Skip to main content

Open Telekom Cloud (OTC) or BYO-TCloud (Bring Your Own TCloud Account)

Elestio supports Open Telekom Cloud (OTC) as a Bring Your Own Cloud (BYO-TCloud) provider. This allows you to deploy and manage services directly on your own OTC infrastructure while Elestio handles automation, provisioning, monitoring, and operations.

This guide explains how to prepare your OTC account and connect it to Elestio.

What You Will Need

Before starting, make sure you have the following credentials:

Credential Description Example
Access Key (AK) OTC IAM user access key JDIXXXXXXXXXXXXXXXXXXX
Secret Key (SK) OTC IAM user secret key wJalrXUtnFEMI...
Domain Name OTC account domain identifier OTC00000000001

Where to find Domain Name:
Log in to the OTC Console → click your account name (top-right) → open My Account / Account Info. The domain name is listed there and typically starts with OTC00.

Step 1: Create a Dedicated IAM User

We strongly recommend creating a dedicated IAM user for Elestio instead of using root credentials.

  1. Log in to the OTC Console
    https://console.otc.t-systems.com

  2. Go to IAM (Identity and Access Management)

  3. Open Users from the sidebar

  4. Click Create User

  5. Fill in:

    • Username: elestio-service (or any preferred name)

    • Access Type: Programmatic access

    • Password: Not required

  6. Click Next → Create

  7. Copy or download:

    • Access Key (AK)

    • Secret Key (SK)

⚠️ The Secret Key is shown only once. Store it securely.

Step 2: Assign Required IAM Permissions

Elestio requires permissions to provision and manage cloud infrastructure.

Go to:
IAM → User Groups → Create Group (or use existing group)
Then assign the following policies with scope:

Scope must be: All resources [Existing and future projects]

Required Policies / Scope

1. ECS Admin

Provides full control over Elastic Cloud Servers.

Used for:

  • Creating and deleting VMs

  • Managing server lifecycle

  • Keypair management for SSH access

2. ECS FullAccess

Extends ECS Admin with deeper instance operations.

Used for:

  • Reboot, power control, resizing

  • Instance state management APIs

3. EVS FullAccess

Provides full access to Elastic Volume Service (block storage).

Used for:

  • Creating and attaching root volumes

  • Managing snapshots and backups

  • Expanding and deleting storage volumes

4. VPC Administrator

Provides full network management permissions.

Used for:

  • VPC and subnet creation

  • Security group configuration

  • Elastic IP (EIP) management

  • Firewall rule automation

5. KMS CMKReadOnlyAccess

Read-only access to Key Management Service (KMS).

Used for:

  • Fetching evs/default encryption key

  • Encrypting root volumes at creation time

⚠️ Ensure the evs/default key exists in: OTC Console → DEW → Key Management Service

If missing, create a key with the alias: evs/default

6. DNS Administrator

Provides full control over DNS and reverse DNS (PTR) records.

Used for:

  • Automatic PTR record configuration

  • Email deliverability support

  • SSL validation compatibility

Step 3: Create or Retrieve Access Keys

If you didn’t save credentials during user creation:

  1. Go to IAM → Users

  2. Select your elestio-service user

  3. Open Security Credentials

  4. Click Create Access Key

  5. Copy:

    • Access Key (AK)

    • Secret Key (SK)

⚠️ Secret Key cannot be retrieved again after creation.

Step 4: Find Your OTC Domain Name

  1. Log in to OTC Console

  2. Click your account name (top-right)

  3. Open My Credentials / Account Info

  4. Copy the Domain Name

Example:

OTC00000000001
Step 5: Connect OTC to Elestio

  1. Log in to your Elestio dashboard https://dash.elest.io

  2. Select Service that you want to deploy.

  3. Go to Cloud Provider

  4. Select BYO-TCloud Open Telekom Cloud (OTC)

  5. Enter:

    • Access Key (AK)

    • Secret Key (SK)

    • Domain Name

  6. Click Verify & Save

image.png

Elestio will validate your credentials and permissions automatically.

Troubleshooting

Invalid credentials

  • Ensure no extra spaces in AK/SK

  • Verify Domain Name matches OTC console

  • Confirm IAM user is active

Missing permissions

  • Ensure all 6 policies are assigned

  • Check scope:
    All resources [Existing and future projects]

No OTC projects found

  • Ensure at least one region project is enabled (e.g., eu-de, eu-nl)

  • Contact OTC support if missing

Missing EVS/default key

  • Go to DEW → Key Management Service

  • Create key with alias: evs/default

Existing services inaccessible after update

  • Ensure IAM user has access to all regions

  • Verify region mapping for existing resources

Summary
Step Action
1 Create IAM user with programmatic access
2 Assign required IAM policies
3 Generate Access Key & Secret Key
4 Retrieve Domain Name
5 Connect in Elestio and verify

Once connected, Elestio will fully manage provisioning, scaling, backups, and lifecycle operations on your OTC infrastructure.

Back to top