IAM Policies
Identity and Access Management (IAM) policies in ionscale control who can access a tailnet and what administrative permissions they have.
OIDC required
IAM policies are only relevant when an OIDC provider is configured. If your ionscale instance isn't using OIDC, access to tailnets is managed solely through auth keys.
Understanding IAM policies
IAM policies determine:
- Which users can join a tailnet
- What roles and permissions users have within the tailnet
- How access decisions are made based on user attributes
An IAM policy consists of:
{
"subs": ["auth0|123456789"],
"filters": ["domain == example.com"],
"emails": ["specific-user@otherdomain.com"],
"roles": {
"admin@example.com": "admin"
}
}
IAM policy components
Subs
The subs list provides direct access based on user IDs (subjects):
Any user whose ID matches an entry in this list will be granted access to the tailnet. User IDs are typically provided by the OIDC provider and are unique identifiers for each user.
Emails
The emails list provides direct access to specific email addresses:
Any user with an email in this list will be granted access to the tailnet, regardless of filters.
Filters
Filters are expressions that evaluate user attributes:
These expressions determine if a user can access the tailnet based on their identity attributes. Users matching any filter expression will be granted access.
Roles
The roles map assigns specific roles to users:
"roles": {
"admin@example.com": "admin",
"devops@example.com": "admin",
"developer@example.com": "member"
}
Available roles:
- admin: Can manage tailnet settings, ACLs, and auth keys
- member: Standard access to use the tailnet (default)
Managing IAM policies
View and update IAM policies using the ionscale CLI:
# View current IAM policy
ionscale iam get-policy --tailnet "my-tailnet"
# Update IAM policy using a JSON file
ionscale iam update-policy --tailnet "my-tailnet" --file policy.json
Common IAM patterns
Domain-based tailnet
Grant access to everyone with the same email domain:
{
"filters": ["domain == example.com"],
"roles": {
"admin1@example.com": "admin",
"admin2@example.com": "admin"
}
}
Personal tailnet
Create a tailnet for individual use:
Setting IAM during tailnet creation
You can set basic IAM policies during tailnet creation with CLI flags:
# Allow all users with an @example.com email address
ionscale tailnet create --name "shared-tailnet" --domain "example.com"
# Allow only a specific user
ionscale tailnet create --name "personal-tailnet" --email "user@example.com"
These shortcuts create appropriate filter rules or email entries in the IAM policy.
IAM policy evaluation
When a user attempts to access a tailnet, the following checks occur:
- Is the user's ID in the
subslist? If yes, grant access. - Is the user's email in the
emailslist? If yes, grant access. - Does the user match any expression in the
filterslist? If yes, grant access. - If none of these conditions are met, access is denied.
For role determination:
- Check if the user has an entry in the
rolesmap - If yes, assign that role
- If no, assign the default
memberrole
Security considerations
- Principle of least privilege: Start with minimal access and add users or filters as needed
- Regular audits: Periodically review IAM policies to ensure only appropriate users have access
- Admin roles: Limit admin roles to trusted users who need to manage tailnet settings
Troubleshooting access issues
If a user is having trouble accessing a tailnet:
- Verify the user's email is correct and matches their OIDC identity
- Check filter expressions to ensure they match the user's attributes
- Verify the user is authenticating against the correct ionscale instance
- Check OIDC provider configuration and token issuance