---
title: "IAM for Logs Data Platform - Presentation and FAQ"
description: "A presentation on how IAM works with Logs Data Platform"
url: https://docs.ovhcloud.com/pl/guides/manage-and-operate/observability/logs-data-platform/iam-presentation-faq
lang: pl
lastUpdated: 2025-10-16
---
# IAM for Logs Data Platform - Presentation and FAQ
:::info
IAM for Logs Data Platform will be available starting **17th September 2025**.
The content of this documentation will be valid from this date.
:::
## Objective
This guide explains the integration of Logs Data Platform with OVHcloud IAM.
## Requirements
- An [OVHcloud account](/pl/guides/account-and-service-management/account-information/ovhcloud-account-creation.md)
- Access to the OVHcloud Control Panel
- A [Logs Data Platform service](https://www.ovhcloud.com/en-gb/identity-security-operations/logs-data-platform/)
## Instructions
### How is IAM useful for Logs Data Platform?
Enabling OVHcloud IAM on Logs Data Platform delegates authentication, access management, and permissions to OVHcloud IAM. There are several benefits to using IAM:
- [All OVHcloud identities](/pl/guides/manage-and-operate/iam/identities-management.md) can connect using their credentials to all Web UIs (Graylog/OpenSearch Dashboards). The connected account will be the identity chosen for UI access. **You will no longer need the Logs Data Platform username**. IAM enables also the use of [two-factor authentication methods](/pl/guides/account-and-service-management/account-information/secure-ovhcloud-account-with-2fa.md) and [Federation Services](/pl/guides/account-and-service-management/account-information/ovhcloud-account-connect-saml-adfs.md).
- API tokens can be both [service account tokens](/pl/guides/account-and-service-management/account-information/authenticate-api-with-service-account.md) and Personal Access Tokens handled directly with OVHcloud IAM APIs.
- [Resource groups](/pl/guides/account-and-service-management/account-information/iam-policies-api.md) allow you to share Logs Data Platform sub resources in a more cohesive way.
- [IAM Policies](/pl/guides/account-and-service-management/account-information/iam-policy-ui.md) unlock advanced use cases which are not possible with permissions, thanks to fine-grained actions.
### How to enable OVHcloud IAM for my existing account in Logs Data Platform?
If you have an existing service, follow these steps:
- Replace all your **Roles** and permissions with [appropriate policies](/pl/guides/manage-and-operate/observability/logs-data-platform/getting-started-roles-permission.md).
- Ensure you have no **Roles** declared in your service.
- Ensure your service is not in any **Roles**.
- Ensure you don't have any [tokens](/pl/guides/manage-and-operate/observability/logs-data-platform/tokens.md).
- Use the dedicated Enable OVHcloud IAM in the **Roles** sections of the Logs Data Platform Control Panel.
Once IAM is activated, a new **IAM Policies** section will replace the previous **Roles** section.
### How to enable OVHcloud IAM on a new service?
When a new service is created, you can directly opt-in into using IAM directly and use [IAM policies](/pl/guides/account-and-service-management/account-information/iam-policy-ui.md) to handle access rights.
Once IAM has been activated, you can freely use any [OVHcloud identities](/pl/guides/manage-and-operate/iam/identities-management.md) to interact with Logs Data Platform.
### How to connect to Graylog with IAM?
When connecting to Graylog, you can choose between the legacy username/password system (for services without IAM activated) or any OVHcloud IAM providers (EU, CA, or US). Clicking the corresponding _Log in_ button redirects you to the appropriate OVHcloud IAM provider to complete authentication.
| | | |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 
| 
| 
|
### How to connect to OpenSearch Dashboards with IAM?
When connecting to OpenSearch Dashboards, select the provider linked to your OVHcloud service. The _Log in with OVHcloud IAM_ button redirects you to your provider to complete authentication.
Once completed, you will be redirected back to the OpenSearch Dashboard instance fully authenticated.
### How to connect to Grafana with IAM?
- If your Identity Provider is the OVHcloud IAM, you can select the option **Forward OAuth identity** to forward the identity connected to the Logs Data Platform.
- If you use another authentication provider, you can forge an _Authorization_ header with an IAM compatible token. See the next section to see how to generate that kind of token. The content of the header must be `Bearer: `. Replace `` with the value of your token.
### How to interact with Logs Data Platform backends API?
With IAM enabled, [tokens](/pl/guides/manage-and-operate/observability/logs-data-platform/tokens.md) are replaced by API keys (Bearer authentication scheme). These keys can be tokens from [service accounts](/pl/guides/account-and-service-management/account-information/authenticate-api-with-service-account.md) or Personal Access Tokens. Use the OVHcloud API to generate these tokens.
🇪🇺EU▾
[POST/me/identity/user/{user}/token](https://eu.api.ovh.com/console/?section=/me&branch=v1#post-/me/identity/user/-user-/token)
For example if you are on gra1 cluster, curl can use these tokens in the following way:
```bash
ldp@laptop curl -H 'content-type: application/json' --oauth2-bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c -XGET 'https://gra1.logs.ovh.com:9200/_cluster/health?pretty'
```
### How to create indices or aliases on Logs Data Platform backend APIs?
First, ensure the identity you want to use has permission to create indices and aliases for the service. If authorized, Personal Access Tokens or service account OAuth2 clients can perform creation/deletion operations.
:::warning
The previous prefix for indices and aliases was the username. Now the prefix is the **service name**. You will find the service name on the homepage of the Logs Data Platform control panel. It is also the suffix of a Logs Data Platform service URN. For example:
urn:v1:eu:resource:ldp:**ldp-ab-56945**
:::
The service is tied to a unique Logs Data Platform so you will be allowed to create items only on this cluster. For example if ldp-ab-56945 is on gra1:
```bash
ldp@laptop curl -k -v -H 'content-type: application/json' --oauth2-bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c -XPOST 'https://gra1.logs.ovh.com:9200/ldp-ab-56945-i-my-new-index/_doc' -d '{ "user" : "ldp" }'
```
Similarly aliases created through OpenSearch APIs must be prefixed by one of your allowed services.
## Go further
- [Introduction to Logs Data Platform](/pl/guides/manage-and-operate/observability/logs-data-platform/introduction.md)
- [IAM for Logs Data Platform - Presentation and FAQ](/pl/guides/manage-and-operate/observability/logs-data-platform/overview.md)
- [Our documentation](/pl/guides/manage-and-operate/observability/logs-data-platform/overview.md)
- Join our [community of users](https://community.ovhcloud.com/community/en)
- Create an account: [Try it!](https://www.ovhcloud.com/en-gb/identity-security-operations/logs-data-platform/)