/snap/lxd/35210/share/lxd-documentation/explanation/authorization/ Current File: //snap/lxd/35210/share/lxd-documentation/explanation/authorization/index.html
<!doctype html>
<html class="no-js" lang="en" data-content_root="../../">
  <head><meta charset="utf-8"/>
    <meta name="viewport" content="width=device-width,initial-scale=1"/>
    <meta name="color-scheme" content="light dark"><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta property="og:title" content="Remote API authorization" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://documentation.ubuntu.com/lxd/latest/explanation/authorization/" />
<meta property="og:site_name" content="LXD documentation" />
<meta property="og:description" content="When LXD is exposed over the network it is possible to restrict API access via two mechanisms: Restricted TLS certificates, Fine-grained authorization. Restricted TLS certificates: It is possible t..." />
<meta property="og:image" content="https://documentation.ubuntu.com/lxd/latest/_static/tag.png" />
<meta property="og:image:alt" content="LXD documentation" />
<meta name="description" content="When LXD is exposed over the network it is possible to restrict API access via two mechanisms: Restricted TLS certificates, Fine-grained authorization. Restricted TLS certificates: It is possible t..." />
<link rel="index" title="Index" href="../../genindex/" /><link rel="search" title="Search" href="../../search/" /><link rel="next" title="Instances grouping with projects" href="../projects/" /><link rel="prev" title="Remote API authentication" href="../../authentication/" />
        <link rel="canonical" href="https://documentation.ubuntu.com/lxd/explanation/authorization/" />

    <link rel="shortcut icon" href="../../_static/favicon.ico"/><!-- Generated with Sphinx 8.2.3 and Furo 2025.07.19 -->
        <title>Remote API authorization</title>
      <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=d111a655" />
    <link rel="stylesheet" type="text/css" href="../../_static/styles/furo.css?v=25af2a20" />
    <link rel="stylesheet" type="text/css" href="../../_static/copybutton.css?v=76b2166b" />
    <link rel="stylesheet" type="text/css" href="../../_static/youtube.css" />
    <link rel="stylesheet" type="text/css" href="../../_static/related-links.css" />
    <link rel="stylesheet" type="text/css" href="../../_static/terminal-output.css" />
    <link rel="stylesheet" type="text/css" href="../../_static/config-options.css" />
    <link rel="stylesheet" type="text/css" href="../../_static/sphinx-design.min.css?v=95c83b7e" />
    <link rel="stylesheet" type="text/css" href="../../_static/styles/furo-extensions.css?v=8dab3a3b" />
    <link rel="stylesheet" type="text/css" href="../../_static/custom.css?v=66d86e9d" />
    <link rel="stylesheet" type="text/css" href="../../_static/header.css?v=84f70f09" />
    <link rel="stylesheet" type="text/css" href="../../_static/github_issue_links.css?v=af88fb93" />
    <link rel="stylesheet" type="text/css" href="../../_static/furo_colors.css?v=c4ccdb8a" />
    <link rel="stylesheet" type="text/css" href="../../_static/footer.css?v=bd05fc90" />
    <link rel="stylesheet" type="text/css" href="../../_static/cookie-banner.css?v=b74831ab" />
    
</head>
  <body>
    <header id="header" class="p-navigation">
  <script type="module" src="../../_static/js/bundle.js">
  </script>

  <!-- Google Tag Manager -->
  <script>
    (function(w, d, s, l, i) {
      w[l] = w[l] || [];
      w[l].push({
        'gtm.start': new Date().getTime(),
        event: 'gtm.js'
      });
      var f = d.getElementsByTagName(s)[0];
      var j = d.createElement(s);
      var dl = '';
      if (l != 'dataLayer') {
          dl = '&l=' + l;
      }
      j.async = true;
      j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
      f.parentNode.insertBefore(j, f);
    })(window, document, 'script', 'dataLayer', 'GTM-KNX3CJC');
  </script>
  
  <div class="p-navigation__nav" role="menubar">

    <ul class="p-navigation__links" role="menu">

      <li>
        <a class="p-logo" href="https://canonical.com/lxd" aria-current="page">
          <img src="../../_static/tag.png" alt="Logo" class="p-logo-image">
          <div class="p-logo-text p-heading--4">LXD
          </div>
        </a>
      </li>

      <li class="nav-ubuntu-com">
        <a href="https://canonical.com/lxd" class="p-navigation__link">canonical.com/lxd</a>
      </li>

      <li>
        <a href="#" class="p-navigation__link nav-more-links">More resources</a>
        <ul class="more-links-dropdown">

          <li>
            <a href="https://ubuntu.com/lxd/install/" class="p-navigation__sub-link p-dropdown__link">Install LXD</a>
          </li>

          <li>
            <a href="https://ubuntu.com/lxd/manage/" class="p-navigation__sub-link p-dropdown__link">Manage LXD</a>
          </li>

          <li>
            <a href="https://discourse.ubuntu.com/c/lxd/" class="p-navigation__sub-link p-dropdown__link">Forum</a>
          </li>

          <li>
            <a href="https://github.com/canonical/lxd" class="p-navigation__sub-link p-dropdown__link">GitHub</a>
          </li>

        </ul>
      </li>

    </ul>
  </div>
</header>
   
    <script>
      document.body.dataset.theme = localStorage.getItem("theme") || "auto";
    </script>
    

<svg xmlns="http://www.w3.org/2000/svg" style="display: none;">
  <symbol id="svg-toc" viewBox="0 0 24 24">
    <title>Contents</title>
    <svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 1024 1024">
      <path d="M408 442h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8zm-8 204c0 4.4 3.6 8 8 8h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56zm504-486H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 632H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM115.4 518.9L271.7 642c5.8 4.6 14.4.5 14.4-6.9V388.9c0-7.4-8.5-11.5-14.4-6.9L115.4 505.1a8.74 8.74 0 0 0 0 13.8z"/>
    </svg>
  </symbol>
  <symbol id="svg-menu" viewBox="0 0 24 24">
    <title>Menu</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-menu">
      <line x1="3" y1="12" x2="21" y2="12"></line>
      <line x1="3" y1="6" x2="21" y2="6"></line>
      <line x1="3" y1="18" x2="21" y2="18"></line>
    </svg>
  </symbol>
  <symbol id="svg-arrow-right" viewBox="0 0 24 24">
    <title>Expand</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-chevron-right">
      <polyline points="9 18 15 12 9 6"></polyline>
    </svg>
  </symbol>
  <symbol id="svg-sun" viewBox="0 0 24 24">
    <title>Light mode</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="feather-sun">
      <circle cx="12" cy="12" r="5"></circle>
      <line x1="12" y1="1" x2="12" y2="3"></line>
      <line x1="12" y1="21" x2="12" y2="23"></line>
      <line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
      <line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
      <line x1="1" y1="12" x2="3" y2="12"></line>
      <line x1="21" y1="12" x2="23" y2="12"></line>
      <line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
      <line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
    </svg>
  </symbol>
  <symbol id="svg-moon" viewBox="0 0 24 24">
    <title>Dark mode</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-moon">
      <path stroke="none" d="M0 0h24v24H0z" fill="none" />
      <path d="M12 3c.132 0 .263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z" />
    </svg>
  </symbol>
  <symbol id="svg-sun-with-moon" viewBox="0 0 24 24">
    <title>Auto light/dark, in light mode</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round"
      class="icon-custom-derived-from-feather-sun-and-tabler-moon">
      <path style="opacity: 50%" d="M 5.411 14.504 C 5.471 14.504 5.532 14.504 5.591 14.504 C 3.639 16.319 4.383 19.569 6.931 20.352 C 7.693 20.586 8.512 20.551 9.25 20.252 C 8.023 23.207 4.056 23.725 2.11 21.184 C 0.166 18.642 1.702 14.949 4.874 14.536 C 5.051 14.512 5.231 14.5 5.411 14.5 L 5.411 14.504 Z"/>
      <line x1="14.5" y1="3.25" x2="14.5" y2="1.25"/>
      <line x1="14.5" y1="15.85" x2="14.5" y2="17.85"/>
      <line x1="10.044" y1="5.094" x2="8.63" y2="3.68"/>
      <line x1="19" y1="14.05" x2="20.414" y2="15.464"/>
      <line x1="8.2" y1="9.55" x2="6.2" y2="9.55"/>
      <line x1="20.8" y1="9.55" x2="22.8" y2="9.55"/>
      <line x1="10.044" y1="14.006" x2="8.63" y2="15.42"/>
      <line x1="19" y1="5.05" x2="20.414" y2="3.636"/>
      <circle cx="14.5" cy="9.55" r="3.6"/>
    </svg>
  </symbol>
  <symbol id="svg-moon-with-sun" viewBox="0 0 24 24">
    <title>Auto light/dark, in dark mode</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round"
      class="icon-custom-derived-from-feather-sun-and-tabler-moon">
      <path d="M 8.282 7.007 C 8.385 7.007 8.494 7.007 8.595 7.007 C 5.18 10.184 6.481 15.869 10.942 17.24 C 12.275 17.648 13.706 17.589 15 17.066 C 12.851 22.236 5.91 23.143 2.505 18.696 C -0.897 14.249 1.791 7.786 7.342 7.063 C 7.652 7.021 7.965 7 8.282 7 L 8.282 7.007 Z"/>
      <line style="opacity: 50%" x1="18" y1="3.705" x2="18" y2="2.5"/>
      <line style="opacity: 50%" x1="18" y1="11.295" x2="18" y2="12.5"/>
      <line style="opacity: 50%" x1="15.316" y1="4.816" x2="14.464" y2="3.964"/>
      <line style="opacity: 50%" x1="20.711" y1="10.212" x2="21.563" y2="11.063"/>
      <line style="opacity: 50%" x1="14.205" y1="7.5" x2="13.001" y2="7.5"/>
      <line style="opacity: 50%" x1="21.795" y1="7.5" x2="23" y2="7.5"/>
      <line style="opacity: 50%" x1="15.316" y1="10.184" x2="14.464" y2="11.036"/>
      <line style="opacity: 50%" x1="20.711" y1="4.789" x2="21.563" y2="3.937"/>
      <circle style="opacity: 50%" cx="18" cy="7.5" r="2.169"/>
    </svg>
  </symbol>
  <symbol id="svg-pencil" viewBox="0 0 24 24">
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-pencil-code">
      <path d="M4 20h4l10.5 -10.5a2.828 2.828 0 1 0 -4 -4l-10.5 10.5v4" />
      <path d="M13.5 6.5l4 4" />
      <path d="M20 21l2 -2l-2 -2" />
      <path d="M17 17l-2 2l2 2" />
    </svg>
  </symbol>
  <symbol id="svg-eye" viewBox="0 0 24 24">
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-eye-code">
      <path stroke="none" d="M0 0h24v24H0z" fill="none" />
      <path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" />
      <path
        d="M11.11 17.958c-3.209 -.307 -5.91 -2.293 -8.11 -5.958c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6c-.21 .352 -.427 .688 -.647 1.008" />
      <path d="M20 21l2 -2l-2 -2" />
      <path d="M17 17l-2 2l2 2" />
    </svg>
  </symbol>
</svg>

<input type="checkbox" class="sidebar-toggle" name="__navigation" id="__navigation">
<input type="checkbox" class="sidebar-toggle" name="__toc" id="__toc">
<label class="overlay sidebar-overlay" for="__navigation">
  <div class="visually-hidden">Hide navigation sidebar</div>
</label>
<label class="overlay toc-overlay" for="__toc">
  <div class="visually-hidden">Hide table of contents sidebar</div>
</label>

<a class="skip-to-content muted-link" href="#furo-main-content">Skip to content</a>



<div class="page">
  <header class="mobile-header">
    <div class="header-left">
      <label class="nav-overlay-icon" for="__navigation">
        <div class="visually-hidden">Toggle site navigation sidebar</div>
        <i class="icon"><svg><use href="#svg-menu"></use></svg></i>
      </label>
    </div>
    <div class="header-center">
      <a href="../../"><div class="brand">LXD</div></a>
    </div>
    <div class="header-right">
      <div class="theme-toggle-container theme-toggle-header">
        <button class="theme-toggle">
          <div class="visually-hidden">Toggle Light / Dark / Auto color theme</div>
          <svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg>
          <svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg>
          <svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg>
          <svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg>
        </button>
      </div>
      <label class="toc-overlay-icon toc-header-icon" for="__toc">
        <div class="visually-hidden">Toggle table of contents sidebar</div>
        <i class="icon"><svg><use href="#svg-toc"></use></svg></i>
      </label>
    </div>
  </header>
  <aside class="sidebar-drawer">
    <div class="sidebar-container">
      
      <div class="sidebar-sticky"><a class="sidebar-brand" href="../../">
  
  
</a><form class="sidebar-search-container" method="get" action="../../search/" role="search">
    <input class="sidebar-search" placeholder="Search" name="q" aria-label="Search">
    <input type="submit" value="Go">
    <input type="hidden" name="check_keywords" value="yes">
    <input type="hidden" name="area" value="default">
  </form>
  <div id="searchbox"></div><div class="sidebar-scroll"><div class="sidebar-tree">
  <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../">LXD</a></li>
<li class="toctree-l1 has-children"><a class="reference internal" href="../../tutorial/">Tutorials</a><input class="toctree-checkbox" id="toctree-checkbox-1" name="toctree-checkbox-1" role="switch" type="checkbox"/><label for="toctree-checkbox-1"><div class="visually-hidden">Toggle navigation of Tutorials</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l2"><a class="reference internal" href="../../tutorial/first_steps/">First steps with LXD</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../tutorial/ui/">Getting started with the UI</a></li>
</ul>
</li>
<li class="toctree-l1 has-children"><a class="reference internal" href="../../howto/">How-to guides</a><input class="toctree-checkbox" id="toctree-checkbox-2" name="toctree-checkbox-2" role="switch" type="checkbox"/><label for="toctree-checkbox-2"><div class="visually-hidden">Toggle navigation of How-to guides</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../getting_started/">Getting started</a><input class="toctree-checkbox" id="toctree-checkbox-3" name="toctree-checkbox-3" role="switch" type="checkbox"/><label for="toctree-checkbox-3"><div class="visually-hidden">Toggle navigation of Getting started</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../installing/">Install LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/initialize/">Initialize LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/access_ui/">Access the UI</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/access_documentation/">Access documentation locally</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../operation/">LXD server and client</a><input class="toctree-checkbox" id="toctree-checkbox-4" name="toctree-checkbox-4" role="switch" type="checkbox"/><label for="toctree-checkbox-4"><div class="visually-hidden">Toggle navigation of LXD server and client</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../howto/server_expose/">Expose LXD to the network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/server_configure/">Configure the LXD server</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/oidc_auth0/">Configure OIDC authentication with Auth0</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/oidc_ory/">Configure OIDC authentication with Ory Hydra</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/oidc_keycloak/">Configure OIDC authentication with Keycloak</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/oidc_entra_id/">Configure OIDC authentication with Microsoft Entra ID</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../remotes/">Add remote servers</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/lxc_alias/">Add command aliases</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../instances/">Instances</a><input class="toctree-checkbox" id="toctree-checkbox-5" name="toctree-checkbox-5" role="switch" type="checkbox"/><label for="toctree-checkbox-5"><div class="visually-hidden">Toggle navigation of Instances</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_create/">Create instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_configure/">Configure instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_manage/">Manage instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../profiles/">Use profiles</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_troubleshoot/">Troubleshoot errors</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_ubuntu_pro_attach/">Auto attach Ubuntu Pro</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_access_files/">Access files</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_console/">Access the console</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../instance-exec/">Run commands</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../cloud-init/">Use cloud-init</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_routed_nic_vm/">Add a routed NIC to a VM</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_backup/">Back up instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_migrate/">Migrate instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/import_machines_to_instances/">Import existing machines</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/container_gpu_passthrough_with_docker/">Pass NVIDIA GPUs</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../images/">Images</a><input class="toctree-checkbox" id="toctree-checkbox-6" name="toctree-checkbox-6" role="switch" type="checkbox"/><label for="toctree-checkbox-6"><div class="visually-hidden">Toggle navigation of Images</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../howto/images_remote/">Use remote images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/images_manage/">Manage images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/images_profiles/">Associate profiles</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/images_copy/">Copy and import images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/images_create/">Create images</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../projects/">Projects</a><input class="toctree-checkbox" id="toctree-checkbox-7" name="toctree-checkbox-7" role="switch" type="checkbox"/><label for="toctree-checkbox-7"><div class="visually-hidden">Toggle navigation of Projects</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../howto/projects_create/">Create and configure</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/projects_work/">Work with projects</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/projects_confine/">Confine users to projects</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../storage/">Storage</a><input class="toctree-checkbox" id="toctree-checkbox-8" name="toctree-checkbox-8" role="switch" type="checkbox"/><label for="toctree-checkbox-8"><div class="visually-hidden">Toggle navigation of Storage</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../howto/storage_pools/">Manage pools</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/storage_volumes/">Manage volumes</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/storage_buckets/">Manage buckets</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/storage_create_instance/">Create an instance in a pool</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/storage_backup_volume/">Back up a volume</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/storage_move_volume/">Move or copy a volume</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../networks/">Networking</a><input class="toctree-checkbox" id="toctree-checkbox-9" name="toctree-checkbox-9" role="switch" type="checkbox"/><label for="toctree-checkbox-9"><div class="visually-hidden">Toggle navigation of Networking</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_create/">Create a network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_configure/">Configure a network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_bgp/">Configure as BGP server</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_acls/">Configure network ACLs</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_forwards/">Configure forwards</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_zones/">Configure network zones</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_bridge_firewalld/">Configure your firewall</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_bridge_resolved/">Integrate with resolved</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_ovn_setup/">Set up OVN</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_load_balancers/">Configure load balancers</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_ovn_peers/">Configure peer routing</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_ipam/">Display IPAM information</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../clustering/">Clustering</a><input class="toctree-checkbox" id="toctree-checkbox-10" name="toctree-checkbox-10" role="switch" type="checkbox"/><label for="toctree-checkbox-10"><div class="visually-hidden">Toggle navigation of Clustering</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_form/">Form a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_manage/">Manage a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_config_networks/">Configure networks</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_config_storage/">Configure storage</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_manage_instance/">Manage instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_groups/">Set up cluster groups</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_recover/">Recover a cluster</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../production-setup/">Production setup</a><input class="toctree-checkbox" id="toctree-checkbox-11" name="toctree-checkbox-11" role="switch" type="checkbox"/><label for="toctree-checkbox-11"><div class="visually-hidden">Toggle navigation of Production setup</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../howto/benchmark_performance/">Benchmark performance</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_increase_bandwidth/">Increase bandwidth</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../metrics/">Monitor metrics</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/logs_loki/">Send logs to Loki</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/grafana/">Set up Grafana</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../backup/">Back up a server</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/disaster_recovery/">Recover instances</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../howto/snap/">Manage the snap</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../howto/troubleshoot/">Troubleshooting</a><input class="toctree-checkbox" id="toctree-checkbox-12" name="toctree-checkbox-12" role="switch" type="checkbox"/><label for="toctree-checkbox-12"><div class="visually-hidden">Toggle navigation of Troubleshooting</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../howto/network_bridge_firewalld/">Configure your firewall</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/instances_troubleshoot/">Troubleshoot instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../howto/dqlite_troubleshoot/">Troubleshoot Dqlite</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../debugging/">Debug LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../faq/">Frequently asked</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../support/">Get support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../contributing/">Contribute to LXD</a></li>
</ul>
</li>
<li class="toctree-l1 current has-children"><a class="reference internal" href="../">Explanation</a><input checked="" class="toctree-checkbox" id="toctree-checkbox-13" name="toctree-checkbox-13" role="switch" type="checkbox"/><label for="toctree-checkbox-13"><div class="visually-hidden">Toggle navigation of Explanation</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../lxd_lxc/"><code class="docutils literal notranslate"><span class="pre">lxd</span></code> and <code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../instances/">Containers and VMs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../image-handling/">Local and remote images</a></li>
<li class="toctree-l2"><a class="reference internal" href="../storage/">Storage pools, volumes, and buckets</a></li>
<li class="toctree-l2"><a class="reference internal" href="../networks/">Networking setups</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../database/">The LXD Dqlite database</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lxc_show_info/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code> <code class="docutils literal notranslate"><span class="pre">show</span></code> and <code class="docutils literal notranslate"><span class="pre">info</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../authentication/">Remote API authentication</a></li>
<li class="toctree-l2 current current-page"><a class="current reference internal" href="#">Remote API authorization</a></li>
<li class="toctree-l2"><a class="reference internal" href="../projects/">Instances grouping with projects</a></li>
<li class="toctree-l2"><a class="reference internal" href="../clusters/">Clusters</a></li>
<li class="toctree-l2"><a class="reference internal" href="../performance_tuning/">Performance tuning</a></li>
<li class="toctree-l2"><a class="reference internal" href="../security/">Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="../bpf/">Privilege delegation using BPF Token</a></li>
</ul>
</li>
<li class="toctree-l1 has-children"><a class="reference internal" href="../../reference/">Reference</a><input class="toctree-checkbox" id="toctree-checkbox-14" name="toctree-checkbox-14" role="switch" type="checkbox"/><label for="toctree-checkbox-14"><div class="visually-hidden">Toggle navigation of Reference</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l2"><a class="reference internal" href="../../requirements/">Requirements</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../architectures/">Architectures</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/releases-snap/">Releases and snap</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/remote_image_servers/">Remote image servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/image_format/">Image format</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../guest-os-compatibility/">Guest OS compatibility</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../container-environment/">Container environment</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../config-options/">Configuration option index</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../server/">Server configuration</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../instance_config/">Instance configuration</a><input class="toctree-checkbox" id="toctree-checkbox-15" name="toctree-checkbox-15" role="switch" type="checkbox"/><label for="toctree-checkbox-15"><div class="visually-hidden">Toggle navigation of Instance configuration</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../reference/instance_properties/">Instance properties</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/instance_options/">Instance options</a></li>
<li class="toctree-l3 has-children"><a class="reference internal" href="../../reference/devices/">Devices</a><input class="toctree-checkbox" id="toctree-checkbox-16" name="toctree-checkbox-16" role="switch" type="checkbox"/><label for="toctree-checkbox-16"><div class="visually-hidden">Toggle navigation of Devices</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l4"><a class="reference internal" href="../../reference/standard_devices/">Standard devices</a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_none/">Type: <code class="docutils literal notranslate"><span class="pre">none</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_nic/">Type: <code class="docutils literal notranslate"><span class="pre">nic</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_disk/">Type: <code class="docutils literal notranslate"><span class="pre">disk</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_unix_char/">Type: <code class="docutils literal notranslate"><span class="pre">unix-char</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_unix_block/">Type: <code class="docutils literal notranslate"><span class="pre">unix-block</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_usb/">Type: <code class="docutils literal notranslate"><span class="pre">usb</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_gpu/">Type: <code class="docutils literal notranslate"><span class="pre">gpu</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_infiniband/">Type: <code class="docutils literal notranslate"><span class="pre">infiniband</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_proxy/">Type: <code class="docutils literal notranslate"><span class="pre">proxy</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_unix_hotplug/">Type: <code class="docutils literal notranslate"><span class="pre">unix-hotplug</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_tpm/">Type: <code class="docutils literal notranslate"><span class="pre">tpm</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_pci/">Type: <code class="docutils literal notranslate"><span class="pre">pci</span></code></a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/instance_units/">Units for storage and network limits</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/preseed_yaml_fields/">Preseed YAML file fields</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/projects/">Project configuration</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../reference/storage_drivers/">Storage drivers</a><input class="toctree-checkbox" id="toctree-checkbox-17" name="toctree-checkbox-17" role="switch" type="checkbox"/><label for="toctree-checkbox-17"><div class="visually-hidden">Toggle navigation of Storage drivers</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_btrfs/">Btrfs - <code class="docutils literal notranslate"><span class="pre">btrfs</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_cephfs/">CephFS - <code class="docutils literal notranslate"><span class="pre">cephfs</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_cephobject/">Ceph Object - <code class="docutils literal notranslate"><span class="pre">cephobject</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_ceph/">Ceph RBD - <code class="docutils literal notranslate"><span class="pre">ceph</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_powerflex/">Dell PowerFlex - <code class="docutils literal notranslate"><span class="pre">powerflex</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_pure/">Pure Storage - <code class="docutils literal notranslate"><span class="pre">pure</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_dir/">Directory - <code class="docutils literal notranslate"><span class="pre">dir</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_lvm/">LVM - <code class="docutils literal notranslate"><span class="pre">lvm</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_zfs/">ZFS - <code class="docutils literal notranslate"><span class="pre">zfs</span></code></a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../reference/networks/">Networks</a><input class="toctree-checkbox" id="toctree-checkbox-18" name="toctree-checkbox-18" role="switch" type="checkbox"/><label for="toctree-checkbox-18"><div class="visually-hidden">Toggle navigation of Networks</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../reference/network_bridge/">Bridge network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/network_ovn/">OVN network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/network_macvlan/">Macvlan network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/network_physical/">Physical network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/network_sriov/">SR-IOV network</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/cluster_member_config/">Cluster configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/server_settings/">Production server settings</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/provided_metrics/">Provided metrics</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/permissions/">Permissions</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../restapi_landing/">REST API</a><input class="toctree-checkbox" id="toctree-checkbox-19" name="toctree-checkbox-19" role="switch" type="checkbox"/><label for="toctree-checkbox-19"><div class="visually-hidden">Toggle navigation of REST API</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../rest-api/">Main API documentation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../api/">Main API specification</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../api-extensions/">Main API extensions</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../events/">Events API documentation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../dev-lxd/">Instance API</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../reference/manpages/">Man pages</a><input class="toctree-checkbox" id="toctree-checkbox-20" name="toctree-checkbox-20" role="switch" type="checkbox"/><label for="toctree-checkbox-20"><div class="visually-hidden">Toggle navigation of Man pages</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../reference/manpages/lxc/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../internals/">Internals</a><input class="toctree-checkbox" id="toctree-checkbox-21" name="toctree-checkbox-21" role="switch" type="checkbox"/><label for="toctree-checkbox-21"><div class="visually-hidden">Toggle navigation of Internals</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../environment/">Environment variables</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/uefi_variables/">UEFI variables for VMs</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../daemon-behavior/">Daemon behavior</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../syscall-interception/">System call interception</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../userns-idmap/">User namespace setup</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/ovn-internals/">OVN implementation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/vm_live_migration_internals/">VM live migration implementation</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference external" href="https://github.com/canonical/lxd">Project repository</a></li>
<li class="toctree-l2"><a class="reference external" href="https://images.lxd.canonical.com">Image server</a></li>
</ul>
</li>
</ul>

</div>
</div>

      </div>
      
    </div>
  </aside>
  <div class="main">
    <div class="content">
      <div class="article-container">
        <a href="#" class="back-to-top muted-link">
          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
            <path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12z"></path>
          </svg>
          <span>Back to top</span>
        </a>
        <div class="content-icon-container">
          <div class="view-this-page">
  <a class="muted-link" href="../../_sources/explanation/authorization.md.txt" title="View this page">
    <svg><use href="#svg-eye"></use></svg>
    <span class="visually-hidden">View this page</span>
  </a>
</div>
<div class="theme-toggle-container theme-toggle-content">
            <button class="theme-toggle">
              <div class="visually-hidden">Toggle Light / Dark / Auto color theme</div>
              <svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg>
              <svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg>
              <svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg>
              <svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg>
            </button>
          </div>
          <label class="toc-overlay-icon toc-content-icon" for="__toc">
            <div class="visually-hidden">Toggle table of contents sidebar</div>
            <i class="icon"><svg><use href="#svg-toc"></use></svg></i>
          </label>
        </div>
        <article role="main" id="furo-main-content">
          <section id="remote-api-authorization">
<span id="authorization"></span><h1>Remote API authorization<a class="headerlink" href="#remote-api-authorization" title="Link to this heading">¶</a></h1>
<p>When LXD is <a class="reference internal" href="../../howto/server_expose/#server-expose"><span class="std std-ref">exposed over the network</span></a> it is possible to restrict API access via two mechanisms:</p>
<ul class="simple">
<li><p><a class="reference internal" href="#restricted-tls-certs"><span class="std std-ref">Restricted TLS certificates</span></a></p></li>
<li><p><a class="reference internal" href="#fine-grained-authorization"><span class="std std-ref">Fine-grained authorization</span></a></p></li>
</ul>
<section id="restricted-tls-certificates">
<span id="restricted-tls-certs"></span><h2>Restricted TLS certificates<a class="headerlink" href="#restricted-tls-certificates" title="Link to this heading">¶</a></h2>
<p>It is possible to restrict a <a class="reference internal" href="../../authentication/#authentication-trusted-clients"><span class="std std-ref">TLS client</span></a> to one or multiple projects.
In this case, the client will also be prevented from performing global configuration changes or altering the configuration (limits, restrictions) of the projects it’s allowed access to.</p>
<p>To restrict access, use <a class="reference internal" href="../../reference/manpages/lxc/config/trust/edit/#lxc-config-trust-edit-md"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">lxc</span> <span class="pre">config</span> <span class="pre">trust</span> <span class="pre">edit</span> <span class="pre">&lt;fingerprint&gt;</span></code></span></a>.
Set the <code class="docutils literal notranslate"><span class="pre">restricted</span></code> key to <code class="docutils literal notranslate"><span class="pre">true</span></code> and specify a list of projects to restrict the client to.
If the list of projects is empty, the client will not be allowed access to any of them.</p>
</section>
<section id="fine-grained-authorization">
<span id="id1"></span><h2>Fine-grained authorization<a class="headerlink" href="#fine-grained-authorization" title="Link to this heading">¶</a></h2>
<p>It is possible to restrict <a class="reference internal" href="../../authentication/#authentication-openid"><span class="std std-ref">OIDC clients</span></a> and fine-grained TLS identities to granular actions on specific LXD resources.
For example, one could restrict a user to be able to view, but not edit, a single instance.</p>
<p>There are four key concepts that LXD uses to manage these fine-grained permissions:</p>
<ul class="simple">
<li><p><strong>Entitlements</strong>: An entitlement encapsulates an action that can be taken against a LXD API resource type.
Some entitlements might apply to many resource types, whereas other entitlements can only apply to a single resource type.
For example, the entitlement <code class="docutils literal notranslate"><span class="pre">can_view</span></code> is available for all resource types, but the entitlement <code class="docutils literal notranslate"><span class="pre">can_exec</span></code> is only available for LXD resources of type <code class="docutils literal notranslate"><span class="pre">instance</span></code>.</p></li>
<li><p><strong>Permissions</strong>: A permission is the application of an entitlement to a particular LXD resource.
For example, given the entitlement <code class="docutils literal notranslate"><span class="pre">can_exec</span></code> that is only defined for instances, a permission is the combination of <code class="docutils literal notranslate"><span class="pre">can_exec</span></code> and a single instance, as uniquely defined by its API URL (for example, <code class="docutils literal notranslate"><span class="pre">/1.0/instances/c1?project=foo</span></code>).</p></li>
<li><p><strong>Identities (users)</strong>: An identity is any authenticated party that makes requests to LXD, including TLS clients.
When an OIDC client adds a LXD server as a remote, the OIDC client is saved in LXD as an identity.
Permissions cannot be assigned to identities directly.</p></li>
<li><p><strong>Groups</strong>: A group is a collection of one or more identities.
Identities can belong to one or more groups.
Permissions can be assigned to groups.
TLS clients cannot currently be assigned to groups.</p></li>
</ul>
<section id="explore-permissions">
<span id="permissions"></span><h3>Explore permissions<a class="headerlink" href="#explore-permissions" title="Link to this heading">¶</a></h3>
<p>To discover available permissions that can be assigned to a group, or view permissions that are currently assigned, run the following command:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>lxc auth permission list --max-entitlements 0
</pre></div>
</div>
<p>The entity type column displays the LXD API resource type, this value is required when adding a permission to a group.</p>
<p>The URL column displays the URL of the LXD API resource.</p>
<p>The entitlements column displays all available entitlements for that entity type.
If any groups are already assigned permissions on the API resource at the displayed URL, they are listed alongside the entitlements that they have been granted.</p>
<p>Some useful permissions at a glance:</p>
<ul class="simple">
<li><p>The <code class="docutils literal notranslate"><span class="pre">admin</span></code> entitlement on entity type <code class="docutils literal notranslate"><span class="pre">server</span></code> gives full access to LXD.
This is equivalent to an unrestricted TLS client or Unix socket access.</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">project_manager</span></code> entitlement on entity type <code class="docutils literal notranslate"><span class="pre">server</span></code> grants access to create, edit, and delete projects, and all resources belonging to those projects.
However, this permission does not allow access to server configuration, storage pool configuration, or certificate/identity management.</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">operator</span></code> entitlement on entity type <code class="docutils literal notranslate"><span class="pre">project</span></code> grants access to create, edit, and delete all resources belonging to the project against which the permission is granted.
Members of a group with this permission will not be able to edit the project configuration itself.
This is equivalent to a restricted TLS client with access to the same project.</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">user</span></code> entitlement on entity type <code class="docutils literal notranslate"><span class="pre">instance</span></code> grants access to view an instance, pull/push files, get a console, and begin a terminal session.
Members of a group with this entitlement cannot edit the instance configuration.</p></li>
</ul>
<p>For a full list, see <a class="reference internal" href="../../reference/permissions/#permissions-reference"><span class="std std-ref">Permissions</span></a>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Due to a limitation in the LXD client, if <code class="docutils literal notranslate"><span class="pre">can_exec</span></code> is granted to a group for a particular instance, members of the group will not be able to start a terminal session unless <code class="docutils literal notranslate"><span class="pre">can_view_events</span></code> is additionally granted for the parent project of the instance.
We are working to resolve this.</p>
</div>
</section>
<section id="explore-identities">
<span id="identities"></span><h3>Explore identities<a class="headerlink" href="#explore-identities" title="Link to this heading">¶</a></h3>
<p>To discover available identities that can be assigned to a group, or view identities that are currently assigned, run the following command:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>lxc auth identity list
</pre></div>
</div>
<p>The authentication method column displays the method by which the client authenticates with LXD.</p>
<p>The type column displays the type of identity.
Identity types are a superset of TLS certificate types and additionally include OIDC clients.</p>
<p>The name column displays the name of the identity.
For TLS clients, this will be the name of the certificate.
For OIDC clients this will be the name of the client as given by the <abbr title="identity provider">IdP</abbr> (requested via the <a class="reference external" href="https://openid.net/specs/openid-connect-basic-1_0.html#Scopes">profile scope</a>).</p>
<p>The identifier column displays a unique identifier for the identity within that authentication method.
For TLS clients, this will be the certificate fingerprint.
For OIDC clients, this will be the email address of the client.</p>
<p>The groups column displays any groups that are currently assigned to the identity.
Groups cannot currently be assigned to TLS clients.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>OIDC clients will only be displayed in the list of identities once they have authenticated with LXD.</p>
</div>
</section>
<section id="manage-permissions">
<span id="id2"></span><h3>Manage permissions<a class="headerlink" href="#manage-permissions" title="Link to this heading">¶</a></h3>
<p>In LXD, identities cannot be granted permissions directly. Instead, identities are added to groups, and groups are granted permissions.
To create a group, run:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>lxc auth group create &lt;group_name&gt;
</pre></div>
</div>
<p>To add an identity to a group, run:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>lxc auth identity group add &lt;authentication_method&gt;/&lt;identifier&gt; &lt;group_name&gt;
</pre></div>
</div>
<p>For example, for OIDC clients:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>lxc auth identity group add oidc/&lt;email_address&gt; &lt;group_name&gt;
</pre></div>
</div>
<p>The identity is now a member of the group. To add permissions to the group, run:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>lxc auth group permission add &lt;group_name&gt; &lt;entity_type&gt; [&lt;entity_name&gt;] &lt;entitlement&gt; [&lt;key&gt;=&lt;value&gt;...]
</pre></div>
</div>
<p>Here are some examples:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">lxc</span> <span class="pre">auth</span> <span class="pre">group</span> <span class="pre">permission</span> <span class="pre">add</span> <span class="pre">administrator</span> <span class="pre">server</span> <span class="pre">admin</span></code> grants members of <code class="docutils literal notranslate"><span class="pre">administrator</span></code> the <code class="docutils literal notranslate"><span class="pre">admin</span></code> entitlement on <code class="docutils literal notranslate"><span class="pre">server</span></code>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">lxc</span> <span class="pre">auth</span> <span class="pre">group</span> <span class="pre">permission</span> <span class="pre">add</span> <span class="pre">junior-dev</span> <span class="pre">project</span> <span class="pre">sandbox</span> <span class="pre">operator</span></code> grants members of <code class="docutils literal notranslate"><span class="pre">junior-dev</span></code> the <code class="docutils literal notranslate"><span class="pre">operator</span></code> entitlement on project <code class="docutils literal notranslate"><span class="pre">sandbox</span></code>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">lxc</span> <span class="pre">auth</span> <span class="pre">group</span> <span class="pre">permission</span> <span class="pre">add</span> <span class="pre">my-group</span> <span class="pre">instance</span> <span class="pre">c1</span> <span class="pre">user</span> <span class="pre">project=default</span></code> grants members of <code class="docutils literal notranslate"><span class="pre">my-group</span></code> the <code class="docutils literal notranslate"><span class="pre">user</span></code> entitlement on instance <code class="docutils literal notranslate"><span class="pre">c1</span></code> in project <code class="docutils literal notranslate"><span class="pre">default</span></code>.</p></li>
</ul>
<p>Some entity types require more than one supplementary argument to uniquely specify the entity.
For example, entities of type <code class="docutils literal notranslate"><span class="pre">storage_volume</span></code> and <code class="docutils literal notranslate"><span class="pre">storage_bucket</span></code> require an additional <code class="docutils literal notranslate"><span class="pre">pool=&lt;storage_pool_name&gt;</span></code> argument.</p>
</section>
<section id="use-groups-defined-by-the-identity-provider">
<span id="identity-provider-groups"></span><h3>Use groups defined by the identity provider<a class="headerlink" href="#use-groups-defined-by-the-identity-provider" title="Link to this heading">¶</a></h3>
<p>It is common practice to manage users, roles, and groups centrally via an identity provider (IdP).
In LXD, identity provider groups allow groups that are defined by the IdP to be mapped to LXD groups.
When an OIDC client makes a request to LXD, any groups that can be extracted from the client’s identity token are mapped to LXD groups, giving the client the same effective permissions.</p>
<p>To configure IdP group mappings in LXD, first configure your IdP to add groups to identity and access tokens as a custom claim.
This configuration depends on your IdP.
In <a class="reference external" href="https://auth0.com/"><spellexception>Auth0</spellexception></a>, for example, you can add the “roles” that a user has as a custom claim via an <a class="reference external" href="https://community.auth0.com/t/how-to-add-roles-and-permissions-to-the-id-token-using-actions/84506">action</a>.
Alternatively, if <abbr title="role-based access control">RBAC</abbr> is enabled for the audience, a “permissions” claim can be added automatically.
In Keycloak, you can define a <a class="reference external" href="https://keycloak.discourse.group/t/anyway-to-include-user-groups-into-my-jwt-token/8715">mapper</a> to set Keycloak groups in the token.</p>
<p>Then configure LXD to extract this claim.
To do so, set the value of the <a class="configref reference internal" href="../../server/#server-oidc:oidc.groups.claim"><code class="docutils literal notranslate"><span class="pre">oidc.groups.claim</span></code></a> configuration key to the value of the field name of the custom claim:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>lxc config set oidc.groups.claim=&lt;claim_name&gt;
</pre></div>
</div>
<p>LXD will then expect the identity and access tokens to contain a claim with this name.
The value of the claim must be a JSON array containing a string value for each IdP group name.
If the group names are extracted successfully, LXD will be aware of the IdP groups for the duration of the request.</p>
<p>Next, configure a mapping between an IdP group and a LXD group as follows:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>lxc auth identity-provider-group create &lt;idp_group_name&gt;
lxc auth identity-provider-group group add &lt;idp_group_name&gt; &lt;lxd_group_name&gt;
</pre></div>
</div>
<p>IdP groups can be mapped to multiple LXD groups, and multiple IdP groups can be mapped to the same LXD group.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>LXD does not store the identity provider groups that are extracted from identity or access tokens.
This can obfuscate the true permissions of an identity.
For example, if an identity belongs to LXD group “foo”, an administrator can view the permissions of group “foo” to determine the level of access of the identity.
However, if identity provider group mappings are configured, direct group membership alone does not determine their level of access.
The command <code class="docutils literal notranslate"><span class="pre">lxc</span> <span class="pre">auth</span> <span class="pre">identity</span> <span class="pre">info</span></code> can be run by any identity to view a full list of their own effective groups and permissions as granted directly or indirectly via IdP groups.</p>
</div>
</section>
</section>
</section>

        </article>
      </div>
      <footer>
        
   

<div class="related-pages">
  
  
      
  
  
  <a class="next-page" href="../projects/">
        <div class="page-info">
          <div class="context">
            <span>Next</span>
          </div>
          <div class="title">Instances grouping with projects</div>
        </div>
        <svg class="furo-related-icon"><use href="#svg-arrow-right"></use></svg>
      </a>
    <a class="prev-page" href="../../authentication/">
        <svg class="furo-related-icon"><use href="#svg-arrow-right"></use></svg>
        <div class="page-info">
          <div class="context">
            <span>Previous</span>
          </div>
          
            <div class="title">Remote API authentication</div>
          
        </div>
      </a>
</div>
<div class="bottom-of-page">
  <div class="left-details">
    <div class="copyright">
        Copyright &#169; 2014-2025 LXD contributors
    </div>

    <div class="last-updated">
      Last updated on Aug 12, 2025</div>
    <div class="show-source">
      <a class="muted-link" href="../../_sources/explanation/authorization.md.txt"
         rel="nofollow">Show source</a>
    </div>
  </div>
  <div>
    
        
        
          
              <a class="display-contributors">Thanks to the 3 contributors!</a>
          
          <div id="overlay"></div>
          <ul class="all-contributors">
              
                  <li>
                      <a href="https://github.com/canonical/lxd/commit/3938a077a39eeb6c341bf8a0a472b0f5eb6c20ba" class="contributor">Mark Laing</a>
                  </li>
              
                  <li>
                      <a href="https://github.com/canonical/lxd/commit/04ab1ce602e06d802c0480f40fcb0cd8b75d7a3a" class="contributor">Minae Lee</a>
                  </li>
              
                  <li>
                      <a href="https://github.com/canonical/lxd/commit/494ebf8f1e4e2682e64a3b685256f7f8bbce688c" class="contributor">Ruth Fuchss</a>
                  </li>
              
          </ul>
        
    
  </div>
  <div class="right-details">

    

    
    <div class="ask-discourse">
      <a class="muted-link" href="https://discourse.ubuntu.com/c/lxd/">Ask a question on Discourse</a>
    </div>
    

    

    
    <div class="ask-matrix">
      <a class="muted-link" href="https://matrix.to/#/#documentation:ubuntu.com">Ask a question on Matrix</a>
    </div>
    

    

    
    <div class="issue-github">
      <a class="muted-link" href="https://github.com/canonical/lxd/issues/new?title=doc%3A+ADD+A+TITLE&body=DESCRIBE+THE+ISSUE%0A%0A---%0ADocument: explanation/authorization.md">Open a GitHub issue for this page</a>
    </div>
    

    <div class="edit-github">
      <a class="muted-link" href="https://github.com/canonical/lxd/edit/main/doc/explanation/authorization.md">Edit this page on GitHub</a>
    </div>
    


    </div>
  </div>
</div>

      </footer>
    </div>
    <aside class="toc-drawer">
      
<div class="toc-sticky toc-scroll">
   
    <div class="toc-title-container">
      <span class="toc-title">
       Contents
      </span>
    </div>
    <div class="toc-tree-container">
      <div class="toc-tree">
        <ul>
<li><a class="reference internal" href="#">Remote API authorization</a><ul>
<li><a class="reference internal" href="#restricted-tls-certificates">Restricted TLS certificates</a></li>
<li><a class="reference internal" href="#fine-grained-authorization">Fine-grained authorization</a><ul>
<li><a class="reference internal" href="#explore-permissions">Explore permissions</a></li>
<li><a class="reference internal" href="#explore-identities">Explore identities</a></li>
<li><a class="reference internal" href="#manage-permissions">Manage permissions</a></li>
<li><a class="reference internal" href="#use-groups-defined-by-the-identity-provider">Use groups defined by the identity provider</a></li>
</ul>
</li>
</ul>
</li>
</ul>

      </div>
    </div>
   
    
    <div class="relatedlinks-title-container">
      <span class="relatedlinks-title">
       Related links
      </span>
    </div>
    <div class="relatedlinks-container">
      <div class="relatedlinks">
        
          <ul><li><a href="https://discourse.ubuntu.com/t/41516" target="_blank">Identity&#32;and&#32;Access&#32;Management&#32;for&#32;LXD</a></li></ul>
        
        
      </div>
    </div>
    
  </div>

    </aside>
  </div>
</div><script src="../../_static/jquery.js?v=5d32c60e"></script>
    <script src="../../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
    <script src="../../_static/documentation_options.js?v=187304be"></script>
    <script src="../../_static/doctools.js?v=9bcbadda"></script>
    <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
    <script src="../../_static/scripts/furo.js?v=46bd48cc"></script>
    <script src="../../_static/clipboard.min.js?v=a7894cd8"></script>
    <script src="../../_static/copybutton.js?v=f281be69"></script>
    <script src="../../_static/config-options.js"></script>
    <script src="../../_static/design-tabs.js?v=f930bc37"></script>
    <script src="../../_static/header-nav.js?v=e117ad08"></script>
    <script src="../../_static/footer.js?v=5acea47a"></script>
    <script src="../../_static/github_issue_links.js?v=32bb732f"></script>
    <script src="../../_static/js/bundle.js?v=a4d88309"></script>
    
<script>
  const github_url = "https://github.com/canonical/lxd";
</script>
</body>
</html>