Default IAM policies
Thalassa Cloud ships a set of built-in policies for access control. Each policy defines which API resources a principal may access and which actions they may perform. The same policies are available as organisation roles and as system IAM policies inside projects.
Policy naming
Built-in policies follow a <service>:<Access> naming pattern:
| Pattern | Meaning | Examples |
|---|---|---|
| <service>:ReadAccess | Read and list only | iam:ReadAccess, dns:ReadAccess, kms:ReadAccess |
| <service>:FullAccess | Full CRUD on that service's resources | dns:FullAccess, secrets:FullAccess, kms:FullAccess |
| <service>:<Action> | A single cryptographic or operational action | kms:Encrypt, kms:Decrypt, kms:Rotate |
The service prefix identifies the product area (iam, k8s, iaas, dns, kms, secrets, dbaas, etc.). The Access suffix describes the permission level or action.
Older built-in policies may still use legacy names (for example k8s-admin, iaas-devops, or FullAdminAccess instead of FullAccess). These are being aligned to the <service>:<Access> convention over time. The slug (used in API paths and bindings) remains a stable kebab-case identifier regardless of display-name changes — for example iam:ReadAccess has slug iam-read-access.
Custom policies you create must not use a system: prefix. Use your own descriptive names.
How defaults work
- Default policies are platform-managed. They are marked read-only and cannot be renamed, deleted, or have their rules changed.
- The platform keeps defaults in sync with the templates defined in the product. New policies may be added over time; existing rules may be updated to match new services.
- The organisation owner is automatically bound to the `admin:all` policy (slug `admin`) as an organisation role.
- You can create custom IAM policies and custom organisation roles alongside the defaults.
Permission types
Policies grant one or more of the following actions on each resource type:
| Permission | Meaning |
|---|---|
| create | Create new resources |
| read | Read a single resource |
| list | List or search resources |
| update | Modify existing resources |
| delete | Delete or disable resources |
| * | All standard actions on the matched resources |
| push / pull | Push to or pull from a container registry |
| encrypt / decrypt | Encrypt or decrypt data with a KMS key |
| sign / verify | Sign or verify data with a KMS key |
| hmac / verify-hmac | Generate or verify an HMAC with a KMS key |
| rotate / export | Rotate or export a KMS key |
| getSecretValue / putSecretValue | Read or write secret payload data |
When a rule lists specific resource types with an empty resource-identity list, it applies to all instances of those types in scope.
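The naming rules above (custom policies must not use the reserved `system:` prefix) and the rule semantics in this section (a `*` permission expands to the standard actions; an empty resource-identity list matches every instance of the listed types) can be captured in a small evaluator. The following is an added example, not Thalassa Cloud's own authorization code: the `Rule` field names, the resource-type strings, the key identifiers and the regex for the naming convention are assumptions made for this illustration. It also assumes that `*` does not silently cover service-specific actions such as `encrypt` or `push`, since the page describes `*` only as "all standard actions".

```python
import re
from dataclasses import dataclass

# Reserved prefix for platform-managed policies (stated on the page).
RESERVED_PREFIX = "system:"
# Assumed regex for the <service>:<Access> convention; the optional middle group
# also accepts the three-part <service>:<component>:<access> Prometheus variant.
NAME_RE = re.compile(r"^[a-z0-9]+(?::[a-z0-9-]+)?:[A-Za-z][A-Za-z0-9-]*$")

# The five standard actions from the permission-types table; '*' expands to these.
STANDARD_ACTIONS = frozenset({"create", "read", "list", "update", "delete"})


def check_custom_policy_name(name: str) -> dict:
    """Check a proposed custom policy name.

    'allowed' is False only for the reserved 'system:' prefix, which the page
    forbids. 'follows_convention' is advisory: custom names may be free-form.
    """
    return {
        "allowed": not name.startswith(RESERVED_PREFIX),
        "follows_convention": NAME_RE.match(name) is not None,
    }


@dataclass(frozen=True)
class Rule:
    """One permission rule. Field names are assumptions for this example."""
    permissions: frozenset          # e.g. {"read", "list"}, {"*"}, {"encrypt"}
    resource_types: frozenset       # e.g. {"kms-key"}; "*" = every resource type
    resource_identities: frozenset = frozenset()  # empty = all instances of those types


def rule_allows(rule: Rule, action: str, resource_type: str, resource_id: str) -> bool:
    """Does a single rule grant `action` on one concrete resource instance?"""
    # Type match: an explicit type list, or the "*" wildcard (assumed for admin:all).
    if resource_type not in rule.resource_types and "*" not in rule.resource_types:
        return False
    # Identity match: an empty identity list means every instance of the type
    # in scope (the semantics stated on the page); a non-empty list is exact.
    if rule.resource_identities and resource_id not in rule.resource_identities:
        return False
    if action in rule.permissions:
        return True
    # '*' covers the standard actions only; service-specific actions such as
    # encrypt, push or getSecretValue must be granted explicitly (assumption).
    return "*" in rule.permissions and action in STANDARD_ACTIONS


def policy_allows(rules, action: str, resource_type: str, resource_id: str) -> bool:
    """A policy is a list of rules; the request is allowed if any rule allows it."""
    return any(rule_allows(r, action, resource_type, resource_id) for r in rules)


# Constructed sample policies modelled on the KMS table. The resource-type name
# "kms-key" and the key ids are made up for this example.
KMS_READ_ACCESS = [Rule(frozenset({"read", "list"}), frozenset({"kms-key"}))]
KMS_ENCRYPT_ONE_KEY = [Rule(frozenset({"encrypt"}), frozenset({"kms-key"}),
                            frozenset({"key-payments-prod"}))]


if __name__ == "__main__":
    print(check_custom_policy_name("system:MyPolicy"))                           # allowed: False
    print(policy_allows(KMS_READ_ACCESS, "read", "kms-key", "key-a"))             # True
    print(policy_allows(KMS_READ_ACCESS, "encrypt", "kms-key", "key-a"))          # False
    print(policy_allows(KMS_ENCRYPT_ONE_KEY, "encrypt", "kms-key", "key-other"))  # False
```

The second sample policy shows why the identity list matters for least privilege: a `kms:Encrypt`-style grant scoped to one key id refuses the same action on any other key, whereas the read-access rule with an empty identity list applies to every key in scope.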
Global policies
These policies span the entire platform API surface.
| Policy name | Slug | Permissions | Description |
|---|---|---|---|
| admin:all | admin | All actions on all resources (*) | Full administrative access. Assigned automatically to the organisation owner. |
| user:read | user | read, list on all resources | Read-only access across the organisation or project. |
Organisation management
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| org:admin | org-admin | Full CRUD | Organisation settings, members, invites, roles, quotas, teams, notifications, billing (invoices, credits, budgets, savings plans, contracts), addresses, SSH keys, service accounts, federated identities, OIDC clients, audit logs, personal access tokens, access credentials, cloud-init templates, projects |
| org:auditor | org-auditor | read, list | Same organisation resources as org:admin (excluding write-only financial actions such as mandate management) |
| org:financial | org-financial | All actions (*) | Organisation profile, quotas, notifications, addresses, invoices, contracts, mandates, credits, budgets, savings plans |
Identity and access management
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| iam:ReadAccess | iam-read-access | read, list | Organisation roles, role permissions, role bindings, service accounts, service-account credentials, federated identities, identity providers, audit logs, projects |
| iam:FullAccess | iam-full-admin-access | Full CRUD | Same as iam:ReadAccess, plus organisation cloud-init templates |
The `iam:FullAccess` policy is currently stored as `iam:FullAdminAccess` in the platform; the slug `iam-full-admin-access` is unchanged.
Kubernetes
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| k8s:admin | k8s-admin | Full CRUD | Clusters, node pools, machines, version streams, versions, API proxy, kubeconfig download & sessions, cluster roles, bindings, and permissions |
| kubernetes:AdminClusterAccess | kubernetes-admin-cluster-access | Full CRUD on clusters, node pools, machines, API proxy; read/list on cluster roles; kubeconfig download | Operational cluster management without full role-administration write access |
| kubernetes:AllowKubeConfigDownload | kubernetes-kubeconfig-download | read, list, create on kubeconfig download & API proxy; read, list on kubeconfig sessions | Download cluster credentials only |
| k8s:developer | k8s-developer | create, read, update, list (no delete) | Clusters, node pools, machines |
| k8s:auditor | k8s-auditor | read, list | All Kubernetes resources |
| k8s:ReadAccess | k8s-read-access | read, list | All Kubernetes resources |
| k8s:FullAccess | k8s-full-admin-access | Full CRUD | All Kubernetes resources |
`k8s:FullAccess` is currently stored as `k8s:FullAdminAccess`; the slug `k8s-full-admin-access` is unchanged. Legacy names such as `k8s:admin` will be aligned to the `<service>:<Access>` pattern over time.
Infrastructure (IaaS)
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| iaas:admin | iaas-admin | Full CRUD; registry includes push/pull | Cloud regions, VPCs, subnets, routes, peering, VPN/NAT gateways, load balancers, VMs, volumes, snapshots, security groups, machine images/types, TFS, and container registry |
| iaas:devops | iaas-devops | Full CRUD on compute & networking; registry includes push/pull | VPCs, endpoints, firewall rules, subnets, NAT gateways, reserved IPs, load balancers, VMs, volumes, security groups, snapshots, container registry |
| iaas:developer | iaas-developer | create, read, update, list (no delete) | Virtual machines and persistent volumes |
| iaas:auditor | iaas-auditor | read, list; registry pull | Full IaaS resource set and container registry |
| iaas:ReadAccess | iaas-read-access | read, list | Full IaaS resource set (excluding TFS and container registry) |
| iaas:FullAccess | iaas-full-admin-access | Full CRUD | Full IaaS resource set (excluding TFS and container registry) |
`iaas:FullAccess` is currently stored as `iaas:FullAdminAccess`; the slug `iaas-full-admin-access` is unchanged.
Terraform state (TFS)
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| tfs:ReadAccess | tfs-read-access | read, list | Terraform state backends |
| tfs:FullAccess | tfs-full-admin-access | Full CRUD | Terraform state backends |
`tfs:FullAccess` is currently stored as `tfs:FullAdminAccess`; the slug `tfs-full-admin-access` is unchanged.
Container registry
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| registry:admin | registry-admin | Full CRUD + push/pull | Registries, namespaces, namespace configuration, repositories |
| registry:developer | registry-developer | read, list, push, pull | Namespaces and repositories |
| registry:viewer | registry-viewer | read, list, pull | Registries, namespaces, configuration, repositories |
| registry:ReadAccess | registry-read-access | read, list, pull | Registries, namespaces, configuration, repositories |
| registry:FullAccess | registry-full-admin-access | Full CRUD + push/pull | Registries, namespaces, configuration, repositories |
`registry:FullAccess` is currently stored as `registry:FullAdminAccess`; the slug `registry-full-admin-access` is unchanged.
Database as a service (DBaaS)
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| dbaas:admin | dbaas-admin | Full CRUD | DB clusters, backup schedules, backups, instance types |
| dbaas:devops | dbaas-devops | Full CRUD | DB clusters, backup schedules, backups |
| dbaas:auditor | dbaas-auditor | read, list | DB clusters, backup schedules, backups, instance types |
| dbaas:ReadAccess | dbaas-read-access | read, list | DB object stores, clusters, backups, instance types; read-only VPCs and subnets |
| dbaas:FullAccess | dbaas-full-admin-access | Full CRUD on DB resources; read/list on VPCs and subnets | DB object stores, clusters, backups, instance types |
`dbaas:FullAccess` is currently stored as `dbaas:FullAdminAccess`; the slug `dbaas-full-admin-access` is unchanged.
Object storage
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| storage:admin | storage-admin | Full CRUD | Object storage buckets |
| storage:developer | storage-developer | create, read, update, list | Object storage buckets |
| storage:auditor | storage-auditor | read, list | Object storage buckets |
| objectstorage:ReadAccess | objectstorage-read-access | read, list | Object storage buckets |
| objectstorage:FullAccess | objectstorage-full-admin-access | Full CRUD | Object storage buckets |
`objectstorage:FullAccess` is currently stored as `objectstorage:FullAdminAccess`; the slug `objectstorage-full-admin-access` is unchanged.
Key management (KMS)
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| kms:ReadAccess | kms-read-access | read, list | KMS keys |
| kms:FullAccess | kms-full-admin-access | Full CRUD | KMS keys |
| kms:Encrypt | kms-encrypt | encrypt | KMS keys |
| kms:Decrypt | kms-decrypt | decrypt | KMS keys |
| kms:Sign | kms-sign | sign | KMS keys |
| kms:Verify | kms-verify | verify | KMS keys |
| kms:HMAC | kms-hmac | hmac | KMS keys |
| kms:VerifyHMAC | kms-verify-hmac | verify-hmac | KMS keys |
| kms:Rotate | kms-rotate | rotate | KMS keys |
| kms:Export | kms-export | export | KMS keys |
KMS roles require the `kms` feature gate on your organisation.
Secrets Manager
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| secrets:ReadAccess | secrets-read-access | read, list | Secret metadata and versions |
| secrets:FullAccess | secrets-full-access | Full CRUD + getSecretValue, putSecretValue | Secrets at allowed paths |
DNS
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| dns:ReadAccess | dns-read-access | read, list | DNS zones and records |
| dns:FullAccess | dns-full-access | Full CRUD | DNS zones and records |
Observability (Prometheus)
Prometheus policies use a <service>:<component>:<access> variant because the service exposes multiple APIs.
| Policy name | Slug | Permissions | Resources |
|---|---|---|---|
| prometheus:full-access | prometheus-full-access | Full CRUD | Remote write, query, Alertmanager, ruler |
| prometheus:read-only | prometheus-read-only | read, list | Remote write, query, Alertmanager, ruler |
| prometheus:remote-write:full-access | prometheus-remote-write-full-access | Full CRUD | Remote write API |
| prometheus:query:full-access | prometheus-query-full-access | Full CRUD | Query API |
| prometheus:query:read-only | prometheus-query-read-only | read, list | Query API |
| prometheus:alertmanager:full-access | prometheus-alertmanager-full-access | Full CRUD | Alertmanager |
| prometheus:alertmanager:read-only | prometheus-alertmanager-read-only | read, list | Alertmanager |
| prometheus:ruler:full-access | prometheus-ruler-full-access | Full CRUD | Recording and alerting rules |
| prometheus:ruler:read-only | prometheus-ruler-read-only | read, list | Recording and alerting rules |
Related documentation
- Organisation roles — Comparison, migration, and assigning policies
- Permission rules — Custom policies and bindings
- KMS access control — KMS-specific permission guidance
- Secrets Manager access control — Path-scoped secret permissions