diff --git a/pages/iam/reference-content/permission-sets.mdx b/pages/iam/reference-content/permission-sets.mdx index dd8326ef64..9abf18af0e 100644 --- a/pages/iam/reference-content/permission-sets.mdx +++ b/pages/iam/reference-content/permission-sets.mdx 
@@ -48,44 +48,56 @@ Below is a list of the permission sets available at Scaleway. ## Scoped by Project +### Permission sets for several / all Products + | Permission set | Description | | :--------------------------: | :-----------------------------------------------------------------------------------: | | AllProductsFullAccess | Full access to create, read, list, edit and delete all resources (products) | | AllProductsReadOnly | Read access to list and read info for all resources (products) | | SSHKeysReadOnly | Read access to SSH keys | | SSHKeysFullAccess | Full access to SSH keys | -| AppleSiliconReadOnly | List and read access to Apple silicon | -| AppleSiliconFullAccess | Full access to create, read, list, edit and delete Apple silicon. | -| ElasticMetalReadOnly | List and read access to Elastic Metal | -| ElasticMetalFullAccess | Full access to create, read, list, edit and delete Elastic Metal | + +### Compute + +#### CPU & GPU Instances + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | InstancesFullAccess | Full access to create, read, list, edit and delete Instances | | InstancesReadOnly | List and read access to Instances | -| KafkaClusterReadOnly | List and read access to Kafka Cluster | -| KafkaClusterFullAccess | Full access to Kafka Cluster | -| KubernetesReadOnly | List and read access to Kubernetes | -| KubernetesFullAccess | Full access to create, read, list, edit and delete Kubernetes | -| KubernetesExternalNodeRegister | Attach external nodes to a Kosmos cluster | -| KubernetesSystemMastersGroupAccess | Gives the Kubernetes system:masters role to perform any action on the cluster | +| InstancesServerStart | Allows starting Instance servers | +| InstancesServerStop | Allows stopping Instance servers | + +### Bare Metal + +#### Elastic Metal + +| Permission set | Description | +| :--------------------------: | 
:-----------------------------------------------------------------------------------: | +| ElasticMetalReadOnly | List and read access to Elastic Metal | +| ElasticMetalFullAccess | Full access to create, read, list, edit and delete Elastic Metal | + +#### Apple silicon + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| AppleSiliconReadOnly | List and read access to Apple silicon | +| AppleSiliconFullAccess | Full access to create, read, list, edit and delete Apple silicon. | + +#### Dedibox + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | DediboxReadOnly | List and read access to Dedibox | | DediboxFullAccess | Full access to create, read, list, edit and delete Dedibox | -| GenerativeApisModelAccess | Access to Generative APIs models. | -| GenerativeApisFullAccess | Full access to Generative APIs. | -| InferenceReadOnly | Read access to Inference deployments | -| InferenceFullAccess | Full access to Inference deployments | -| ContainersReadOnly | List and read access to Containers | -| ContainersFullAccess | Full access to create, read, list, edit and delete to Containers | -| FunctionsReadOnly | List and read access to Functions | -| FunctionsFullAccess | Full access to create, read, list, edit and delete Functions | -| MessagingAndQueuingReadOnly | List and read access to Messaging | -| MessagingAndQueuingFullAccess | Full access to create, read, list, edit and delete Messaging | -| ServerlessJobsFullAccess | Full access to create, read, list, edit and delete job definition/run | -| ServerlessJobsReadOnly | List and read access to job definition/run | -| ServerlessSQLDatabaseReadOnly| List and read access to Serverless SQL Database | -| ServerlessSQLDatabaseReadWrite| List, read and write access to Serverless SQL Database. 
Includes data and table structure edition. Does not include permissions to create databases or edit settings | -| ServerlessSQLDatabaseDataReadWrite| Read, write, edit and delete data in Serverless SQL Database tables. Does not include data and table structure edition, creation of databases or settings edition | -| ServerlessSQLDatabaseFullAccess| Full access to create, read, list, edit and delete Serverless SQL Database | -| RelationalDatabasesReadOnly | List and read access to Managed Database for PostgreSQL and MySQL | -| RelationalDatabasesFullAccess| Full access to create, read, list, edit and delete Managed Database for PostgreSQL and MySQL | +| DediboxConsoleFullAccess | Access to Dedibox Console. Use this permission set only if a member needs access to Dedibox Console | + +### Storage + +#### Object Storage + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | ObjectStorageReadOnly | List and read access to Object Storage | | ObjectStorageFullAccess | Full access to create, read, list, edit and delete Object Storage | | ObjectStorageObjectsRead | Read access to objects, tags, metadata, and storage class | 
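Review bot: In the `#### Dedibox` table of this hunk the new `DediboxConsoleFullAccess` row gives usage guidance instead of a description of what the set grants; every other Description cell states the scope (for example `| DediboxFullAccess | Full access to create, read, list, edit and delete Dedibox |`), so spell out what "Access to Dedibox Console" permits and move the "Use this permission set only if a member needs access to Dedibox Console" advice into a note below the table, where a reader deciding on least-privilege assignment will look for it. Two style points while the rows are being moved: the `AppleSiliconFullAccess` description keeps a trailing period that no neighbouring row has, and the new heading `### Permission sets for several / all Products` would read more naturally as "Permission sets for several or all products".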
@@ -94,30 +106,247 @@ Below is a list of the permission sets available at Scaleway. | ObjectStorageObjectsDelete | Access to delete objects | | ObjectStorageBucketsWrite | Access to create and edit buckets, bucket configuration including lifecycle rules | | ObjectStorageBucketsDelete | Access to delete buckets | -| RedisReadOnly | List and read access to Managed Database for Redis™ | -| RedisFullAccess | Full access to create, read, list, edit and delete Managed Database for Redis™ | +| ObjectStorageBucketPolicyFullAccess | Full access to object storage bucket policies | + + +#### Block Storage + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| BlockStorageReadOnly | List and read access to Block Storage | +| BlockStorageFullAccess | Full access to create, read, list, edit and delete in Block Storage | + + +#### File Storage + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| FileStorageReadOnly | Read access to File Storage | +| FileStorageFullAccess | Full access to File Storage | + + + +#### Container Registry + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| ContainerRegistryReadOnly | List and read access to Container Registry | +| ContainerRegistryFullAccess | Full access to create, read, list, edit and delete Container Registry | + +### Network + +#### VPC + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | PrivateNetworksFullAccess | Full access to create, read, list, edit and delete Private Networks | | PrivateNetworksReadOnly | Read access to Private Networks | -| VPCGatewayReadOnly | List and read access to Public Gateways | 
-| VPCGatewayFullAccess | Full access to create, read, list, edit and delete Public Gateways | | VPCFullAccess | Full access to VPC | | VPCReadOnly | Read access to VPC | -| AutoscalingFullAccess | Full access to autoscaling | -| AutoscalingReadOnly | Read access to autoscaling | -| EdgeServicesFullAccess | Full access to Edge Services | -| EdgeServicesReadOnly | Read access to Edge Services | + +#### IPAM + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | IPAMFullAccess | Full access to IPAM | | IPAMReadOnly | Read access to IPAM | + +#### Public Gateways + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| VPCGatewayReadOnly | List and read access to Public Gateways | +| VPCGatewayFullAccess | Full access to create, read, list, edit and delete Public Gateways | + +#### InterLink + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| InterlinkFullAccess | Full access to Interlink | +| InterlinkReadOnly | Read access to Interlink | +| InterlinkPartnerReadOnly | Read access to Interlink Partner | +| InterlinkPartnerFullAccess | Full access to Interlink Partner | + +#### Site-to-Site VPN + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| SiteToSiteVPNReadOnly | Read access to Site-to-Site VPN | +| SiteToSiteVPNFullAccess | Full access to Site-to-Site VPN | + +#### Load Balancers + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | LoadBalancersReadOnly | List and read access to Load Balancer | | LoadBalancersFullAccess | Full access to 
create, read, list, edit and delete Load Balancer | -| DomainsDNSReadOnly | List and read access to Domains and DNS | -| DomainsDNSFullAccess | Full access to create, read, list, edit and delete Domains and DNS | + +#### Edge Services + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| EdgeServicesFullAccess | Full access to Edge Services | +| EdgeServicesReadOnly | Read access to Edge Services | + +### Containers + +#### Kubernetes + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| KubernetesReadOnly | List and read access to Kubernetes | +| KubernetesFullAccess | Full access to create, read, list, edit and delete Kubernetes | +| KubernetesExternalNodeRegister | Attach external nodes to a Kosmos cluster | +| KubernetesSystemMastersGroupAccess | Gives the Kubernetes system:masters role to perform any action on the cluster | + +#### Container Registry + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | ContainerRegistryReadOnly | List and read access to Container Registry | | ContainerRegistryFullAccess | Full access to create, read, list, edit and delete Container Registry | + +### Serverless Compute + +#### Functions + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| FunctionsReadOnly | List and read access to Functions | +| FunctionsFullAccess | Full access to create, read, list, edit and delete Functions | +| FunctionsPrivateAccess | Call private functions | + +#### Containers + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | 
+| ContainersReadOnly | List and read access to Containers | +| ContainersFullAccess | Full access to create, read, list, edit and delete to Containers | +| ContainersPrivateAccess | Call private containers | + + +#### Jobs + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| ServerlessJobsFullAccess | Full access to create, read, list, edit and delete job definition/run | +| ServerlessJobsReadOnly | List and read access to job definition/run | + +### Databases + +#### PostgreSQL & MySQL + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| RelationalDatabasesReadOnly | List and read access to Managed Database for PostgreSQL and MySQL | +| RelationalDatabasesFullAccess| Full access to create, read, list, edit and delete Managed Database for PostgreSQL and MySQL | + +#### ServerlessSQL + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| ServerlessSQLDatabaseReadOnly| List and read access to Serverless SQL Database | +| ServerlessSQLDatabaseReadWrite| List, read and write access to Serverless SQL Database. Includes data and table structure edition. Does not include permissions to create databases or edit settings | +| ServerlessSQLDatabaseDataReadWrite| Read, write, edit and delete data in Serverless SQL Database tables. 
Does not include data and table structure edition, creation of databases or settings edition | +| ServerlessSQLDatabaseFullAccess| Full access to create, read, list, edit and delete Serverless SQL Database | + +#### Redis™ + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| RedisReadOnly | List and read access to Managed Database for Redis™ | +| RedisFullAccess | Full access to create, read, list, edit and delete Managed Database for Redis™ | + +#### MongoDB® + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| MongoDBReadOnly | Read access to MongoDB databases | +| MongoDBFullAccess | Full access to MongoDB databases | + +#### OpenSearch + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| SearchDBReadOnly | Read access to SearchDB services | +| SearchDBFullAccess | Full access to SearchDB services | + +### AI + +#### Generative APIs + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| GenerativeApisModelAccess | Access to Generative APIs models. | +| GenerativeApisFullAccess | Full access to Generative APIs. 
| + +#### Managed Inference + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| InferenceReadOnly | Read access to Inference deployments | +| InferenceFullAccess | Full access to Inference deployments | + +### Data & Analytics + +#### Clickhouse® + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| InferenceReadOnly | Read access to Inference deployments | +| InferenceFullAccess | Full access to Inference deployments | + +#### Data Lab + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| DataWarehouseReadOnly | Read access to Datawarehouse service | +| DataWarehouseFullAccess | Full access to Data Warehouse service | + +#### Apache Kafka® + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| KafkaClusterReadOnly | List and read access to Kafka Cluster | +| KafkaClusterFullAccess | Full access to Kafka Cluster | + +### Integration Services + +#### Queues + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| MessagingAndQueuingReadOnly | List and read access to Messaging | +| MessagingAndQueuingFullAccess | Full access to create, read, list, edit and delete Messaging | + + +#### IoT Hub + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | IoTReadOnly | List and read access to IoT Hub | | IoTFullAccess | Full access to create, read, list, edit and delete IoT Hub | -| ObservabilityReadOnly | List and read access to Observability | -| 
ObservabilityFullAccess | Full access to create, read, list, edit and delete Observability | + +### Domains & Web Hosting + +#### Domains & DNS + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| DomainsDNSReadOnly | List and read access to Domains and DNS | +| DomainsDNSFullAccess | Full access to create, read, list, edit and delete Domains and DNS | + +#### Web Hosting + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| WebHostingReadOnly | List and read access to Web Hosting | +| WebHostingFullAccess | Full access to create, read, list, edit and delete Web Hosting | + +#### Transactional Emails + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | TransactionalEmailReadOnly | List and read access to Transactional Email | | TransactionalEmailFullAccess | Full access to create, read, list, edit and delete Transactional Email | | TransactionalEmailBlocklistFullAccess | Full access to blocklists in Transactional Email. | 
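Review bot: The `#### Clickhouse®` table in this hunk is a copy-paste error: it repeats `| InferenceReadOnly | Read access to Inference deployments |` and `| InferenceFullAccess | Full access to Inference deployments |` from the Managed Inference table directly above it, so the Clickhouse® section currently documents no Clickhouse® permission set at all and needs its own rows (or should be dropped until they exist). Related consistency problems in the same hunk: the Container Registry table appears twice, once under `### Storage` (all added lines) and again under `### Containers` (heading added, rows kept as context), so one copy should go; the `-| AutoscalingFullAccess |` and `-| AutoscalingReadOnly |` rows are removed and not re-added anywhere in the patch, which silently drops two documented permission sets unless that is intended; and the headings `#### Data Lab` and `#### OpenSearch` sit over rows named `DataWarehouse*` and `SearchDB*`, which a reader cannot map back to the product without a word of explanation. Minor: `#### ServerlessSQL` lacks the space used in the row text ("Serverless SQL Database"), `#### InterLink` is capitalised differently from the `Interlink*` set names, and several `+` blank lines stack two or three deep between tables.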
@@ -132,18 +361,57 @@ Below is a list of the permission sets available at Scaleway. | TransactionalEmailProjectSettingsReadOnly | Read access to Project settings in Transactional Email | | TransactionalEmailEmailSmtpCreate | Permission to create emails via SMTP | | TransactionalEmailEmailApiCreate | Permission to create emails via the API | -| WebHostingReadOnly | List and read access to Web Hosting | -| WebHostingFullAccess | Full access to create, read, list, edit and delete Web Hosting | +| TransactionalEmailOfferSubscriptionReadOnly | Read access to project offer subscriptions in transactional email | +| TransactionalEmailOfferSubscriptionFullAccess | Full access to project offer subscriptions in transactional email | +| TransactionalEmailPoolReadOnly | Read access to project pool in transactional email | + +### Monitoring + +#### Cockpit + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| ObservabilityReadOnly | List and read access to Observability | +| ObservabilityFullAccess | Full access to create, read, list, edit and delete Observability | + + +### Security & Identity + +#### Secret Manager + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | SecretManagerReadOnly | List and read secrets' metadata (name, tags, creation date, etc.). Does not include permissions for data (versions) accessing or editing | | SecretManagerFullAccess | Full access to create, read, list, edit, access, and delete secrets and their versions in Secret Manager | | SecretManagerSecretAccess | Read access to versions' data in Secret Manager. Does not include permissions for data editing | | SecretManagerSecretCreate | Permission to create secrets and their versions in Secret Manager. 
Does not include permission to update secrets and versions | -| SecretManagerSecretDelete | Permission to delete secrets and their versions in Secret Manager | +| SecretManagerSecretDelete | Permission to delete secrets and their versions in Secret Manager | | SecretManagerSecretWrite | Permission to edit the metadata (name, tags, description, etc.) of secrets and their versions in Secret Manager. Does not include permission to create secrets and versions | -| BlockStorageReadOnly | List and read access to Block Storage | -| BlockStorageFullAccess | Full access to create, read, list, edit and delete in Block Storage | +| SecretManagerSecretRestore | Restore permission on Secret Manager secrets and their versions | + +#### Key Manager + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | | KeyManagerFullAccess | Full access to create, read, list, edit and delete in Key Manager | | KeyManagerReadOnly | List and read access to Key Manager | +| KeyManagerKeyWrite | Write permission to key manager. 
Does not include creation and deletion permission on keys | +| KeyManagerKeyDecrypt | Decrypt permission to key manager | +| KeyManagerKeyEncrypt | Encrypt permission to key manager | +| KeyManagerKeySign | Sign permission to key manager | +| KeyManagerKeyVerify | Verify permission to key manager | +| KeyManagerKeyDelete | Delete permission to key manager | +| KeyManagerKeyCreate | Create permission to key manager | +| KeyManagerKeyRestore | Restore permission to key manager | + +### Labs + +#### Quantum + +| Permission set | Description | +| :--------------------------: | :-----------------------------------------------------------------------------------: | +| QaaSFullAccess | Full access to Quantum as a Service | +| QaaSReadOnly | Read access to Quantum as a Service | Some additional permission sets may appear on your Scaleway console if you are enrolled in beta testing for products or features.
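Review bot: The `-`/`+` pair for `SecretManagerSecretDelete` in this hunk is a no-op change (the two lines are textually identical), which suggests a trailing-whitespace edit and adds review noise; drop it from the patch. For the new Key Manager rows, the descriptions ("Write permission to key manager", "Decrypt permission to key manager") are terser and less consistent than the Secret Manager rows beside them, which follow the pattern "Permission to ... in Secret Manager. Does not include ..."; rewording them the same way, with "Key Manager" capitalised as in `KeyManagerFullAccess`, and stating for `KeyManagerKeyEncrypt`, `KeyManagerKeyDecrypt`, `KeyManagerKeySign` and `KeyManagerKeyVerify` whether they grant only the named cryptographic operation on existing keys and no key management, would let readers choose these narrow sets over `KeyManagerFullAccess` with confidence. The `KeyManagerKeyWrite` row already does this well ("Does not include creation and deletion permission on keys") and is the model to follow.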