Managing Hetzner Subuser Permissions: A Step‑by‑Step Guide

Uncategorized
By Azon Vault

How to Manage Hetzner Subuser Permissions Effectively

Running servers on Hetzner can be a breeze, but once you start sharing access with teammates or contractors, you need a clear way to control who can do what. That’s where subuser permissions come in. In this guide we’ll walk you through creating subusers, assigning the right roles, and keeping your infrastructure secure.

Why Use Subusers?

  • Least‑privilege access: Give each person only the permissions they need.
  • Auditability: Track actions by individual subusers in the Hetzner console.
  • Team flexibility: Onboard new developers or vendors quickly without sharing your master credentials.

Understanding Hetzner Permission Levels

Hetzner provides three main permission groups that you can mix and match for each subuser:

1. Project Permissions

  • Read‑only: View server details, IPs, and usage statistics.
  • Read‑write: Create, modify, or delete resources within the project.
  • Admin: Full control, including billing and API key management.

2. Server Actions

  • Power on / off
  • Reboot, rescue mode, and reset root password
  • Mount ISO images or snapshots

3. Network & Storage

  • Manage floating IPs, VLANs, and firewall rules.
  • Attach or detach volumes and backups.

Step‑by‑Step: Creating a Subuser

  1. Log into the Hetzner Console and select the project you want to work with.
  2. Navigate to "Access & Security" → "Subusers".
  3. Click "Add Subuser" and enter the email address of the new user.
  4. Choose a role (Read‑only, Read‑write, Admin) or custom‑select permissions.
    • For developers, a common combo is Read‑write project + Server Actions but no network changes.
    • For contractors, you might give Read‑only project + specific Server Actions like reboot only.
  5. Optionally set an expiration date if the access is temporary.
  6. Click "Create". Hetzner will send an invitation email with a one‑time link.

Best Practices for Secure Permissions

  • Start with the lowest level and add rights only when necessary.
  • Regularly review subuser lists and remove inactive accounts.
  • Enable Two‑Factor Authentication (2FA) for every subuser.
  • Use API tokens scoped to specific actions instead of sharing the root API key.
  • Log all activity: Hetzner’s audit log can be exported for compliance checks.

Common Scenarios

Deploying a New Application

Give the DevOps engineer Read‑write project + Server Actions. They can spin up a new server, install the app, and then hand it over to a reviewer with Read‑only rights.

Third‑Party Backup Provider

Assign Read‑only project plus Network & Storage permissions so the provider can mount snapshots but cannot alter firewall rules.

FAQ

Can a subuser manage billing?
Only the Admin role includes billing access. Keep this role limited to trusted personnel.
Do subusers share the same SSH keys?
No. Each subuser logs in with their own Hetzner account, so you should ask them to upload their own SSH public keys.
What happens if a subuser forgets their password?
They can reset it via the Hetzner login page. As an admin, you can also revoke the account and re‑invite them.
Is there a way to automate permission changes?
Yes—use Hetzner’s API to create, update, or delete subusers programmatically. Pair it with a CI/CD pipeline for temporary tokens.

Call to Action

Ready to tighten security on your Hetzner projects? Start by creating a subuser for yourself with limited rights, then gradually assign appropriate permissions to your team. Need help setting up automated API tokens? Contact our support team today!

Suggested Internal Links

  • How to Use Hetzner’s API for Server Automation
  • Best Practices for Managing Hetzner Backups

External Reference

For deeper technical details, refer to Hetzner’s official documentation on Subusers and API token scopes.

Azon Vault 5877 posts 0 comments
You might also like More from author

Comments are closed, but trackbacks and pingbacks are open.