equivalent to the member role. Always verify the active region before interpreting IAM test results or executing operations.

Region dc4-a

In region dc4-a, the member role does not automatically include reader permissions. When creating Application Credentials for the dc4-a region, you must explicitly add both roles:

openstack application credential create \
    --role reader \
    --role member \
    --description "Full access in dc4-a" \
    my-app
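The following helper is an added example, not Infomaniak's own tooling: it applies the dc4-a rule from this section (add reader whenever member is requested), keeps the requested roles unchanged for any other region, and prints a reviewable `openstack application credential create` command that also attaches an Access Rules file for least-privilege automation. The region name, credential name, description, the `${TMPDIR:-/tmp}/access-rules.json` path and the single compute read-only rule are constructed sample values; nothing is sent to the cloud.

```shell
#!/bin/sh
# Added example: compose a least-privilege Application Credential command
# that respects the region-specific role behaviour described above.

# roles_for_region REGION ROLE...
# Prints the final role list, one role per line.
roles_for_region() {
  region=$1
  shift
  roles=" $* "
  if [ "$region" = "dc4-a" ]; then
    # In dc4-a, member does not imply reader, so add reader when member
    # is requested and reader is missing.
    case "$roles" in
      *" member "*)
        case "$roles" in
          *" reader "*) ;;
          *) roles=" reader$roles" ;;
        esac ;;
    esac
  fi
  printf '%s\n' $roles
}

# Constructed sample Access Rules: allow only listing Nova servers.
# Keys (service, method, path) follow the Keystone access rule format.
access_rules_json() {
  printf '%s\n' '[{"service": "compute", "method": "GET", "path": "/v2.1/servers"}]'
}

# build_create_cmd REGION NAME DESCRIPTION RULES_FILE ROLE...
# Prints the command so it can be reviewed before it is run.
build_create_cmd() {
  region=$1 name=$2 desc=$3 rules=$4
  shift 4
  cmd="openstack application credential create"
  for r in $(roles_for_region "$region" "$@"); do
    cmd="$cmd --role $r"
  done
  printf '%s\n' "$cmd --access-rules $rules --description \"$desc\" $name"
}

# Demo: write the rules file and show the command for a dc4-a CI credential.
rules_file="${TMPDIR:-/tmp}/access-rules.json"
access_rules_json > "$rules_file"
build_create_cmd dc4-a my-ci-cd-app "CI/CD automation" "$rules_file" member
```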

Best Practices

Always verify the active region before interpreting IAM test results or executing operations.

  • Application Credentials - Create and manage secure credentials for automated access to OpenStack services
  • Service Policies - Understand permissions and role-based access control for each OpenStack service