
Documentation / IAM


Ebbflow's IAM system is simple. It uses role-based access control to determine which authenticated identities can take which actions. There are some simple concepts involved:

  • Policy - A policy is an expression of allowing something, or disallowing something, in a special format. Policies affect Identities or Roles.
  • Identity - Typically a Host or an SSH user, represented by the keys used to authenticate. As of now, there are two types of identities, Host Keys and SSH Keys
  • Role - A way to group multiple identities into a single entity. Policies can be applied to Roles to reduce complexity.

Policies are applied to either Roles or Identities. For an identity to take an action, it must have policies that expressly allow the action to take place on the targeted resource, AND there must not be any policies applied that forbid the action from being taken.

Quick Overview

As of now, Ebbflow's permissions apply to hosts trying to host endpoints/SSH, or SSH keys trying to SSH to things. Creating/editing Endpoints, updating IAM roles/policies/etc, and other Console actions have permissions granted fully to the root login for the account.
  • Hosting an Endpoint
    • The host key identity needs a policy allowing the hosting:HostEndpoint action on the Endpoint resource
  • Hosting an SSH Target
    • The host key identity needs a policy allowing the hosting:HostSshTarget action on the SSH target resource
  • SSHing to a target
    • The SSH key identity needs a policy allowing the ssh:SshToTarget action on the SSH target resource


Policies dictate which actions identities can take on which resources. For example, a Host Key identity may try to take the action hosting:HostEndpoint on the resource ern:ebb:hosting:ACCOUNTID:endpoint/example.com. For this to be allowed, there must be a policy that allows it, and no policy that denies it.

Ebbflow provides Managed Policies that you can attach to your identities and roles. These typically provide general permissions for you to get started with. You can view these policies in the IAM console.

Writing Policies

Policies are written in YAML and have three components: effect, action, and resource.

  • effect: (Allow or Deny) Does this policy grant the action on the resource, or deny it?
  • action: The name of the action in question
    • Actions are either Read or Write, and you can specify this general classification in your policies
  • resource: The entity that is affected by this action

Actions & Resources

In Ebbflow, the following actions exist, each with a corresponding resource:

| Action Name | Read/Write | Description | Resource |
|---|---|---|---|
| hosting:HostEndpoint | Write | The act of hosting an endpoint. The ebbflow client does this for its configured endpoints. This applies to Host Key identities. | The ern of an endpoint, e.g. ern:ebb:hosting:ACCOUNTID:endpoint/example.com |
| hosting:HostSshTarget | Write | The act of hosting an SSH target of the hostname ern. This applies to Host Key identities. | The ern of an SSH target, e.g. ern:ebb:hosting:ACCOUNTID:sshtarget/my-hostname |
| ssh:SshToTarget | Write | SSH to a target host. This applies to SSH Key identities. | The ern of an SSH target, e.g. ern:ebb:hosting:ACCOUNTID:sshtarget/my-hostname |

Currently, there is no API interface for Ebbflow and therefore only these actions exist.


Here are various examples of policies that you can adapt to suit your needs.
  • Allow Hosting of a single endpoint
    effect: Allow
    action: hosting:HostEndpoint
    resource: ern:ebb:hosting:ACCOUNTID:endpoint/example.com
  • Deny the hosting of any SSH target
    effect: Deny
    action: hosting:HostSshTarget
    resource: "*"
  • Allow all reads, deny all writes (two policies)

    NOTE: As of now, there are no Read APIs, but they may be added in the future

    effect: Allow
    action: Read
    resource: "*"

    effect: Deny
    action: Write
    resource: "*"
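
The evaluation rule stated above (an explicit Allow is required, and any matching Deny wins) can be checked against a set of policies before attaching them. The following is an added example, not Ebbflow's own code; the matching rules (exact action name or its Read/Write class, exact ern or "*") and all function and variable names are assumptions for illustration.

```python
# Added illustration of the allow/deny rule described on this page.
# Not Ebbflow code: the matching rules below are assumptions.

# Read/Write classification taken from the page's action table.
ACTION_CLASS = {
    "hosting:HostEndpoint": "Write",
    "hosting:HostSshTarget": "Write",
    "ssh:SshToTarget": "Write",
}

# Constructed sample data (ACCOUNTID is the page's placeholder).
ENDPOINT = "ern:ebb:hosting:ACCOUNTID:endpoint/example.com"
SSH_TARGET = "ern:ebb:hosting:ACCOUNTID:sshtarget/my-hostname"

HOST_KEY_POLICIES = [  # attached directly to a host key identity
    {"effect": "Allow", "action": "hosting:HostEndpoint", "resource": ENDPOINT},
]
ROLE_POLICIES = [  # attached to a role that the identity belongs to
    {"effect": "Allow", "action": "Write", "resource": "*"},
    {"effect": "Deny", "action": "hosting:HostSshTarget", "resource": "*"},
]


def matches(policy, action, resource):
    """True if the policy covers this action on this resource."""
    # Assumption: a policy action is an exact name or the class Read/Write.
    action_ok = policy["action"] in (action, ACTION_CLASS.get(action))
    # Assumption: a policy resource is an exact ern or the wildcard "*".
    resource_ok = policy["resource"] in ("*", resource)
    return action_ok and resource_ok


def is_allowed(identity_policies, role_policies, action, resource):
    """An explicit Allow is required, and any matching Deny overrides it."""
    applicable = [p for p in identity_policies + role_policies
                  if matches(p, action, resource)]
    if any(p["effect"] == "Deny" for p in applicable):
        return False
    return any(p["effect"] == "Allow" for p in applicable)


if __name__ == "__main__":
    for action, res in [("hosting:HostEndpoint", ENDPOINT),
                        ("hosting:HostSshTarget", SSH_TARGET),
                        ("ssh:SshToTarget", SSH_TARGET)]:
        verdict = is_allowed(HOST_KEY_POLICIES, ROLE_POLICIES, action, res)
        print(f"{action} on {res}: {'allowed' if verdict else 'denied'}")
```

The broad role policy "Allow Write on *" also grants ssh:SshToTarget, which is the kind of unintended grant this check surfaces before a policy is attached.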

Identities and Roles

Identities have types, and as of now, there are two: Host Keys and SSH Keys. Host keys are used by the client to authenticate with Ebbflow, and are used for actions such as hosting:HostEndpoint and hosting:HostSshTarget.

SSH keys are uploaded by you. When you use Ebbflow as an SSH proxy, we authenticate your key, and then check that you have policies allowing you to take the action of ssh:SshToTarget on the target host, for example ern:ebb:hosting:ACCOUNTID:sshtarget/my-hostname.

Host keys are provisioned by using the ebbflow init command, or they can be created in the IAM Console, and then later provided to the client by executing ebbflow init -n with the EBB_KEY environment variable set. Please look at client documentation for more information on that.

Using IAM in Ebbflow

To modify IAM roles, policies, which identities have which policies, etc., use the IAM console page. You can attach and detach policies as you wish. If you have questions, please contact us.