About EIM Users

You can create users within your account for every person or service that needs to access all or part of your Cloud resources. This enables you to control access to your resources by setting credentials and permissions for each user.

General Information

An EIM user is an identity that represents a person or a service. This identity enables the corresponding person or service to interact with your OUTSCALE resources using their own credentials.

EIM users are created within your account and enable you to control which resources they can access and which actions they can perform depending on the permissions you grant them. For more information, see the Users and Permissions section below.

A user has the following attributes:

  • A user name: The common name that you specify for the user when creating it. This user name must be unique for your account.

  • A user ID: A unique identifier that is automatically created for the user.

  • An OUTSCALE Resource Name (ORN): A unique resource identifier for the user, which indicates where the resource is in the Cloud (service, account, resource type, and so on).

    3DS OUTSCALE uses ORNs to identify users, groups, and your resources in EIM policies.

You can also specify a path to indicate where the user is within your organization and use it as a filter when listing your users.

For more information, see Resource Identifiers.

User Credentials

You can create several users within your account depending on your needs. These users belong to your account but authenticate to OUTSCALE services using their own access keys that you create and manage. You can create up to two access keys for each user in your account.

When you create an access key, the following information is returned:

  • The access key ID, which identifies the access key

  • The secret access key, which enables the user to sign requests

    For security reasons, the secret access key is only available when creating it. Save it carefully as you will not be able to retrieve it later.

    If you lose the secret access key, you can delete the access key and must create a new one for the user.

An access key can be in one of the following states:

  • Active: The access key is enabled. The user with which the access key is associated can use it to sign API requests.

  • Inactive: The access key is disabled. The user with which it is associated cannot use it to sign API requests.

You can modify the state of an access key at any time, or delete it if needed. For more information, see Modifying the State of an EIM Access Key or Deleting an EIM Access Key.
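The two-key limit and the two states described above shape how a key can be replaced without leaving the user unable to sign requests. The following is an added example, not OUTSCALE code: it plans the replacement offline on a constructed inventory and makes no API calls. The key IDs, the function names, the action labels, and the assumption that a newly created key starts active are all illustrative.

```python
MAX_KEYS_PER_USER = 2  # limit stated on this page

# Constructed inventory for one EIM user: access key ID -> state
SAMPLE_KEYS = {"AK_OLD_EXAMPLE": "ACTIVE", "AK_SPARE_EXAMPLE": "INACTIVE"}


def plan_rotation(keys, old_id, new_id="AK_NEW_EXAMPLE"):
    """Return ordered (action, key_id) steps that replace old_id."""
    if len(keys) > MAX_KEYS_PER_USER:
        raise ValueError("inventory exceeds the per-user key limit")
    if old_id not in keys:
        raise ValueError(f"{old_id} does not belong to this user")
    steps = []
    if len(keys) == MAX_KEYS_PER_USER:
        spare = next(k for k in keys if k != old_id)
        if keys[spare] == "ACTIVE":
            # A key that can still sign requests may be in use somewhere.
            raise ValueError(f"{spare} is still active; retire it by hand first")
        steps.append(("delete", spare))      # free one of the two slots
    steps.append(("create", new_id))         # save the secret now: shown only once
    steps.append(("deactivate", old_id))     # after every consumer uses new_id
    steps.append(("delete", old_id))         # once nothing broke while inactive
    return steps


def simulate(keys, steps):
    """Apply steps to a copy of keys, enforcing the constraints on this page."""
    state = dict(keys)
    had_active = "ACTIVE" in state.values()
    for action, key_id in steps:
        if action == "create":
            if len(state) >= MAX_KEYS_PER_USER:
                raise RuntimeError("would exceed two access keys for the user")
            state[key_id] = "ACTIVE"  # assumption: a new key starts active
        elif action == "deactivate":
            state[key_id] = "INACTIVE"
        elif action == "delete":
            del state[key_id]
        if had_active and "ACTIVE" not in state.values():
            raise RuntimeError(f"user left with no usable key after {action}")
    return state


if __name__ == "__main__":
    plan = plan_rotation(SAMPLE_KEYS, "AK_OLD_EXAMPLE")
    for step in plan:
        print(*step)
    print(simulate(SAMPLE_KEYS, plan))
```

Setting the old key to inactive before deleting it keeps a way back: if a consumer still depends on it, the state can be changed again, whereas a deleted key's secret cannot be recovered.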

Users and Permissions

Newly created users have no permissions to perform any action on any of your resources. You need to give them permissions to perform specified actions on specified resources using inline or managed policies. For more information, see About Policies.

You can give individual permissions to a user, or organize your users in groups and give permissions to all the users that belong to this group. A single user can belong to several groups at the same time. For more information, see About EIM Groups.

For example, you can give administration permissions to some users, who can then manage all your resources, and possibly manage permissions for other users and groups within your organization. You can also limit the permissions given to users strictly to the actions and resources they need for their job.

In Cockpit v1, the Read-only policy allows EIM users to access and read the root user’s credentials. You can prevent this by creating a custom policy instead. For more information, see Creating a Managed Policy.

Root User

The root user is the default EIM identity that is automatically created with an account. This root user has unrestricted permissions to all resources in the account, and can manage users and groups within it.

You cannot restrict the permissions for the root user.

We recommend that:

  • You do not use root user credentials for everyday access to your resources.

  • You do not share root user credentials with anyone.

For example, you can create an EIM user for yourself with all administration permissions.
