Skip to main content

Overview

The Access & Security resources in the Dashboard cover three categories: Key Pairs for SSH access to instances, Security Groups for network-level firewall rules, and Application Credentials for non-interactive API authentication. All three are accessible under Project → Compute and Project → Network.
Prerequisites
  • member role in the active project
  • Key pair private keys must be saved at creation — they cannot be retrieved later

Key Pairs

SSH key pairs provide cryptographic authentication to instances. The public key is injected into the instance at launch; you connect using the corresponding private key.

Create a Key Pair

Open Key Pairs panel

Navigate to Project → Compute → Key Pairs and click Create Key Pair.

Name and generate

Enter a Key Pair Name (e.g., my-laptop-key). Select Key Type:
TypeAlgorithmUse Case
SSHRSA 2048 or Ed25519Standard SSH access
x509X.509 certificateCertificate-based workflows
Click Create Key Pair.

Save the private key

The browser automatically downloads a .pem file containing the private key.
Save the private key file immediately — it is shown only once and cannot be retrieved from the Dashboard or API. Loss of the private key means loss of SSH access to any instance using this key pair.
Set correct permissions on the key file:
Restrict key file permissions
chmod 600 ~/my-laptop-key.pem

Import an Existing Public Key

If you already have an SSH key pair, import just the public key:

Get your public key

Display your public key
cat ~/.ssh/id_ed25519.pub

Import into the Dashboard

In Key Pairs, click Import Public Key. Enter a name and paste the public key string. Click Import Key Pair.

Use a Key Pair

When launching an instance, select the key pair in the Key Pair tab of the Launch Instance wizard. Then connect via SSH:
Connect to instance via SSH
ssh -i ~/my-laptop-key.pem ubuntu@<floating-ip>

Security Groups

Security groups are virtual firewalls applied to instance network ports. Rules are stateful — return traffic for allowed connections is automatically permitted.

Default Security Group

Every project has a default security group that:
  • Allows all egress (outbound) traffic
  • Allows all ingress from instances in the same default group
  • Blocks all other ingress by default

Create a Security Group

Create the group

Navigate to Project → Network → Security Groups and click Create Security Group. Enter a name and description.

Add ingress rules

Click Manage RulesAdd Rule:
RulePortRemoteUse Case
SSH22/TCPYour IP CIDRAdmin SSH access
HTTP80/TCP0.0.0.0/0Public web server
HTTPS443/TCP0.0.0.0/0Public HTTPS
Custom TCP5432/TCPApp security groupDatabase access
All ICMP0.0.0.0/0Ping/traceroute
Use a security group as the Remote instead of a CIDR range when the source IPs are dynamic (e.g., allow all instances in the app-tier group to access the db-tier group on port 5432).

Assign to instances

Apply security groups at launch (Security Groups tab in Launch Instance wizard) or after launch via Actions → Edit Security Groups on the instance.

Common Security Group Patterns

DirectionProtocolPortRemote
IngressTCP22Admin CIDR
IngressTCP800.0.0.0/0
IngressTCP4430.0.0.0/0
EgressAllAll0.0.0.0/0
DirectionProtocolPortRemote
IngressTCP3306app-tier security group
IngressTCP22Admin CIDR
EgressAllAll0.0.0.0/0
DirectionProtocolPortRemote
IngressTCP220.0.0.0/0 (or corporate CIDR)
EgressAllAll0.0.0.0/0

Application Credentials

Application credentials allow scripts, CI/CD pipelines, and automation tools to authenticate to the API without using your personal password or MFA.

Create Application Credentials

Open Application Credentials

Navigate to Identity → Application Credentials and click Create Application Credential.

Configure the credential

FieldDescription
NameDescriptive name (e.g., terraform-prod, ci-backup-job)
DescriptionOptional
SecretLeave blank to auto-generate a secure secret
Expiration Date/TimeOptional — set for temporary credentials
RolesRestrict to a subset of your roles (optional)
UnrestrictedAllow creating/deleting further app credentials (use with caution)

Save the credential

After creation, the Dashboard displays the ID and Secret. Download the clouds.yaml snippet:
clouds.yaml (application credential)
clouds:
  xloud:
    auth:
      auth_url: https://identity.<your-domain>/v3
      application_credential_id: "<ID>"
      application_credential_secret: "<SECRET>"
    region_name: "RegionOne"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"
The secret is shown only once. Copy it immediately — it cannot be retrieved after closing the dialog.

Next Steps

Identity & Access Management

Users, roles, projects, and multi-factor authentication

Application Credentials

Detailed guide to scoped application credentials and token exchange

Security Groups (Networking)

Advanced security group rules for compute instances

Multi-Factor Auth

Add TOTP-based MFA to your account