Skip to main content

Roles and permissions

To give users access to projects and services in your organizations, you grant them permissions and roles:

  • Permissions: Actions that a principal can perform on a resource or group of resources.
  • Roles: Sets of permissions that you can assign to a principal.

Principals are organization users, application users, and groups. You can grant access to principals at the project level. You can add users to services.

To grant access to resources at the organization level, you can make organization users super admin. Limit the number of users with this role as it gives unrestricted access to all organization resources including billing, admin, and all projects and services.

Project roles

You can grant the following roles for projects to principals.

Console nameAPI namePermissions
Adminadmin
  • Full access to the project and all of its services.
Developerdeveloper
  • Create databases.
  • View service connection information.
  • Remove Aiven for OpenSearch® indexes.
  • Create and change Aiven for Apache Kafka® topics.
  • Create and change Aiven for PostgreSQL® connection pools.
  • Create and change service database users.
Operatoroperator
  • View project audit log.
  • View project permissions.
  • Full access to all services in the project and their configuration.
Read onlyread_only
  • View all services and their configuration.
Maintain servicesrole:services:maintenance
  • Perform service maintenance updates.
  • Change maintenance windows.
  • Upgrade service versions.
Recover servicesrole:services:recover
  • Add and remove dynamic disk sizing and tiered storage.
  • Change service plans.
  • Fork services.
  • Promote read replicas.

Project admin do not have access to organization settings such as billing unless they are also a super admin.

Project and service permissions

important

Permissions are not yet fully supported in the Aiven Console. They are intended for use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes®.

You can grant the following permissions to principals. The actions listed for each permission apply to the project and all services within it.

Console nameAPI nameAllowed actions
View project audit logproject:audit_logs:read
  • View the log for the project.
  • View all services in the project.
View project integrationsproject:integrations:read
  • View all integration endpoints for a project.
Manage project integrationsproject:integrations:write
  • Add and remove integration endpoints.
  • Read and write integration secrets.
View project networkingproject:networking:read
  • View all project VPCs.
Manage project networkingproject:networking:write
  • Add, edit, and remove project VPCs.
View project permissionsproject:permissions:read
  • View all users granted permissions to a project.
View servicesproject:services:read
  • View all details for services in a project, except the service logs.
Manage servicesproject:services:write
  • Create and delete services.
  • Power on and off services.
  • Add and remove dynamic disk sizing and tiered storage.
  • Change service plans.
  • Change cloud regions.
  • Fork services.
Manage service configurationservice:configuration:write
  • Change clouds and regions.
  • Change deployment models.
  • Update IP allowlists.
  • Change the network configuration options.
  • Add and remove service tags.
  • Enable and disable termination protection.
  • Configure backup settings.
  • Add and remove service contacts.
Access dataservice:data:write
  • Perform service queries through the API and Console.
  • View query statistics and current queries.
  • Manage service-specific features like Kafka Topics and Schemas, PostgreSQL and AlloyDB Omni connection pools, and OpenSearch indexes.
View service logsservice:logs:read
  • View logs for all services in the project.
Service logs may contain sensitive information.
View configuration secretsservice:secrets:read
  • Read service configuration secrets such as keys.
Manage service usersservice:users:write
  • Create and delete service users.
  • View and update connection information for services.