feat(iam): auto-generated iam resources MTA-5431 (#4231)

ldecarvalho-doc · web-flow · commit bd8d83f3f62f · 2025-01-20T13:32:20.000+01:00
diff --git a/identity-and-access-management/iam/reference-content/assets/scaleway-iam-logs-k8s-example.webp b/identity-and-access-management/iam/reference-content/assets/scaleway-iam-logs-k8s-example.webp
diff --git a/identity-and-access-management/iam/reference-content/auto-generated-iam-resources.mdx b/identity-and-access-management/iam/reference-content/auto-generated-iam-resources.mdx
@@ -0,0 +1,37 @@
+---
+meta:
+  title: Auto-generated IAM resources
+  description: This page explains how and why Scaleway auto-generates some IAM resources.
+content:
+  h1: Auto-generated IAM resources
+  paragraph: This page explains how and why Scaleway auto-generates some IAM resources.
+tags: iam
+dates:
+  validation: 2025-01-16
+categories:
+  - iam
+---
+
+Sometimes Scaleway might automatically generate IAM resources, such as applications, groups and policies.
+
+This allows policies to be set up with specific product resources as principals. These policies are created by Scaleway and can be managed by users to ensure more the access management of resource permissions.
+
+Any time Scaleway automatically creates or deletes an IAM resource, you will see it on your IAM logs.
+
+<Lightbox src="scaleway-iam-logs-k8s-example.webp" alt="Image showing IAM logs in the Scaleway console. The first two lines show a policy and group that were automatically created for a Kubernetes Kapsule cluster, respectively. The third and fourth line show a group and a policy that were deleted. In all cases, the logs indicate that the actions were performed by Scaleway." />
+
+## Kubernetes Kapsule
+
+Currently, auto-generated IAM resources only occur in Kubernetes Kapsule when a [cluster is created](/containers/kubernetes/how-to/connect-cluster-kubectl).
+
+Whenever a cluster is created, automatically so are:
+    - An IAM group containing all the nodes in the cluster as IAM applications
+      <Message type="note">
+        The node IAM applications are not visible to users.
+      </Message>
+    - An IAM policy with default permission sets and the cluster group as a principal
+
+The default policy can be edited by users to grant the cluster group permission according to their use-cases.
+
+
+
diff --git a/menu/navigation.json b/menu/navigation.json
@@ -410,6 +410,10 @@
                   {
                     "label": "Reproducing roles and Project-scoped API keys with IAM",
                     "slug": "reproduce-roles-project-api-keys"
+                  },
+                  {
+                    "label": "Auto-generated IAM resources",
+                    "slug": "auto-generated-iam-resources"
                   }
                 ],
                 "label": "Additional Content",

Original file line number	Diff line number	Diff line change
`@@ -410,6 +410,10 @@`
`410`	`410`	`{`
`411`	`411`	`"label": "Reproducing roles and Project-scoped API keys with IAM",`
`412`	`412`	`"slug": "reproduce-roles-project-api-keys"`
	`413`	`+ },`
	`414`	`+ {`
	`415`	`+ "label": "Auto-generated IAM resources",`
	`416`	`+ "slug": "auto-generated-iam-resources"`
`413`	`417`	`}`
`414`	`418`	`],`
`415`	`419`	`"label": "Additional Content",`