Understanding IAM in Vidos

Identity and Access Management (IAM) in Vidos establishes the foundation of security and access control throughout the platform. It defines who can access your resources, what actions they can perform, and under what conditions access is granted.

What is IAM in Vidos?

IAM in Vidos is a comprehensive security framework that governs how identities interact with services and resources. It brings together several essential concepts:

Identities and authentication — Who or what is making the request?
Permissions and authorization — What are they allowed to do?
Secure access patterns — How do they connect to resources?
Controlled resource boundaries — What can they access?

Through these integrated components, IAM creates a cohesive security model that spans all Vidos services while enforcing the principle of least privilege.

Core IAM components

IAM in Vidos is built on several interconnected components that work together to create a comprehensive security framework:

IAM scopes

IAM scopes establish distinct operational contexts that separate administrative operations from service functionality:

Management scope — Used for creating, configuring, and managing service instances
Service scope — Used for accessing the core functionality of service instances

This dual-scope architecture creates clear security boundaries and operational clarity while enforcing separation of concerns.

Policy documents

IAM policy documents define permissions through structured JSON objects with explicit statements about:

Who can access specific resources
What actions they can perform
Under what conditions access is granted or denied

These documents form the backbone of the permission system in Vidos, creating precise, auditable access rules.

API keys

API keys provide secure, credential-based access to Vidos services:

Each key has a unique identifier and secret
Keys operate within specific scopes (management or service)
Permissions are defined through attached policies
Keys establish identity for authentication and auditing

API keys represent the primary method for programmatic access to Vidos services.

Service roles

Service roles enable secure service-to-service communication:

Define permissions for one service to access another
Support both account-managed and Vidos-managed roles
Create clear security boundaries between services
Enable principle-of-least-privilege for service interactions

Service roles form the foundation of secure service composition in Vidos.

Service instance references

Service instance references connect services together:

Point to specific service instances
Include service role references for authentication
Enable flexible service composition
Support explicit instance selection or managed references

These references enable secure, controlled communication between services.

Security principles

The IAM architecture in Vidos implements several fundamental security principles:

Defense in depth

IAM implements multiple layers of security controls:

Network isolation between services
Authentication for all requests
Authorization for all operations
Scope separation for distinct contexts
Explicit allow/deny evaluation

Principle of least privilege

IAM enforces minimal necessary access through:

Explicit permission statements
Deny-by-default for all resources
Scope-limited operations
Fine-grained action control
Precise resource targeting

Separation of duties

IAM enables separation of responsibilities:

Management/service scope division
Distinct roles for different operations
Customizable policy documents
Purpose-specific API keys
Role-based access control

Secure service composition

IAM enables secure interactions between services:

Service roles with precise permissions
Instance references with explicit targeting
Clear security boundaries between services
Controlled authentication context
Auditable service connections

Regions — Geographic boundaries affecting resource access
Instances — Service instances controlled by IAM
Configurations — Service settings with IAM references