IAM Overview
Cloudalus IAM (Identity and Access Management) lets you control which principals can perform which actions on your resources.
How it works
When someone tries to perform an action, Cloudalus evaluates two things before allowing it:
- Trust policy: does the trust the caller is acting through allow it to perform this action?
- Resource policy: does the resource (e.g. the database) allow the adopted identity to perform this action on that resource?
Both must allow the action. If either denies it, the request is rejected. Owners of a resource automatically pass the resource policy check, so as an owner you only need to worry about setting up trust policies for others.
Key concepts
Principals
A principal is the actor making the request. Principals take three forms:
- Users: people authenticated via the Cloudalus dashboard.
- Programmatic Identities: non-human actors used by applications, automation, and integrations.
- Unauthenticated: callers with no authenticated identity.
Access keys are credentials, not actors in their own right. An access key authenticates as a programmatic identity.
Resources
Resources are the things being acted upon. Current resource types include:
- Organisations (org/<id>): your top-level container for resources and team members.
- KvDB databases (kvdb/<id>): your Redis-compatible databases.
- Programmatic Identities: non-human identities for programmatic or automated access.
- Access Keys: credentials attached to programmatic identities.
- Organisation Users (org_user/<id>): members of an organisation.
Policies
Trust policies are JSON documents attached to a trust between entities. Each trust policy defines what the trustee may do when acting via that trust. Resource policies are attached to resources and define which identities the resource accepts for which actions. Both use statements with an effect (Allow or Deny), a list of actions, and a list of resources or identities they apply to.
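To make the two-check model concrete, here is an added worked evaluator (example code written for this overview, not Cloudalus's own implementation). The statement shape and field names (statements, effect, actions, resources, identities), the action names, and the rule that an explicit Deny beats an Allow while no matching statement means no permission are assumptions; the trust-then-resource evaluation and the owner shortcut are taken from the text above.

```python
"""Added example (not Cloudalus code): evaluate a request against a trust
policy and a resource policy the way the IAM overview describes."""
from fnmatch import fnmatchcase

# Constructed sample policies. The trust lets the programmatic identity
# pi/ci-runner act on any KvDB database; the database accepts that identity
# for reads and writes but explicitly denies deletion.
TRUST_POLICY = {
    "statements": [
        {"effect": "Allow", "actions": ["kvdb:Get", "kvdb:Set", "kvdb:Delete"],
         "resources": ["kvdb/*"]},
    ]
}
RESOURCE_POLICY = {
    "statements": [
        {"effect": "Allow", "actions": ["kvdb:Get", "kvdb:Set"],
         "identities": ["pi/ci-runner"]},
        {"effect": "Deny", "actions": ["kvdb:Delete"],
         "identities": ["pi/ci-runner"]},
    ]
}


def _decide(statements, action, subject, key):
    """Return 'Deny', 'Allow' or None for statements matching `action` and
    `subject` (a resource id under "resources" or an identity under
    "identities"). Assumed precedence: an explicit Deny wins over any Allow,
    and no matching statement grants nothing."""
    decision = None
    for stmt in statements:
        if not any(fnmatchcase(action, a) for a in stmt["actions"]):
            continue
        if not any(fnmatchcase(subject, s) for s in stmt.get(key, [])):
            continue
        if stmt["effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(identity, action, resource, owner, trust_policy, resource_policy):
    """Both checks must allow. The trust check applies to every caller; the
    resource owner passes the resource policy check automatically, everyone
    else needs a matching Allow from the resource policy."""
    if _decide(trust_policy["statements"], action, resource, "resources") != "Allow":
        return False
    if identity == owner:
        return True
    return _decide(resource_policy["statements"], action, identity, "identities") == "Allow"
```

Running the sample shows the asymmetry the overview describes: the trust alone grants kvdb:Delete, but the database's Deny statement still rejects it for the non-owner identity.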