
Scaleway BYOC Setup

This guide walks you through connecting your own Scaleway account to Mengi Cloud as a BYOC (“Bring Your Own Cloud”) credential. When you use BYOC, Mengi provisions and manages a Kubernetes cluster (Scaleway Kapsule) inside your own Scaleway project, billed directly by Scaleway. Mengi only charges a management fee instead of the full infrastructure cost.

You will:

  1. Create a dedicated Project in the Scaleway console.
  2. Create an IAM Application (a non-human identity for Mengi).
  3. Attach a Policy that grants the application the permissions Mengi needs, scoped to that one project.
  4. Generate an API key (access key + secret key) for the application.
  5. Store the credential in Mengi Cloud and create a cluster.

The whole process is done in the Scaleway web console — no CLI required.


What Mengi creates in your account

When you provision a BYOC cluster, Mengi (via Pulumi) creates the following in your chosen project:

Resource | Scaleway product
A Private Network | VPC
A Kapsule managed Kubernetes cluster | Kubernetes
A node pool (with optional autoscaling) | Kubernetes / Instances

The cluster’s nodes, load balancers and block volumes are created and billed in your project. You can delete everything at any time from the Mengi dashboard (which runs a clean pulumi destroy) or from the Scaleway console.


Required IAM permission sets

The API key Mengi uses needs the following permission sets, scoped to the single project you dedicate to Mengi:

Permission set | Why it’s needed
KubernetesFullAccess | Create and manage the Kapsule cluster and node pools
PrivateNetworksFullAccess | Create the Private Network that Kapsule requires
VPCFullAccess | Manage the VPC the Private Network lives in
InstancesFullAccess | Manage the worker-node Instances that back the pool
ObjectStorageFullAccess | Object Storage used for cluster backups/artifacts

Least privilege: Because the policy is scoped to one project, this API key can only touch resources in the project you dedicate to Mengi — not the rest of your Scaleway organization. You do not need to grant any Organization-level (IAM/billing/project-management) permissions for BYOC; the project already exists, so Mengi never needs to create projects.


Prerequisites

  • A Scaleway account with a verified payment method (Kapsule clusters incur Scaleway charges in your account).
  • Permission in your Scaleway organization to create Projects, IAM Applications, Policies and API keys (Owner or an IAM administrator).

Part 1 — Scaleway console setup

1. Create a dedicated Project

A separate project keeps Mengi’s resources isolated and makes the API key easy to scope and revoke.

  1. Go to the Scaleway console.
  2. Open the Organization Projects tab and click Create Project.
  3. Name it e.g. mengi-byoc and (optionally) add a description such as “Project for connecting this Scaleway account to Mengi Cloud as a BYOC credential”.
  4. Click Create Project.
  5. Copy the Project ID (a UUID like 88336c3f-089a-431e-9d59-a60cb65efa3c) shown next to the project name — you’ll paste it into Mengi later.

2. Create an IAM Application

An Application is a non-human identity that the API key belongs to.

  1. Go to IAM → Applications → Create application.
  2. Name it e.g. mengi-cloud-byoc, with a description like “Mengi Cloud BYOC provisioner”.
  3. Click Create application. (Leave the optional policy empty — you’ll create one in the next step.)

3. Create a Policy

The policy connects the application to the permission sets, scoped to your project.

  1. Go to IAM → Policies → Create policy.

  2. Name it e.g. mengi-cloud-byoc-kapsule.

  3. Under Select a principal, choose Application and pick mengi-cloud-byoc.

  4. Click Add rules.

  5. For the rule Scope, choose Access to resources and select only your mengi-byoc project from the dropdown. Click Validate.

  6. Under Permission sets, select each of the five sets below (they live under different product categories in the left-hand list):

    Category | Permission set
    Compute | InstancesFullAccess
    Containers | KubernetesFullAccess
    Storage | ObjectStorageFullAccess
    Network | PrivateNetworksFullAccess
    Network | VPCFullAccess

  7. Click Validate, then Create policy.

4. Generate an API key

  1. Go to IAM → Applications → mengi-cloud-byoc → API keys tab.
  2. Click Generate an API key.
  3. (Optional) Add a description like “Mengi Cloud BYOC API key”.
  4. Object Storage preferred Project: choose Yes, set up preferred Project and select your mengi-byoc project. (This makes Object Storage calls default to the right project.)
  5. Click Generate API key.
  6. Copy both values now — the Secret Key is shown only once:
    • Access Key ID (e.g. SCWB5WJK8V1XJXW1AKKZ)
    • Secret Key (a UUID, e.g. ef73c80b-…)

You now have the three values Mengi needs:

Value | Where it came from
Access Key | API key — Access Key ID
Secret Key | API key — Secret Key (shown once)
Project ID | The mengi-byoc project’s ID (Step 1.5)

Part 2 — Store the credential in Mengi Cloud

  1. Sign in to the Mengi Cloud dashboard and open Cloud Credentials from the left-hand menu.
  2. Click Add Credential.
  3. Fill in the form:
    • Credential Name — any label, e.g. scaleway-byoc.
    • Cloud Provider — select Scaleway.
    • Access Key — paste your Access Key ID.
    • Secret Key — paste your Secret Key.
    • Project ID — paste your mengi-byoc Project ID (UUID).
  4. Click Add Credential.

The credential is stored encrypted and starts in Pending Validation. Mengi validates it against the Scaleway API; once the permissions check out, the status turns to Ready. If it shows Invalid, re-check that all five permission sets are attached and that the policy is scoped to the project whose ID you entered.
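
The re-check described above can be scripted. This is an added example, not Mengi's or Scaleway's code: it audits a policy's rules for the five permission sets and the single-project scope. It assumes the rules were exported as JSON using the field names of Scaleway IAM rule objects (`id`, `permission_set_names`, `project_ids`, `organization_id`); the sample rules and rule IDs are constructed.

```python
import json

# Permission sets from the "Required IAM permission sets" table in this guide.
REQUIRED_SETS = {
    "KubernetesFullAccess", "PrivateNetworksFullAccess", "VPCFullAccess",
    "InstancesFullAccess", "ObjectStorageFullAccess",
}

# Assumption: each rule is a dict with `id`, `permission_set_names`,
# `project_ids` and `organization_id`, as in Scaleway IAM rule listings.
def audit_policy_rules(rules, project_id):
    """Return a list of findings; an empty list means the rules match the guide."""
    findings, granted = [], set()
    for rule in rules:
        rid = rule.get("id", "<no id>")
        sets = set(rule.get("permission_set_names") or [])
        projects = set(rule.get("project_ids") or [])
        if rule.get("organization_id"):
            findings.append(f"{rid}: scoped to the whole organization")
        for other in sorted(projects - {project_id}):
            findings.append(f"{rid}: also grants access to project {other}")
        for name in sorted(sets - REQUIRED_SETS):
            findings.append(f"{rid}: unexpected permission set {name}")
        if project_id in projects:
            granted |= sets  # only sets granted on the dedicated project count
    for name in sorted(REQUIRED_SETS - granted):
        findings.append(f"missing on project {project_id}: {name}")
    return findings

# Constructed sample rules (not real output); the rule IDs are made up.
PROJECT_ID = "88336c3f-089a-431e-9d59-a60cb65efa3c"  # example UUID from Step 1
GOOD_RULES = json.loads("""[
  {"id": "rule-1", "project_ids": ["88336c3f-089a-431e-9d59-a60cb65efa3c"],
   "organization_id": null,
   "permission_set_names": ["InstancesFullAccess", "KubernetesFullAccess",
     "ObjectStorageFullAccess", "PrivateNetworksFullAccess", "VPCFullAccess"]}
]""")
BAD_RULES = json.loads("""[
  {"id": "rule-1", "project_ids": ["88336c3f-089a-431e-9d59-a60cb65efa3c"],
   "organization_id": null,
   "permission_set_names": ["InstancesFullAccess", "KubernetesFullAccess"]},
  {"id": "rule-2", "project_ids": null,
   "organization_id": "00000000-0000-0000-0000-000000000000",
   "permission_set_names": ["IAMManager"]}
]""")

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit_policy_rules(rules, PROJECT_ID) or "matches the guide")
```

A non-empty result names each deviation: a missing permission set explains an Invalid credential, while an extra project, an organization-wide rule or an unexpected permission set means the key can reach further than this guide intends.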


Part 3 — Create a BYOC cluster

  1. Start a new cluster/deployment in the Mengi dashboard.
  2. Choose Scaleway as the provider and select a region: fr-par (Paris), nl-ams (Amsterdam), or pl-waw (Warsaw).
  3. Enable Use my own cloud account (BYOC) and select the scaleway-byoc credential.
  4. Pick a tier (Testing or Production) and create the cluster.

Mengi provisions the Private Network, Kapsule control plane and node pool in your project. The cluster moves through pending → provisioning → running. Deleting it from Mengi tears the infrastructure back down in your account.

BYOC is not available on the Shared tier — shared clusters run on Mengi’s own infrastructure.


Rotating the API key

  1. In the Scaleway console, generate a new API key for the mengi-cloud-byoc application (Part 1, Step 4).
  2. In Mengi, edit the scaleway-byoc credential and paste the new Access Key and Secret Key, then re-validate.
  3. Once the new key is Ready, delete the old API key in the Scaleway console.

Revoking access

To cut Mengi off entirely, delete the API key (or the whole mengi-cloud-byoc application) in the Scaleway console. Delete any running BYOC clusters from the Mengi dashboard first so the infrastructure is cleaned up — once the key is gone, Mengi can no longer tear those resources down for you.


Security notes

  • The Secret Key is shown only once at creation — store it securely and never commit it to version control.
  • Keep the policy scoped to a single dedicated project so the key can never touch the rest of your Scaleway organization.
  • Mengi stores BYOC credentials encrypted (in OpenBao), not in plaintext.
  • Rotate the API key periodically.