OIDC and Access Policies

If you are using attribute-based access control, you can grant an OIDC principal an access policy to give them access to your Equinix infrastructure. Then when your OIDC principal performs a token exchange, provide the ERN of the access policy for the scope parameter. If the principal has a grant, the token exchange issues a bearer token.

Necessary permissions to manage grants and Access Policies are either:

  • Role-based Access Control - The IAM Admin role.
  • Attribute-based Access Control - An Access Policy containing: use/listAccessPolicies, use/addGrant, use/listGrants, use/removeGrant.

Limited Availability

Attribute-based Access Control is currently offered under Limited Availability (LA) status. Access is restricted to a controlled set of customers and use cases. Features may be incomplete, subject to change, and could contain defects. Operational safeguards and capacity limits apply. By using this API, you acknowledge that:

  • It is intended for early access and feedback purposes only.
  • Availability may be limited by region, segment, or capacity constraints.
  • Functionality, performance, and stability are not guaranteed at this stage.
  • Documentation and support resources may be evolving.
  • Feedback provided during this phase will inform improvements prior to General Availability (GA).

View Access Policies

To view the existing access policies for a project, send a GET request to the /v1/projects/{projectId}/accessPolicies endpoint. When you add a grant to an access policy, you must supply the access policy ID in your request.

Sample cURL Request:

curl -X GET 'https://access.eqix.equinix.com/v1/projects/{projectId}/accessPolicies' \
-H 'Authorization: Bearer <token>'

Add a Grant

To add a grant to an Access Policy, send a POST request to the /v1/projects/{projectId}/accessPolicies/{accessPolicyId}/grants endpoint. Specify:

  • The project ID and the access policy ID in the path of the request.

  • The OIDC principal you are granting access to, in the grantee field, in one of the following formats:

    • principal:<projectId>:<idp>:<subject> for a user or service.
    • group:<projectId>:<idp>:<groupName> for a group.
    • project:<projectId> for another project, to export this access policy to that project.

Sample cURL Request:

curl -X POST 'https://access.eqix.equinix.com/v1/projects/{projectId}/accessPolicies/{accessPolicyId}/grants' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <token>' \
-d '{
"grantee": "principal:<projectId>:<idp>:<subject>"
}'

List Grants

To see which OIDC principals have been granted a specific access policy, get the list of grants. Send a GET request to the /v1/projects/{projectId}/accessPolicies/{accessPolicyId}/grants endpoint.

Sample cURL Request:

curl -X GET 'https://access.eqix.equinix.com/v1/projects/{projectId}/accessPolicies/{accessPolicyId}/grants' \
-H 'Authorization: Bearer <token>'

Remove a Grant

When you remove a grant, the OIDC principal loses the permissions granted by the access policy. To remove a grant, send a DELETE request to the /v1/projects/{projectId}/accessPolicies/{accessPolicyId}/grants/{grantId} endpoint.

Sample cURL Request:

curl -X DELETE 'https://access.eqix.equinix.com/v1/projects/{projectId}/accessPolicies/{accessPolicyId}/grants/{grantId}' \
-H 'Authorization: Bearer <token>'
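The Add, List and Remove Grant steps above describe a lifecycle that is worth auditing periodically: validate each grantee string against the three documented formats, compare the grants an access policy currently holds with an allowlist, and produce the DELETE URLs for anything unexpected. The following Python is an added example, not Equinix code; the shape of the List Grants response (a list of objects with "id" and "grantee" keys) and the sample grants are assumptions constructed for illustration.

```python
from typing import Optional

BASE_URL = "https://access.eqix.equinix.com"


def parse_grantee(value: str) -> dict:
    """Validate a grantee string in one of the documented formats and return its parts.
    Raises ValueError for anything else, so a typo never becomes a silent grant."""
    parts = value.split(":")
    if any(p == "" for p in parts):
        raise ValueError(f"malformed grantee: {value!r}")
    kind = parts[0]
    if kind == "principal" and len(parts) == 4:       # principal:<projectId>:<idp>:<subject>
        return {"kind": kind, "project": parts[1], "idp": parts[2], "subject": parts[3]}
    if kind == "group" and len(parts) == 4:           # group:<projectId>:<idp>:<groupName>
        return {"kind": kind, "project": parts[1], "idp": parts[2], "group": parts[3]}
    if kind == "project" and len(parts) == 2:         # project:<projectId>
        return {"kind": kind, "project": parts[1]}
    raise ValueError(f"malformed grantee: {value!r}")


def grants_url(project_id: str, policy_id: str, grant_id: Optional[str] = None) -> str:
    """Build the grants endpoint; with grant_id it is the DELETE target for one grant."""
    url = f"{BASE_URL}/v1/projects/{project_id}/accessPolicies/{policy_id}/grants"
    return f"{url}/{grant_id}" if grant_id else url


def grant_drift(grants: list, allowed: set) -> dict:
    """Compare List Grants output with an allowlist of grantees.
    'remove' holds grants not on the allowlist; 'add' holds allowed grantees with no grant."""
    seen = {g["grantee"] for g in grants}
    return {"remove": [g for g in grants if g["grantee"] not in allowed],
            "add": sorted(allowed - seen)}


# Constructed sample of a List Grants response (response shape is an assumption).
SAMPLE_GRANTS = [
    {"id": "grant-1", "grantee": "principal:proj-a:okta:ci-deployer"},
    {"id": "grant-2", "grantee": "group:proj-a:okta:platform-admins"},
    {"id": "grant-3", "grantee": "principal:proj-a:github:leftover-test-bot"},
]
ALLOWED = {"principal:proj-a:okta:ci-deployer",
           "group:proj-a:okta:platform-admins",
           "project:proj-b"}


def review(project_id: str, policy_id: str, grants=SAMPLE_GRANTS, allowed=ALLOWED) -> list:
    """Validate every grantee, then return the DELETE URLs for grants outside the allowlist."""
    for g in grants:
        parse_grantee(g["grantee"])
    return [grants_url(project_id, policy_id, g["id"]) for g in grant_drift(grants, allowed)["remove"]]
```

Feed the real List Grants response into review() and send each returned URL with the DELETE request shown above; the "add" list from grant_drift() is what still needs a POST.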