Security
Uncloud provides multiple layers of security: SSH key management for VM access, API tokens for programmatic access, and IAM for role-based access control.
SSH Keys
SSH keys are used for secure access to Droplets. Public keys are injected into VMs at creation time via cloud-init.
Key Management
- Upload — Add your public key to Uncloud
- Fingerprint — Each key gets an MD5 fingerprint for identification
- Multi-key — Attach multiple SSH keys to a single Droplet
- Project-scoped — Keys are isolated per project
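The following is an added example, not Uncloud's code: it parses an OpenSSH public-key line, derives the MD5 fingerprint Uncloud uses for identification (the same colon-separated digest `ssh-keygen -l -E md5 -f key.pub` prints after `MD5:`), derives the SHA-256 form for comparison, and builds the standard cloud-init `ssh_authorized_keys` user-data that "injected via cloud-init" amounts to. The sample key is constructed (an all-zero Ed25519 point) and the exact user-data document Uncloud generates is not shown on this page, so that part is an assumption about the mechanism, not a description of the platform.

```python
# Added example (not Uncloud's code): parse an OpenSSH public-key line,
# derive the fingerprints used to identify it, and build the cloud-init
# user-data that installs it on a VM.
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """OpenSSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a syntactically valid ssh-ed25519 line whose 32-byte
# public point is all zeros. It is NOT a real key.
SAMPLE_KEY_LINE = (
    "ssh-ed25519 "
    + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
    + " alice@example"
)


def parse_public_key(line: str) -> tuple[str, bytes, str]:
    """Return (key_type, key_blob, comment) or raise ValueError.

    The type embedded in the blob must match the declared type; a mismatch
    usually means a pasted-together or truncated key.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode("ascii", errors="replace")
    if embedded_type != key_type:
        raise ValueError(f"declared type {key_type!r} but blob says {embedded_type!r}")
    return key_type, blob, comment


def is_valid_key_line(line: str) -> bool:
    """Validation gate to run before uploading a key."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated hex MD5 over the key blob. MD5 is fine for
    identifying a key you already trust; it is not a security control."""
    hexdigest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Default modern form printed by `ssh-keygen -l`: unpadded base64 of SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints(line: str) -> dict[str, str]:
    """Both fingerprints of a key line; the comment is not part of either."""
    _, blob, _ = parse_public_key(line)
    return {"md5": md5_fingerprint(blob), "sha256": sha256_fingerprint(blob)}


def cloud_config_for_keys(lines: list[str]) -> str:
    """Standard cloud-init user-data installing the keys for the default user.
    Assumed form of the injection step; Uncloud's own document is not shown here."""
    parsed = [parse_public_key(l) for l in lines]  # reject malformed keys up front
    entries = "\n".join(
        f"  - {t} {base64.b64encode(b).decode()} {c}".rstrip() for t, b, c in parsed
    )
    return "#cloud-config\nssh_authorized_keys:\n" + entries + "\n"
```

Before uploading, compare `fingerprints(line)["md5"]` with the fingerprint Uncloud shows after upload; a mismatch means a different key was stored than the one you meant to attach.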
API Tokens
API tokens provide programmatic access to the Uncloud API. Tokens support scoped permissions for fine-grained access control.
Token Features
- Hashed storage — Token values are hashed; the plain-text token is only shown once at creation
- Scopes — Restrict tokens to specific API operations
- Revocation — Instantly revoke compromised tokens
- Expiration — Set optional expiry dates
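As an added example (not Uncloud's implementation), here is a minimal token store with the four properties listed above: only a SHA-256 hash of each token is kept, the plain-text value is returned exactly once at creation, and every request is checked for revocation, expiry and scope before it is allowed. The `uc_` prefix, the hex token id and the exact-match scope strings are assumptions for illustration; expiry is modelled in Unix seconds.

```python
# Added example (not Uncloud's implementation): API tokens hashed at rest,
# shown once, scoped, expirable and revocable.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_PREFIX = "uc_"  # assumed prefix, for illustration only


def hash_token(token: str) -> str:
    # Tokens carry 256 bits of randomness, so an unsalted SHA-256 is a sound
    # one-way store; salting and stretching are for low-entropy secrets
    # such as passwords, not for random tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenRecord:
    token_id: str            # public identifier, safe to show in a UI or log
    token_hash: str          # hex SHA-256 of the plain-text token
    scopes: frozenset[str]   # exact operations this token may call
    expires_at: Optional[int]  # Unix seconds, or None for no expiry
    revoked: bool = False


class TokenStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, TokenRecord] = {}
        self._by_id: dict[str, TokenRecord] = {}

    def create(self, scopes, ttl_seconds: Optional[int] = None,
               now: Optional[int] = None) -> tuple[str, str]:
        """Mint a token; returns (token_id, plain_text). The plain text is
        never stored, so this is the only time the caller can see it."""
        now = int(time.time()) if now is None else now
        plain = TOKEN_PREFIX + secrets.token_urlsafe(32)
        rec = TokenRecord(
            token_id=secrets.token_hex(8),
            token_hash=hash_token(plain),
            scopes=frozenset(scopes),
            expires_at=None if ttl_seconds is None else now + ttl_seconds,
        )
        self._by_hash[rec.token_hash] = rec
        self._by_id[rec.token_id] = rec
        return rec.token_id, plain

    def revoke(self, token_id: str) -> bool:
        """Revoke by id, so an operator never needs the plain-text value."""
        rec = self._by_id.get(token_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authorize(self, presented: str, operation: str,
                  now: Optional[int] = None) -> tuple[bool, str]:
        """Decide whether `presented` may perform `operation`; fail closed."""
        now = int(time.time()) if now is None else now
        rec = self._by_hash.get(hash_token(presented))
        if rec is None:
            return False, "unknown token"
        if rec.revoked:
            return False, "revoked"
        if rec.expires_at is not None and now >= rec.expires_at:
            return False, "expired"
        if operation not in rec.scopes:
            return False, "scope not granted"
        return True, "ok"

    def stores_plaintext(self, plain: str) -> bool:
        """Check for the failure mode hashing is meant to prevent: the
        plain-text token appearing anywhere in what would be persisted."""
        return any(plain in repr(rec) for rec in self._by_hash.values())
```

Lookup is by hash of the presented value, so a dump of the store yields nothing that can be replayed against the API; revocation works by id for the same reason.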
IAM (Identity & Access Management)
Uncloud includes an IAM system for managing users, roles, and groups.
Users
IAM users represent individuals or service accounts that interact with the platform.
Roles
Roles define a set of permissions. Assign roles to users or groups:

| Permission | Description |
|---|---|
| compute:* | Full access to Droplets |
| apps:read | Read-only access to Apps |
| databases:write | Create and manage databases |
| storage:* | Full access to volumes and buckets |
| admin:* | Full admin access |
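As an added example (not Uncloud's code), the resolver below shows one way permission strings of the form shown in the table can be evaluated for a user, including the group inheritance described in the next section. The matching rules are assumptions: `service:*` covers every action of that service, `admin:*` covers every service, an unknown role grants nothing, and whether `databases:write` implies read is not stated on this page, so the example does not assume it. The role and group tables are constructed sample data.

```python
# Added example (not Uncloud's code): resolve "service:action" permissions
# with wildcards for a principal through its roles and its groups' roles.
from dataclasses import dataclass, field


def permission_matches(granted: str, required: str) -> bool:
    """Does one granted permission satisfy one required operation?"""
    r_service, r_sep, r_action = required.partition(":")
    if not (r_service and r_sep and r_action):
        return False                       # malformed request: deny
    if granted == "admin:*":
        return True                        # assumed: admin:* covers every service
    g_service, g_sep, g_action = granted.partition(":")
    if not (g_service and g_sep and g_action) or g_service != r_service:
        return False
    return g_action == "*" or g_action == r_action


# Constructed sample data, mirroring the permission strings in the table.
ROLES: dict[str, set[str]] = {
    "compute-admin": {"compute:*"},
    "app-viewer": {"apps:read"},
    "db-operator": {"databases:write"},
    "storage-admin": {"storage:*"},
    "platform-admin": {"admin:*"},
}
GROUPS: dict[str, set[str]] = {
    "backend-team": {"compute-admin", "db-operator"},
}


@dataclass
class Principal:
    """An IAM user or service account with directly assigned roles and groups."""
    name: str
    roles: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)


def effective_permissions(user: Principal, roles=ROLES, groups=GROUPS) -> set[str]:
    """Union of permissions from the user's own roles and its groups' roles."""
    role_names = set(user.roles)
    for group in user.groups:
        role_names |= groups.get(group, set())   # unknown group: nothing inherited
    perms: set[str] = set()
    for role in role_names:
        perms |= roles.get(role, set())          # unknown role: fail closed
    return perms


def is_allowed(user: Principal, required: str, roles=ROLES, groups=GROUPS) -> bool:
    return any(permission_matches(p, required)
               for p in effective_permissions(user, roles, groups))
```

Asking `is_allowed(user, "compute:*")` is only true when the user actually holds the wildcard (or `admin:*`); a single concrete action never satisfies a wildcard request.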
Groups
Groups are collections of users. Assign roles to a group, and all members inherit those permissions.
Network Security
- Project isolation — Resources in different projects cannot communicate by default
- Network policies — Cilium-based firewall rules at the pod level
- TLS everywhere — All external endpoints use HTTPS with auto-provisioned certificates
- Private networking — Resources communicate over private IPs within a project