IAM Policies
Understand permissions and create secure Application Credentials for automated access to OpenStack services. Each service has specific permission patterns for reader, member, and service-specific roles (load-balancer_member, SwiftOperator, creator) to help you choose the right level of access.
Quick Start
Create Application Credentials
```bash
# Install OpenStack CLI
pip install python-openstackclient

# Authenticate with your user credentials
source openrc.sh

# Create reader credential (read-only access)
openstack application credential create \
  --role reader \
  --description "Monitoring and reporting" \
  my-reader-app

# Create member credential (full project management)
openstack application credential create \
  --role member \
  --description "CI/CD automation" \
  my-member-app

# Create load-balancer member credential (load balancer management)
openstack application credential create \
  --role load-balancer_member \
  --description "Load balancer automation" \
  my-lb-app

# Create SwiftOperator credential (object storage management)
openstack application credential create \
  --role SwiftOperator \
  --description "Object storage automation" \
  my-swift-app

# Create creator credential (secret and certificate management)
openstack application credential create \
  --role creator \
  --description "Secret and certificate automation" \
  my-secrets-app
```
Use Your Credentials
```bash
export OS_AUTH_TYPE=v3application_credential
export OS_AUTH_URL=https://api.pub1.infomaniak.cloud/identity/v3
export OS_APPLICATION_CREDENTIAL_ID="your-credential-id"
export OS_APPLICATION_CREDENTIAL_SECRET="your-credential-secret"
```
Save Your Credentials
The Application Credential secret is shown only once, when the credential is created. Save it securely immediately.
Role Overview
| Role | Permissions | Best For |
|---|---|---|
| reader | Read-only access to project resources | Monitoring, reporting, compliance |
| member | Full project management capabilities | Automation, CI/CD, operations |
| load-balancer_member | Read and write access to load balancer APIs | Load balancer automation |
| SwiftOperator | Full access to Swift object storage resources in project | Object storage management |
| creator | Create and manage secrets and owned project resources | Secret management, certificate automation |
Region-Specific Behavior: member Role in dc4-a
In region dc4-a, the member role does not automatically include reader permissions.
When creating Application Credentials for the dc4-a region, you must explicitly add both roles:
```bash
openstack application credential create \
  --role reader \
  --role member \
  --description "Full access in dc4-a" \
  my-app
```
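An added helper, not part of this page or the OpenStack tooling, that builds the create command with the dc4-a rule above applied automatically and checks the environment from Use Your Credentials before it is used. The set of regions needing an explicit reader role and the check for leftover user-credential variables are assumptions.

```python
"""Build Application Credential create commands and check the auth environment.
Added example; not Infomaniak's or OpenStack's own code."""
import shlex

# Roles documented in the Role Overview table on this page.
KNOWN_ROLES = {"reader", "member", "load-balancer_member", "SwiftOperator", "creator"}
# Assumption: dc4-a is the only region where member does not imply reader.
REGIONS_WITHOUT_IMPLIED_READER = {"dc4-a"}


def roles_for(region, roles):
    """Return the roles to request, adding reader where member does not imply it."""
    unknown = set(roles) - KNOWN_ROLES
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    wanted = list(dict.fromkeys(roles))  # keep order, drop duplicates
    if region in REGIONS_WITHOUT_IMPLIED_READER and "member" in wanted and "reader" not in wanted:
        wanted.insert(0, "reader")
    return wanted


def create_command(name, region, roles, description):
    """Build the `openstack application credential create` command line as a string."""
    args = ["openstack", "application", "credential", "create"]
    for role in roles_for(region, roles):
        args += ["--role", role]
    args += ["--description", description, name]
    return shlex.join(args)


def check_env(env):
    """Return a list of problems found in an Application Credential environment."""
    problems = []
    if env.get("OS_AUTH_TYPE") != "v3application_credential":
        problems.append("OS_AUTH_TYPE must be v3application_credential")
    for key in ("OS_AUTH_URL", "OS_APPLICATION_CREDENTIAL_ID", "OS_APPLICATION_CREDENTIAL_SECRET"):
        if not env.get(key):
            problems.append(f"{key} is not set")
    url = env.get("OS_AUTH_URL", "")
    if url and not url.startswith("https://"):
        problems.append("OS_AUTH_URL should use https")
    # Assumption: an automation environment should carry only the application credential.
    for key in ("OS_USERNAME", "OS_PASSWORD"):
        if env.get(key):
            problems.append(f"{key} is set; remove user credentials from this environment")
    return problems
```

Run `check_env(dict(os.environ))` before invoking the CLI in a pipeline so a misconfigured job fails fast instead of authenticating with the wrong credential type.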
Service Policies
- Nova - Compute Service: Virtual machines, flavors, and server lifecycle management
- Cinder - Block Storage Service: Volumes, snapshots, backups, and storage management
- Neutron - Networking Service: Networks, subnets, routers, and security groups
- Glance - Image Service: Operating system images, uploads, and sharing
- Octavia - Load Balancer Service: Load balancers, listeners, pools, and health monitors
- Designate - DNS Service: DNS zones, records, and domain management
- Heat - Orchestration Service: Infrastructure as Code, templates, and stack management
- CloudKitty - Billing Service: Cost tracking, usage reports, and billing information
- Aodh - Monitoring Service: Alarms, thresholds, and monitoring automation
- Barbican - Key Management Service: Secrets, certificates, and cryptographic key management
Next: Select a service above to view detailed permission matrices and usage examples for your Application Credentials.