
OIDC and Roles

If you are using role-based access control, you can assign roles to an OIDC principal to give it access to your Equinix infrastructure. When that OIDC principal then performs a token exchange, use roleassignments:<org-id> as the scope parameter. If the principal has role assignments in the organization, the token exchange issues a bearer token.

The permissions needed to assign and manage roles are one of the following:

  • Role-based Access Control - The IAM Admin role.
  • Attribute-based Access Control - An Access Policy containing: use/createRoleAssignment, use/listRoleAssignments, use/getRoleAssignment, use/deleteRoleAssignment.

Available Roles

To list all roles, send a GET request to the /v1/roles endpoint.

Sample cURL Request:

curl -X GET 'https://access.eqix.equinix.com/v1/roles' \
  -H 'Authorization: Bearer <token>'

To list the roles available in a particular project, send a GET request to the /v1/projects/{projectId}/roles endpoint.

Sample cURL Request:

curl -X GET 'https://access.eqix.equinix.com/v1/projects/project:{projectId}/roles' \
  -H 'Authorization: Bearer <token>'

The response contains the role's ID and assignment scope.

The assignmentScope.type field lists the assignment scopes allowed for that role. The possible values are:

  • assignmentScopeType=PDS_ORG
  • assignmentScopeType=ORGANIZATION
  • assignmentScopeType=PROJECT
  • assignmentScopeType=BILLING_ACCOUNT
  • assignmentScopeType=SUBSCRIPTION_KEY
  • assignmentScopeType=PORT

The assignmentScope.id is the unique ID for that scope.

When you create a role assignment, you need to specify the project ID and scope information.

Create a Role Assignment

To create a role assignment, send a POST request to the /v1/roleAssignments endpoint.

Sample cURL Request:

curl -X POST 'https://access.eqix.equinix.com/v1/roleAssignments' \
  -H 'content-type: application/json' \
  -H 'authorization: Bearer <token>' \
  -d '{
    "principal": "<principal:principal_id>",
    "roleId": "<role:role_id>",
    "assignmentScope": {
      "id": "<role_assignment_scope_id>",
      "type": "<role_assignment_scope>"
    }
  }'

List Role Assignments

To list all role assignments for an assignment scope type, send a GET request to the /v1/roleAssignments endpoint. Use the assignmentScopeId and assignmentScopeType query parameters to limit the response to the specified scope type.

Sample cURL Request:

curl -X GET 'https://access.eqix.equinix.com/v1/roleAssignments?assignmentScopeId=<assignment_scope_id>&assignmentScopeType=<assignment_scope_type>' \
  -H 'Authorization: Bearer <token>'

Get Role Assignment Details

To get the details of a specific role assignment, send a GET request to the /v1/roleAssignments/{roleAssignmentId} endpoint.

Sample cURL Request:

curl -X GET 'https://access.eqix.equinix.com/v1/roleAssignments/roleassignment:{roleAssignmentId}' \
  -H 'Authorization: Bearer <token>'

Delete a Role Assignment

When you delete a role assignment, the OIDC user loses the permissions granted by that role. To delete a role assignment, send a DELETE request to the /v1/roleAssignments/{roleAssignmentId} endpoint.

Sample cURL Request:

curl -X DELETE 'https://access.eqix.equinix.com/v1/roleAssignments/roleassignment:{roleAssignmentId}' \
  -H 'Authorization: Bearer <token>'
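As an added example (not Equinix code), the following Python ties together the sections above: it builds a /v1/roleAssignments body only for a scope type the role permits, produces the roleassignments:<org-id> token-exchange scope, and lists the DELETE paths for a principal's org-wide assignments so they can be reviewed against least privilege. The role and assignment objects are constructed sample data, and the exact field layout of the API responses is an assumption.

```python
import json

# Scope types named on this page for assignmentScope.type
SCOPE_TYPES = {"PDS_ORG", "ORGANIZATION", "PROJECT",
               "BILLING_ACCOUNT", "SUBSCRIPTION_KEY", "PORT"}
ORG_WIDE = {"PDS_ORG", "ORGANIZATION"}  # scopes that span the whole organization

def build_role_assignment(role, principal_id, scope_type, scope_id):
    """Build the body for POST /v1/roleAssignments.
    `role` is one entry from GET /v1/roles; assumption: its
    assignmentScope.type is the list of scope types the role allows.
    Rejecting a disallowed scope client-side gives a clear error first."""
    if scope_type not in SCOPE_TYPES:
        raise ValueError(f"unknown assignmentScopeType: {scope_type}")
    allowed = set(role["assignmentScope"]["type"])
    if scope_type not in allowed:
        raise ValueError(f"{role['id']} cannot be assigned at {scope_type}; "
                         f"allowed: {sorted(allowed)}")
    return {
        "principal": f"principal:{principal_id}",
        "roleId": role["id"],
        "assignmentScope": {"id": scope_id, "type": scope_type},
    }

def token_exchange_scope(org_id):
    """Scope parameter the OIDC principal sends in its token exchange."""
    return f"roleassignments:{org_id}"

def org_wide_assignments(assignments, principal):
    """Least-privilege review: DELETE paths for every assignment held by
    `principal` at an org-wide scope. Assumed list shape: each item has
    an 'id' plus the fields of the create body."""
    return [f"/v1/roleAssignments/roleassignment:{a['id']}"
            for a in assignments
            if a["principal"] == principal
            and a["assignmentScope"]["type"] in ORG_WIDE]

# Constructed sample data, not real API output
ROLE = {"id": "role:<role_id>",
        "assignmentScope": {"type": ["ORGANIZATION", "PROJECT"]}}
ASSIGNMENTS = [
    {"id": "ra-1", "principal": "principal:ci-bot", "roleId": ROLE["id"],
     "assignmentScope": {"id": "org-1", "type": "ORGANIZATION"}},
    {"id": "ra-2", "principal": "principal:ci-bot", "roleId": ROLE["id"],
     "assignmentScope": {"id": "proj-7", "type": "PROJECT"}},
]

if __name__ == "__main__":
    print(json.dumps(build_role_assignment(ROLE, "ci-bot", "PROJECT", "proj-7"), indent=2))
    print(token_exchange_scope("org-1"), org_wide_assignments(ASSIGNMENTS, "principal:ci-bot"))
```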