Heat Policies
Introduction
This document presents the permissions available for reader and member roles on the Heat service (orchestration) of Infomaniak Public Cloud, based on OpenStack default policies.
Context
Application Credentials must be created with the appropriate role according to functional needs. This matrix helps you choose the right role for infrastructure orchestration operations.
Legend
| Symbol | Meaning |
|---|---|
 |
Allowed - The policy explicitly permits this action |
 |
Forbidden - The policy explicitly denies this action |
 |
Conditional - Allowed based on project membership |
Stack Management
Basic Stack Operations
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List stacks | GET /v1/{tenant_id}/stacks |
stacks:index |
|
|
Project stacks |
| Show stack | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id} |
stacks:show |
|
|
Project ownership |
| Create stack | POST /v1/{tenant_id}/stacks |
stacks:create |
|
|
|
| Update stack | PUT /v1/{tenant_id}/stacks/{stack_name}/{stack_id} |
stacks:update |
|
|
Project ownership |
| Delete stack | DELETE /v1/{tenant_id}/stacks/{stack_name}/{stack_id} |
stacks:delete |
|
|
Project ownership |
Stack Advanced Operations
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Abandon stack | DELETE /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon |
stacks:abandon |
|
|
Project ownership |
| Preview stack | POST /v1/{tenant_id}/stacks/preview |
stacks:preview |
|
|
Template validation |
| Get stack template | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template |
stacks:template |
|
|
Project ownership |
Stack Actions
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Check stack | POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions |
actions:check |
|
|
Project ownership |
| Suspend stack | POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions |
actions:suspend |
|
|
Project ownership |
| Resume stack | POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions |
actions:resume |
|
|
Project ownership |
| Cancel update | POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions |
actions:cancel_update |
|
|
Project ownership |
Stack Snapshots
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List snapshots | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots |
stacks:list_snapshots |
|
|
Project stack ownership |
| Show snapshot | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id} |
stacks:show_snapshot |
|
|
Project ownership |
| Create snapshot | POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions |
actions:snapshot |
|
|
Project stack ownership |
| Restore snapshot | POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore |
stacks:restore_snapshot |
|
|
Project ownership |
| Delete snapshot | DELETE /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id} |
stacks:delete_snapshot |
|
|
Project ownership |
Stack Outputs
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List outputs | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs |
stacks:list_outputs |
|
|
Project stack ownership |
| Show output | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key} |
stacks:show_output |
|
|
Project ownership |
Resource Management
Stack Resources
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List resources | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources |
resource:index |
|
|
Project stack ownership |
| Show resource | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name} |
resource:show |
|
|
Project ownership |
| Mark unhealthy | PATCH /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name} |
resource:mark_unhealthy |
|
|
Project ownership |
| Signal resource | POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal |
resource:signal |
|
|
Project ownership* |
| Resource metadata | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata |
resource:metadata |
|
|
Project ownership* |
*Also accessible by heat_stack_user role
Events Management
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List events | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events |
events:index |
|
|
Project stack ownership |
| Show event | GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id} |
events:show |
|
|
Project ownership |
Template Management
Template Operations
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Validate template | POST /v1/{tenant_id}/validate |
stacks:validate_template |
|
|
Template validation |
| List resource types | GET /v1/{tenant_id}/resource_types |
resource_types:index |
|
|
Available types |
| Show resource type | GET /v1/{tenant_id}/resource_types/{type_name} |
resource_types:show |
|
|
Type details |
| Resource type template | GET /v1/{tenant_id}/resource_types/{type_name}/template |
resource_types:template |
|
|
Template generation |
Software Configuration
Software Config Management
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List configs | GET /v1/{tenant_id}/software_configs |
software_configs:index |
|
|
Project configs |
| Show config | GET /v1/{tenant_id}/software_configs/{config_id} |
software_configs:show |
|
|
Project ownership |
| Create config | POST /v1/{tenant_id}/software_configs |
software_configs:create |
|
|
|
| Delete config | DELETE /v1/{tenant_id}/software_configs/{config_id} |
software_configs:delete |
|
|
Project ownership |
Software Deployment Management
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List deployments | GET /v1/{tenant_id}/software_deployments |
software_deployments:index |
|
|
Project deployments |
| Show deployment | GET /v1/{tenant_id}/software_deployments/{deployment_id} |
software_deployments:show |
|
|
Project ownership |
| Create deployment | POST /v1/{tenant_id}/software_deployments |
software_deployments:create |
|
|
|
| Update deployment | PUT /v1/{tenant_id}/software_deployments/{deployment_id} |
software_deployments:update |
|
|
Project ownership |
| Delete deployment | DELETE /v1/{tenant_id}/software_deployments/{deployment_id} |
software_deployments:delete |
|
|
Project ownership |
| Deployment metadata | GET /v1/{tenant_id}/software_deployments/metadata/{server_id} |
software_deployments:metadata |
|
|
Project ownership* |
*Also accessible by heat_stack_user role
CloudFormation Compatibility
AWS CloudFormation API
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Describe stacks | POST / |
cloudformation:DescribeStacks |
|
|
Project stacks |
| Create stack | POST / |
cloudformation:CreateStack |
|
|
|
| Update stack | POST / |
cloudformation:UpdateStack |
|
|
Project ownership |
| Delete stack | POST / |
cloudformation:DeleteStack |
|
|
Project ownership |
| Cancel update | POST / |
cloudformation:CancelUpdateStack |
|
|
Project ownership |
| Get template | POST / |
cloudformation:GetTemplate |
|
|
Project ownership |
| Validate template | POST / |
cloudformation:ValidateTemplate |
|
|
Template validation |
| Describe resources | POST / |
cloudformation:DescribeStackResources |
|
|
Project ownership |
| Describe events | POST / |
cloudformation:DescribeStackEvents |
|
|
Project ownership |
Capabilities Summary by Role
Granted permissions:
- View all project stacks and their details
- Access stack resources, events, and outputs
- Monitor stack snapshots and status
- View software configurations and deployments
- Validate templates and check resource types
- Check stack health status
- Access CloudFormation compatibility APIs (read-only)
Limitations:
- No stack creation or modification
- No stack lifecycle operations (suspend, resume, etc.)
- No snapshot management
- No software configuration creation
Granted permissions:
- All Reader capabilities
- Create, update, and delete stacks
- Perform stack lifecycle operations (suspend, resume, cancel)
- Manage stack snapshots (create, restore, delete)
- Create and manage software configurations
- Deploy and update software deployments
- Mark resources as unhealthy for replacement
- Full CloudFormation API compatibility
Limitations:
- Cannot access administrative resource types (quotas, flavors, etc.)
- Limited to project-scoped operations
- Cannot perform system-level orchestration operations
Usage Examples
Infrastructure Monitoring Application
Use case: Stack monitoring, resource tracking, compliance
Recommended role: reader
# Application Credential
role: reader
# Possible actions
- openstack stack list
- openstack stack show <stack-name>
- openstack stack resource list <stack-name>
- openstack stack event list <stack-name>
- openstack stack output list <stack-name>
Infrastructure Orchestration Application
Use case: CI/CD, infrastructure automation, deployment pipelines
Recommended role: member
# Application Credential
role: member
# Possible actions
- openstack stack create -t template.yaml --parameter key=value my-stack
- openstack stack update -t updated-template.yaml my-stack
- openstack stack snapshot create my-stack snapshot-name
- openstack stack action suspend my-stack
- openstack stack action resume my-stack
Configuration Management Integration
Use case: Software deployment automation, configuration drift detection
Recommended role: member
# Application Credential
role: member
# Configuration and deployment
- openstack software config create --config-file install-script.sh web-server-config
- openstack software deployment create --config <config-id> --server <server-id> web-deployment
- openstack stack resource mark unhealthy <stack-name> <resource-name> # Force replacement
- openstack stack check <stack-name> # Verify stack health
Context Variables
Policies use the following variables to determine authorizations:
| Variable | Description |
|---|---|
%(project_id)s |
Current user's project ID |
%(stack_id)s |
Target stack ID |
%(resource_name)s |
Target resource name |
%(config_id)s |
Software configuration ID |
%(deployment_id)s |
Software deployment ID |
Important Notes
Best Practices
- Principle of least privilege: Use the
readerrole for monitoring and read-only infrastructure operations - Template validation: Both roles can validate templates before deployment
- Stack lifecycle: Use member role for full orchestration capabilities
- Snapshot strategy: Regular snapshots before major updates (member role required)
- Resource health: Monitor and mark unhealthy resources for automatic replacement
- Project isolation: All operations are limited to project resources
Heat Specifics
- heat_stack_user: Special role used by Heat internally for stack operations, not for Application Credentials
- Resource types: Some advanced resource types require administrative privileges
- Stack user: Heat creates internal users for stack operations with limited scope
- Template complexity: Large templates may have deployment time limitations
- Resource dependencies: Heat automatically handles resource dependency ordering