# Open Telekom Cloud (OTC) or BYO-TCloud (Bring Your Own TCloud Account)

Elestio supports **Open Telekom Cloud (OTC)** as a Bring Your Own Cloud (BYO-TCloud) provider. This allows you to deploy and manage services directly on your own OTC infrastructure while Elestio handles automation, provisioning, monitoring, and operations.

This guide explains how to prepare your OTC account and connect it to Elestio.

---

##### What You Will Need

Before starting, make sure you have the following credentials:

<table id="bkmrk-credential-descripti"><thead><tr><th class="align-center">Credential</th><th class="align-center">Description</th><th class="align-center">Example</th></tr></thead><tbody><tr><td class="align-center">Access Key (AK)</td><td class="align-center">OTC IAM user access key</td><td class="align-center"><code>JDIXXXXXXXXXXXXXXXXXXX</code></td></tr><tr><td class="align-center">Secret Key (SK)</td><td class="align-center">OTC IAM user secret key</td><td class="align-center"><code>wJalrXUtnFEMI...</code></td></tr><tr><td class="align-center">Domain Name</td><td class="align-center">OTC account domain identifier</td><td class="align-center"><code>OTC00000000001</code></td></tr></tbody></table>

> **Where to find Domain Name:**  
> Log in to the OTC Console → click your account name (top-right) → open **My Account / Account Info**. The domain name is listed there and typically starts with `OTC00`.

---

##### Step 1: Create a Dedicated IAM User

We strongly recommend creating a dedicated IAM user for Elestio instead of using root credentials.

1. Log in to the OTC Console: **[https://console.otc.t-systems.com](https://console.otc.t-systems.com/)**
2. Go to **IAM (Identity and Access Management)**
3. Open **Users** from the sidebar
4. Click **Create User**
5. Fill in:
    - Username: `elestio-service` (or any preferred name)
    - Access Type: **Programmatic access**
    - Password: Not required
6. Click **Next → Create**
7. Copy or download:
    - Access Key (AK)
    - Secret Key (SK)

> ⚠️ The Secret Key is shown only once. Store it securely.

---

##### Step 2: Assign Required IAM Permissions

Elestio requires permissions to provision and manage cloud infrastructure.

Go to:  
**IAM → User Groups → Create Group (or use existing group)**  
Then assign the following policies with scope:

> **Scope must be: All resources \[Existing and future projects\]**

---

#### Required Policies / Scope

##### 1. ECS Admin

Provides full control over Elastic Cloud Servers.

Used for:

- Creating and deleting VMs
- Managing server lifecycle
- Keypair management for SSH access

---

##### 2. ECS FullAccess

Extends ECS Admin with deeper instance operations.

Used for:

- Reboot, power control, and resizing
- Instance state management APIs

---

##### 3. EVS FullAccess

Provides full access to Elastic Volume Service (block storage).

Used for:

- Creating and attaching root volumes
- Managing snapshots and backups
- Expanding and deleting storage volumes

---

##### 4. VPC Administrator

Provides full network management permissions.

Used for:

- VPC and subnet creation
- Security group configuration
- Elastic IP (EIP) management
- Firewall rule automation

---

##### 5. KMS CMKReadOnlyAccess

Read-only access to Key Management Service (KMS).

Used for:

- Fetching `evs/default` encryption key
- Encrypting root volumes at creation time

> ⚠️ Ensure the `evs/default` key exists in: OTC Console → DEW → Key Management Service

If missing, create a key with the alias: `evs/default`

---

##### 6. DNS Administrator

Provides full control over DNS and reverse DNS (PTR) records.

Used for:

- Automatic PTR record configuration
- Email deliverability support
- SSL validation compatibility

---

##### Step 3: Create or Retrieve Access Keys

If you didn’t save credentials during user creation:

1. Go to **IAM → Users**
2. Select your `elestio-service` user
3. Open **Security Credentials**
4. Click **Create Access Key**
5. Copy:
    - Access Key (AK)
    - Secret Key (SK)

> ⚠️ Secret Key cannot be retrieved again after creation.

---

##### Step 4: Find Your OTC Domain Name

1. Log in to OTC Console
2. Click your account name (top-right)
3. Open **My Credentials / Account Info**
4. Copy the **Domain Name**

Example:

```
OTC00000000001
```

---

##### Step 5: Connect OTC to Elestio

1. Log in to your Elestio dashboard: **[https://dash.elest.io](https://dash.elest.io)**
2. Select the service that you want to deploy.
3. Go to **Cloud Provider**
4. Select **BYO-TCloud** **Open Telekom Cloud (OTC)**
5. Enter:
    - Access Key (AK)
    - Secret Key (SK)
    - Domain Name
6. Click **Verify Config**

[![image.png](https://docs.elest.io/uploads/images/gallery/2026-06/scaled-1680-/image.png)](https://docs.elest.io/uploads/images/gallery/2026-06/image.png)

Elestio will validate your credentials and permissions automatically.

---

#### Troubleshooting

##### Invalid credentials

- Ensure there are no extra spaces in the AK/SK
- Verify that the Domain Name matches the OTC console
- Confirm that the IAM user is active

---

##### Missing permissions

- Ensure all 6 policies are assigned
- Check scope:  
    **All resources \[Existing and future projects\]**

---

##### No OTC projects found

- Ensure at least one region project is enabled (e.g., eu-de or eu-nl)
- Contact OTC support if missing

---

##### Missing `evs/default` key

- Go to DEW → Key Management Service
- Create a key with alias: `evs/default`

---

##### Existing services are inaccessible after the update

- Ensure IAM user has access to all regions
- Verify region mapping for existing resources
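
The checks from the *Invalid credentials* and *Missing permissions* items above can be run locally before clicking **Verify Config**. This is an added example, not Elestio or OTC code; the function names, the `(policy, scope)` input shape, and the sample values are assumptions made for illustration.

```python
import re

# The six policies this guide lists under "Required Policies / Scope".
REQUIRED_POLICIES = {
    "ECS Admin", "ECS FullAccess", "EVS FullAccess",
    "VPC Administrator", "KMS CMKReadOnlyAccess", "DNS Administrator",
}
REQUIRED_SCOPE = "All resources [Existing and future projects]"

def check_credentials(ak, sk, domain):
    """Return problems with the pasted values; never echoes the values."""
    problems = []
    for name, value in (("Access Key", ak), ("Secret Key", sk), ("Domain Name", domain)):
        if not value:
            problems.append(f"{name} is empty")
        # \s also matches tabs, newlines and U+00A0 picked up by copy/paste.
        elif re.search(r"\s", value):
            problems.append(f"{name} contains whitespace")
    # The guide says the domain name *typically* starts with OTC00: warn only.
    if domain and not domain.strip().startswith("OTC00"):
        problems.append("Domain Name does not start with OTC00 (check the console)")
    return problems

def check_policies(assignments):
    """assignments: (policy, scope) pairs transcribed from the IAM group page.
    This input shape is an assumption of the example, not an OTC export format."""
    scopes = {}
    for policy, scope in assignments:
        scopes.setdefault(policy, set()).add(scope)
    problems = []
    for policy in sorted(REQUIRED_POLICIES):
        if policy not in scopes:
            problems.append(f"missing policy: {policy}")
        elif REQUIRED_SCOPE not in scopes[policy]:
            problems.append(f"wrong scope for {policy}: {sorted(scopes[policy])}")
    # Anything beyond the six is more privilege than the guide asks for.
    for policy in sorted(set(scopes) - REQUIRED_POLICIES):
        problems.append(f"not required by the guide: {policy}")
    return problems

# Constructed sample input: placeholder names and values only.
SAMPLE_ASSIGNMENTS = [(p, REQUIRED_SCOPE) for p in
                      ("ECS Admin", "ECS FullAccess", "VPC Administrator", "DNS Administrator")]
SAMPLE_ASSIGNMENTS += [("EVS FullAccess", "eu-de"),               # one project only
                       ("Example-Extra-Policy", REQUIRED_SCOPE)]  # constructed name

if __name__ == "__main__":
    issues = check_credentials("JDIXXXXXXXXXXXXXXXXXXX ", "EXAMPLE-SK\n", "OTC00000000001")
    print("\n".join(issues + check_policies(SAMPLE_ASSIGNMENTS)))
```

The messages name the field or policy at fault but never include the key material, so the output is safe to paste into a support ticket.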

---

##### Summary

<table id="bkmrk-step-action-1-create" style="width: 45.9524%; height: 177.357px;"><thead><tr style="height: 29.5595px;"><th class="align-center" style="width: 13.8365%; height: 29.5595px;">Step</th><th class="align-center" style="width: 86.0939%; height: 29.5595px;">Action</th></tr></thead><tbody><tr style="height: 29.5595px;"><td class="align-center" style="width: 13.8365%; height: 29.5595px;">1</td><td class="align-center" style="width: 86.0939%; height: 29.5595px;">Create an IAM user with programmatic access</td></tr><tr style="height: 29.5595px;"><td class="align-center" style="width: 13.8365%; height: 29.5595px;">2</td><td class="align-center" style="width: 86.0939%; height: 29.5595px;">Assign required IAM policies</td></tr><tr style="height: 29.5595px;"><td class="align-center" style="width: 13.8365%; height: 29.5595px;">3</td><td class="align-center" style="width: 86.0939%; height: 29.5595px;">Generate Access Key &amp; Secret Key</td></tr><tr style="height: 29.5595px;"><td class="align-center" style="width: 13.8365%; height: 29.5595px;">4</td><td class="align-center" style="width: 86.0939%; height: 29.5595px;">Retrieve Domain Name</td></tr><tr style="height: 29.5595px;"><td class="align-center" style="width: 13.8365%; height: 29.5595px;">5</td><td class="align-center" style="width: 86.0939%; height: 29.5595px;">Connect in Elestio and verify</td></tr></tbody></table>

---

Once connected, Elestio will fully manage provisioning, scaling, backups, and lifecycle operations on your OTC infrastructure.