IAM Identity Services | IBM Cloud API Docs

Introduction

Last updated: 2023-03-02

The IAM Identity Service API is used to manage service IDs and API key identities and to create IAM access tokens for a user or service ID.

SDKs for Java, Node, Python, and Go are available to make it easier to programmatically access the API from your code. The client libraries that are provided by the SDKs implement best practices for using the API and reduce the amount of code that you need to write. The tab for each language includes code examples that demonstrate how to use the client libraries. For more information about using the SDKs, see the IBM Cloud SDK Common project on GitHub.

The examples that are provided on this page demonstrate how to use IAM Identity Service For more information and detailed examples, check out the IBM Cloud SDK Common project on GitHub.

Installing the Java SDK

Maven

<dependency>
	<groupId>com.ibm.cloud</groupId>
	<artifactId>iam-identity</artifactId>
	<version>{version}</version>
</dependency>

Gradle

compile 'com.ibm.cloud:iam-identity:{version}'

Replace {version} in these examples with the release version.

View on GitHub

https://github.com/IBM/platform-services-java-sdk

Installing the Go SDK

Go modules (recommended): Add the following import in your code, and then run go build or go mod tidy

import (
	"github.com/IBM/platform-services-go-sdk/iamidentityv1"
)

go get -u github.com/IBM/platform-services-go-sdk/iamidentityv1

View on GitHub

https://github.com/IBM/platform-services-go-sdk

Installing the Node SDK

npm install @ibm-cloud/platform-services

View on GitHub

https://github.com/IBM/platform-services-node-sdk

Installing the Python SDK

pip install --upgrade "ibm-platform-services"

View on GitHub

https://github.com/IBM/platform-services-python-sdk

Endpoint URLs

The IAM Identity Services API uses the following public global endpoint URL. When you call the API, add the path for each method to form the complete API endpoint for your requests.

https://iam.cloud.ibm.com

Virtual private cloud (VPC) based access requires a virtual private endpoint gateway (VPE gateway). For more information , see Creating an endpoint gateway.

Private endpoint URL for VPC infrastructure: https://private.iam.cloud.ibm.com. VPE gateway creation is supported in following datacenters:
- Dallas
- Washington
- Frankfurt

If you enabled service endpoints in your account, you can send API requests over the IBM Cloud® private network at the following base endpoint URLs. For more information, see Enabling VRF and service endpoints.

Private endpoint URLs for classic infrastructure. Supported datacenters and urls:
- Dallas: https://private.us-south.iam.cloud.ibm.com
- Washington DC: https://private.us-east.iam.cloud.ibm.com
- Frankfurt DC: https://private.eu-de.iam.cloud.ibm.com

Example API request

curl -u "apikey:{apikey}" -X {request_method} "https://iam.cloud.ibm.com/{method_endpoint}"

Replace {apikey}, {request_method}, and {method_endpoint} in this example with the values for your particular API call.

Authentication

Authorization to the Identity Services REST API is enforced by using an IBM Cloud Identity and Access Management (IAM) access token. The token is used to determine the actions that a user or service ID has access to when they use the API.

You can generate an access token by first creating an API key and then exchanging your API key for an IBM Cloud IAM token.

Don't have an API key? Try running ibmcloud oauth-tokens in the IBM Cloud Shell to quickly generate a personal access token.

When you use the SDK, configure an IAM authenticator with the IAM API key. The authenticator automatically obtains the IAM access token for the API key and includes it with each request. You can construct an authenticator in either of two ways:

Programmatically by constructing an IAM authenticator instance and supplying your IAM API key
By defining the API key in external configuration properties and then using the SDK authenticator factory to construct an IAM authenticator that uses the configured IAM API key

In this example of using external configuration properties, an IAM authenticator instance is created with the configured API key, and then the service client is constructed with this authenticator instance and the configured service URL.

For more information, see the Authentication section of the IBM Cloud SDK Common documentation.

To call each method, you'll need to be assigned a role that includes the required IAM actions. Each method lists the associated action. For more information about IAM actions and how they map to roles, see IAM Identity service.

You authenticate to the API by using Cloud Identity and Access Management (IAM). You can pass either a bearer token in an authorization header or an API key.

The SDK provides initialization methods for each form of authentication.

Use the API key to have the SDK manage the lifecycle of the access token. The SDK requests an access token, ensures that the access token is valid, includes the access token in each outgoing request, and refreshes it when it expires.
Use the access token to manage the lifecycle yourself. Keep in mind that access tokens are valid for 1 hour, so you must refresh them regularly to maintain access.

For more information, see IAM authentication with the SDK.

To retrieve your access token:

curl -X POST   "https://iam.cloud.ibm.com/identity/token"   --header 'Content-Type: application/x-www-form-urlencoded'   --header 'Accept: application/json'   --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey'   --data-urlencode 'apikey=<API_KEY>'

Replace <API_KEY> with your IAM API key.

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_IDENTITY_URL=<SERVICE_URL>
export IAM_IDENTITY_AUTHTYPE=iam
export IAM_IDENTITY_APIKEY=<API_KEY>

Example of constructing the service client

import {
    "github.com/IBM/platform-services-go-sdk/iamidentityv1"
}
...
serviceClientOptions := &iamidentityv1.IamIdentityV1Options{}
serviceClient, err := iamidentityv1.NewIamIdentityV1UsingExternalConfig(serviceClientOptions)

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_IDENTITY_URL=<SERVICE_URL>
export IAM_IDENTITY_AUTHTYPE=iam
export IAM_IDENTITY_APIKEY=<API_KEY>

Example of constructing the service client

import com.ibm.cloud.platform_services.iam_identity.v1.IamIdentity;
...
IamIdentity serviceClient = IamIdentity.newInstance();

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_IDENTITY_URL=<SERVICE_URL>
export IAM_IDENTITY_AUTHTYPE=iam
export IAM_IDENTITY_APIKEY=<API_KEY>

Example of constructing the service client

const IamIdentityV1 = require('@ibm-cloud/platform-services/iam-identity/v1');
...
const serviceClient = IamIdentityV1.newInstance({});

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_IDENTITY_URL=<SERVICE_URL>
export IAM_IDENTITY_AUTHTYPE=iam
export IAM_IDENTITY_APIKEY=<API_KEY>

Example of constructing the service client

from ibm_platform_services import IamIdentityV1
...
service_client = IamIdentityV1.new_instance()

Auditing

You can monitor API activity within your account by using the IBM Cloud® Activity Tracker service. You can track when specific API methods are called by reviewing generated events in Activity Tracker.

If an event is tracked for a method, you can find it listed with the method. For more information about how to track IAM activity, see Auditing events for IAM.

Error handling

The IAM Token Service uses standard HTTP response codes to indicate whether a method completed successfully. A 200 response always indicates success. A 400 type response indicates that a parameter validation failed and can occur if required parameters are missing or if any parameter values are invalid. A 401 or 403 response indicates that the incoming request did not contain valid authentication information. A 500 type response indicates an internal server error that is seen in an unexpected error situation.

The Identity Services REST APIs return standard HTTP status codes to indicate the success or failure of a request. The format of the response is represented in JSON as follows:

{
    "trace": "9daee671-916a-4678-850b-10b911f0236d",
    "errors": [
        {
            "code": "invalid_access_token",
            "message": "The provided access token provided is invalid."
        }
    ]
    "status_code": 401
}

If an operation cannot be fulfilled, an appropriate 400 or 500 series HTTP response is returned from the server. The operations that are defined in the Reference section describe example errors that might be returned from a failed request. All responses from the Identity Services REST API are in JSON format.

The following table show the potential error codes the API might return.

HTTP Error Code	Description	Recovery
`200`	Success	The request was successful.
`201`	Created	The resource was successfully created.
`204`	No Content	The request was successful. No response body is provided.
`400`	Bad Request	The input parameters in the request body are either incomplete or in the wrong format. Be sure to include all required parameters in your request.
`401`	Unauthorized	You are not authorized to make this request. The token is either missing or expired. Get a new valid token and try again.
`403`	Forbidden	The supplied authentication is not authorized to perform the operation. If this error persists, contact the account owner to check your permissions.
`404`	Not Found	The requested resource can't be found.
`409`	Conflict	The entity is already in the requested state.
`429`	Too Many Requests	Too many requests have been made within a time window. Wait before calling the API again.
`500`	Internal error	Error that is seen in an unexpected error situation.

Additional headers

Some additional headers might be required to make successful requests to the API. Those additional headers are:

An optional transaction ID can be passed to your request, which can be useful for tracking calls through multiple services using one identifier. The header key must be set to Transaction-Id and the value is anything that you choose.

If there is not a transaction ID that is passed in, then one is generated randomly.

Returns the list of API key details for a given service or user IAM ID and account ID. Users can manage user API keys for themself, or service ID API keys for service IDs that are bound to an entity they have access to. In case of service IDs and their API keys, a user must be either an account owner, a IBM Cloud org manager or IBM Cloud space developer in order to manage service IDs of the entity.

GET /v1/apikeys

(iamIdentity *IamIdentityV1) ListAPIKeys(listAPIKeysOptions *ListAPIKeysOptions) (result *APIKeyList, response *core.DetailedResponse, err error)

(iamIdentity *IamIdentityV1) ListAPIKeysWithContext(ctx context.Context, listAPIKeysOptions *ListAPIKeysOptions) (result *APIKeyList, response *core.DetailedResponse, err error)

ServiceCall<ApiKeyList> listApiKeys(ListApiKeysOptions listApiKeysOptions)

listApiKeys(params)

list_api_keys(self,
        *,
        account_id: str = None,
        iam_id: str = None,
        pagesize: int = None,
        pagetoken: str = None,
        scope: str = None,
        type: str = None,
        sort: str = None,
        order: str = None,
        include_history: bool = None,
        **kwargs
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following actions. You can check your access by going to Users > User > Access.

iam-identity.apikey.list
iam-identity.apikey.manage (if scope='account')

Request

Instantiate the ListAPIKeysOptions struct and set the fields to provide parameter values for the ListAPIKeys method.

Use the ListApiKeysOptions.Builder to create a ListApiKeysOptions object that contains the parameter values for the listApiKeys method.

Custom Headers

Authorization
Required*
string
Authorization Token used for the request. The supported token type is a Cloud IAM Access Token. If the token is omitted the request will fail with BXNIM0308E: 'No authorization header found'. Please make sure that the provided token has the required authority for the request.

Query Parameters

account_id
string
Account ID of the API keys(s) to query. If a service IAM ID is specified in iam_id then account_id must match the account of the IAM ID. If a user IAM ID is specified in iam_id then then account_id must match the account of the Authorization token.
iam_id
string
IAM ID of the API key(s) to be queried. The IAM ID may be that of a user or a service. For a user IAM ID iam_id must match the Authorization token.
pagesize
integer
Optional size of a single page. Default is 20 items per page. Valid range is 1 to 100.
pagetoken
string
Optional Prev or Next page token returned from a previous query execution. Default is start with first page.
scope
string
Optional parameter to define the scope of the queried API Keys. Can be 'entity' (default) or 'account'.

Allowable values: [entity,account]
Default: entity
type
string
Optional parameter to filter the type of the queried API Keys. Can be 'user' or 'serviceid'.

Allowable values: [user,serviceid]
sort
string
Optional sort property, valid values are name, description, created_at and created_by. If specified, the items are sorted by the value of this property.
order
string
Optional sort order, valid values are asc and desc. Default: asc.

Allowable values: [asc,desc]
Default: asc
include_history
boolean
Defines if the entity history is included in the response.

Default: false

parameter

WithContext method only

ListApiKeysOptions

The ListAPIKeys options.

ListApiKeysOptions

The listApiKeys options.

parameters

accountId
string
Account ID of the API keys(s) to query. If a service IAM ID is specified in iam_id then account_id must match the account of the IAM ID. If a user IAM ID is specified in iam_id then then account_id must match the account of the Authorization token.
iamId
string
IAM ID of the API key(s) to be queried. The IAM ID may be that of a user or a service. For a user IAM ID iam_id must match the Authorization token.
pagesize
number
Optional size of a single page. Default is 20 items per page. Valid range is 1 to 100.
pagetoken
string
Optional Prev or Next page token returned from a previous query execution. Default is start with first page.
scope
string
Optional parameter to define the scope of the queried API Keys. Can be 'entity' (default) or 'account'.

Allowable values: [entity,account]
Default: entity
type
string
Optional parameter to filter the type of the queried API Keys. Can be 'user' or 'serviceid'.

Allowable values: [user,serviceid]
sort
string
Optional sort property, valid values are name, description, created_at and created_by. If specified, the items are sorted by the value of this property.
order
string
Optional sort order, valid values are asc and desc. Default: asc.

Allowable values: [asc,desc]
Default: asc
includeHistory
boolean
Defines if the entity history is included in the response.

Default: false

parameters

account_id
str
Account ID of the API keys(s) to query. If a service IAM ID is specified in iam_id then account_id must match the account of the IAM ID. If a user IAM ID is specified in iam_id then then account_id must match the account of the Authorization token.
iam_id
str
IAM ID of the API key(s) to be queried. The IAM ID may be that of a user or a service. For a user IAM ID iam_id must match the Authorization token.
pagesize
int
Optional size of a single page. Default is 20 items per page. Valid range is 1 to 100.
pagetoken
str
Optional Prev or Next page token returned from a previous query execution. Default is start with first page.
scope
str
Optional parameter to define the scope of the queried API Keys. Can be 'entity' (default) or 'account'.

Allowable values: [entity,account]
Default: entity
type
str
Optional parameter to filter the type of the queried API Keys. Can be 'user' or 'serviceid'.

Allowable values: [user,serviceid]
sort
str
Optional sort property, valid values are name, description, created_at and created_by. If specified, the items are sorted by the value of this property.
order
str
Optional sort order, valid values are asc and desc. Default: asc.

Allowable values: [asc,desc]
Default: asc
include_history
bool
Defines if the entity history is included in the response.

Default: false

Example request

curl -X GET 'https://iam.cloud.ibm.com/v1/apikeys?account_id=ACCOUNT_ID&iam_id=IBMid-123WEREW' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'

Example request

listAPIKeysOptions := iamIdentityService.NewListAPIKeysOptions()
listAPIKeysOptions.SetAccountID(accountID)
listAPIKeysOptions.SetIamID(iamID)
listAPIKeysOptions.SetIncludeHistory(true)

apiKeyList, response, err := iamIdentityService.ListAPIKeys(listAPIKeysOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(apiKeyList, "", "  ")
fmt.Println(string(b))

Example request

ListApiKeysOptions listApiKeysOptions = new ListApiKeysOptions.Builder()
    .accountId(accountId)
    .iamId(iamId)
    .includeHistory(true)
    .build();

Response<ApiKeyList> response = service.listApiKeys(listApiKeysOptions).execute();
ApiKeyList apiKeyList = response.getResult();

System.out.println(apiKeyList);

Example request

const params = {
  accountId: accountId,
  iamId: iamId,
  includeHistory: true,
};

try {
  const res = await iamIdentityService.listApiKeys(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}

Example request

api_key_list = iam_identity_service.list_api_keys(
  account_id=account_id, iam_id=iam_id, include_history=True
).get_result()

print(json.dumps(api_key_list, indent=2))

Response

Response Body

ApiKeyList

Response body format for the List API keys V1 REST request.

ApiKeyList

Response body format for the List API keys V1 REST request.

ApiKeyList

Response body format for the List API keys V1 REST request.

ApiKeyList

Response body format for the List API keys V1 REST request.

ApiKeyList

Response body format for the List API keys V1 REST request.

Status Code

200
Successful operation.
400
Parameter validation failed.
401
The incoming request did not contain a valid authentication information.
403
The incoming request is valid but the user is not allowed to perform the requested action.
404
User iam_id or account_id does not match Authorization token, service ID of the IAM ID not found.
500
Internal Server error.

Example responses

Status 200

{
  "limit": 1,
  "first": {
    "href": "https://iam.cloud.ibm.com/v1/apikeys?pagetoken=PageToken"
  },
  "next": {
    "href": "https://iam.cloud.ibm.com/v1/apikeys?pagetoken=PageToken"
  },
  "apikeys": {
    "id": "ApiKey-fffc06c0-f3fd-49e5-82b5-b9dec9a3c47c",
    "entity_tag": "3-5c26819c7a9df67ac5d51c5761e1ac8a",
    "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::apikey:ApiKey-fffc06c0-f3fd-49e5-82b5-b9dec9a3c47c",
    "locked": false,
    "created_at": "2020-09-28T17:49+0000",
    "created_by": "IBMid-110000AB1Z",
    "modified_at": "2020-09-28T17:49+0000",
    "name": "apikeyNew",
    "description": "test",
    "iam_id": "IBMid-110000AB1Z",
    "account_id": "100abcde100a41abc100aza678abc0zz"
  }
}

Success example

{
  "limit": 1,
  "first": {
    "href": "https://iam.cloud.ibm.com/v1/apikeys?pagetoken=PageToken"
  },
  "next": {
    "href": "https://iam.cloud.ibm.com/v1/apikeys?pagetoken=PageToken"
  },
  "apikeys": {
    "id": "ApiKey-fffc06c0-f3fd-49e5-82b5-b9dec9a3c47c",
    "entity_tag": "3-5c26819c7a9df67ac5d51c5761e1ac8a",
    "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::apikey:ApiKey-fffc06c0-f3fd-49e5-82b5-b9dec9a3c47c",
    "locked": false,
    "created_at": "2020-09-28T17:49+0000",
    "created_by": "IBMid-110000AB1Z",
    "modified_at": "2020-09-28T17:49+0000",
    "name": "apikeyNew",
    "description": "test",
    "iam_id": "IBMid-110000AB1Z",
    "account_id": "100abcde100a41abc100aza678abc0zz"
  }
}

Creates an API key for a UserID or service ID. Users can manage user API keys for themself, or service ID API keys for service IDs that are bound to an entity they have access to.

POST /v1/apikeys

(iamIdentity *IamIdentityV1) CreateAPIKey(createAPIKeyOptions *CreateAPIKeyOptions) (result *APIKey, response *core.DetailedResponse, err error)

(iamIdentity *IamIdentityV1) CreateAPIKeyWithContext(ctx context.Context, createAPIKeyOptions *CreateAPIKeyOptions) (result *APIKey, response *core.DetailedResponse, err error)

ServiceCall<ApiKey> createApiKey(CreateApiKeyOptions createApiKeyOptions)

createApiKey(params)

create_api_key(self,
        name: str,
        iam_id: str,
        *,
        description: str = None,
        account_id: str = None,
        apikey: str = None,
        store_value: bool = None,
        entity_lock: str = None,
        **kwargs
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam-identity.apikey.create

Auditing

Calling this method generates the following auditing events.

Depending on the type of API key that you create, one of the following events is generated.

iam-identity.user-apikey.create
iam-identity.serviceid-apikey.create

Request

Instantiate the CreateAPIKeyOptions struct and set the fields to provide parameter values for the CreateAPIKey method.

Use the CreateApiKeyOptions.Builder to create a CreateApiKeyOptions object that contains the parameter values for the createApiKey method.

Custom Headers

Authorization
Required*
string
Authorization Token used for the request. The supported token type is a Cloud IAM Access Token. If the token is omitted the request will fail with BXNIM0308E: 'No authorization header found'. Please make sure that the provided token has the required authority for the request.
Entity-Lock
string
Indicates if the API key is locked for further write operations. False by default.

Default: false

Request Body

Required*

CreateApiKeyRequest

Request to create an API key.

parameter

WithContext method only

CreateApiKeyOptions

The CreateAPIKey options.

CreateApiKeyOptions

The createApiKey options.

parameters

name
Required*
string
Name of the API key. The name is not checked for uniqueness. Therefore multiple names with the same value can exist. Access is done via the UUID of the API key.
iamId
Required*
string
The iam_id that this API key authenticates.
description
string
The optional description of the API key. The 'description' property is only available if a description was provided during a create of an API key.
accountId
string
The account ID of the API key.
apikey
string
You can optionally passthrough the API key value for this API key. If passed, NO validation of that apiKey value is done, i.e. the value can be non-URL safe. If omitted, the API key management will create an URL safe opaque API key value. The value of the API key is checked for uniqueness. Please ensure enough variations when passing in this value.
storeValue
boolean
Send true or false to set whether the API key value is retrievable in the future by using the Get details of an API key request. If you create an API key for a user, you must specify false or omit the value. We don't allow storing of API keys for users.
entityLock
string
Indicates if the API key is locked for further write operations. False by default.

Default: false

parameters

name
Required*
str
Name of the API key. The name is not checked for uniqueness. Therefore multiple names with the same value can exist. Access is done via the UUID of the API key.
iam_id
Required*
str
The iam_id that this API key authenticates.
description
str
The optional description of the API key. The 'description' property is only available if a description was provided during a create of an API key.
account_id
str
The account ID of the API key.
apikey
str
You can optionally passthrough the API key value for this API key. If passed, NO validation of that apiKey value is done, i.e. the value can be non-URL safe. If omitted, the API key management will create an URL safe opaque API key value. The value of the API key is checked for uniqueness. Please ensure enough variations when passing in this value.
store_value
bool
Send true or false to set whether the API key value is retrievable in the future by using the Get details of an API key request. If you create an API key for a user, you must specify false or omit the value. We don't allow storing of API keys for users.
entity_lock
str
Indicates if the API key is locked for further write operations. False by default.

Default: false

Example request

curl -X POST 'https://iam.cloud.ibm.com/v1/apikeys' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json' -d '{
  "name": "My-apikey",
  "description": "my personal key",
  "iam_id": "IBMid-123WEREW",
  "account_id": "ACCOUNT_ID"
  "store_value": false
}'

Example request

createAPIKeyOptions := iamIdentityService.NewCreateAPIKeyOptions(apikeyName, iamID)
createAPIKeyOptions.SetDescription("Example ApiKey")

apiKey, response, err := iamIdentityService.CreateAPIKey(createAPIKeyOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(apiKey, "", "  ")
fmt.Println(string(b))
apikeyID = *apiKey.ID

Example request

CreateApiKeyOptions createApiKeyOptions = new CreateApiKeyOptions.Builder()
    .name(apiKeyName)
    .iamId(iamId)
    .description("Example ApiKey")
    .build();

Response<ApiKey> response = service.createApiKey(createApiKeyOptions).execute();
ApiKey apiKey = response.getResult();
apikeyId = apiKey.getId();

System.out.println(apiKey);

Example request

const params = {
  name: apikeyName,
  iamId: iamId,
  description: 'Example ApiKey',
};

try {
  const res = await iamIdentityService.createApiKey(params);
  apikeyId = res.result.id
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}

Example request

api_key = iam_identity_service.create_api_key(name=apikey_name, iam_id=iam_id).get_result()

apikey_id = api_key['id']

print(json.dumps(api_key, indent=2))

Response

Response Body

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

Status Code

201
API key successfully created. Response if the Object could be created in the persistence layer.
400
Parameter validation failed. Response if required parameters are missing or if parameter values are invalid.
401
The incoming request did not contain a valid authentication information.
403
The incoming request is valid but the user is not allowed to perform the requested action.
409
Create Conflict - API key could not be created. Response if the Object could not be created in the persistence layer.
500
Internal Server error. Response if unexpected error situation. happened.

Example responses

Status 201

{
  "id": "ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "entity_tag": "1-b4053b5d441613fdad4ff3c28db3e7cc",
  "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::apikey:ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "locked": false,
  "created_at": "2020-11-10T12:28+0000",
  "created_by": "IBMid-110000AB1Z",
  "modified_at": "2020-11-10T12:28+0000",
  "name": "apikey-test",
  "description": "apikey-test",
  "iam_id": "IBMid-110000AB1Z",
  "account_id": "100abcde100a41abc100aza678abc0zz",
  "apikey": "created_apikey"
}

Success example

{
  "id": "ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "entity_tag": "1-b4053b5d441613fdad4ff3c28db3e7cc",
  "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::apikey:ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "locked": false,
  "created_at": "2020-11-10T12:28+0000",
  "created_by": "IBMid-110000AB1Z",
  "modified_at": "2020-11-10T12:28+0000",
  "name": "apikey-test",
  "description": "apikey-test",
  "iam_id": "IBMid-110000AB1Z",
  "account_id": "100abcde100a41abc100aza678abc0zz",
  "apikey": "created_apikey"
}

Returns the details of an API key by its value. Users can manage user API keys for themself, or service ID API keys for service IDs that are bound to an entity they have access to.

GET /v1/apikeys/details

(iamIdentity *IamIdentityV1) GetAPIKeysDetails(getAPIKeysDetailsOptions *GetAPIKeysDetailsOptions) (result *APIKey, response *core.DetailedResponse, err error)

(iamIdentity *IamIdentityV1) GetAPIKeysDetailsWithContext(ctx context.Context, getAPIKeysDetailsOptions *GetAPIKeysDetailsOptions) (result *APIKey, response *core.DetailedResponse, err error)

ServiceCall<ApiKey> getApiKeysDetails(GetApiKeysDetailsOptions getApiKeysDetailsOptions)

getApiKeysDetails(params)

get_api_keys_details(self,
        *,
        iam_api_key: str = None,
        include_history: bool = None,
        **kwargs
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam-identity.apikey.get

Request

Instantiate the GetAPIKeysDetailsOptions struct and set the fields to provide parameter values for the GetAPIKeysDetails method.

Use the GetApiKeysDetailsOptions.Builder to create a GetApiKeysDetailsOptions object that contains the parameter values for the getApiKeysDetails method.

Custom Headers

Authorization
Required*
string
Authorization Token used for the request. The supported token type is a Cloud IAM Access Token. If the token is omitted the request will fail with BXNIM0308E: 'No authorization header found'. Please make sure that the provided token has the required authority for the request.
IAM-ApiKey
string
API key value.

Query Parameters

include_history
boolean
Defines if the entity history is included in the response.

Default: false

parameter

WithContext method only

GetApiKeysDetailsOptions

The GetAPIKeysDetails options.

GetApiKeysDetailsOptions

The getApiKeysDetails options.

parameters

iamApiKey
string
API key value.
includeHistory
boolean
Defines if the entity history is included in the response.

Default: false

parameters

iam_api_key
str
API key value.
include_history
bool
Defines if the entity history is included in the response.

Default: false

Example request

curl -X GET 'https://iam.cloud.ibm.com/v1/apikeys/details' -H 'Authorization: Bearer TOKEN' -H 'IAM-Apikey: APIKEY_VALUE' -H 'Content-Type: application/json'

Example request

getAPIKeysDetailsOptions := iamIdentityService.NewGetAPIKeysDetailsOptions()
getAPIKeysDetailsOptions.SetIamAPIKey(iamAPIKey)
getAPIKeysDetailsOptions.SetIncludeHistory(false)

apiKey, response, err := iamIdentityService.GetAPIKeysDetails(getAPIKeysDetailsOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(apiKey, "", "  ")
fmt.Println(string(b))

Example request

GetApiKeysDetailsOptions getApiKeysDetailsOptions = new GetApiKeysDetailsOptions.Builder()
    .iamApiKey(iamApiKey)
    .includeHistory(false)
    .build();

Response<ApiKey> response = service.getApiKeysDetails(getApiKeysDetailsOptions).execute();
ApiKey apiKey = response.getResult();

System.out.println(apiKey);

Example request

const params = {
  iamApiKey: iamApikey,
  includeHistory: false,
};

try {
  const res = await iamIdentityService.getApiKeysDetails(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}

Example request

api_key = iam_identity_service.get_api_keys_details(iam_api_key=apikey).get_result()

print(json.dumps(api_key, indent=2))

Response

Response Body

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

Status Code

200
Successful Get of API key details.
400
Parameter validation failed.
401
The incoming request did not contain a valid authentication information.
403
The incoming request is valid but the user is not allowed to perform the requested action.
404
API key not found.
500
Internal Server error.

Example responses

Status 200

{
  "id": "ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "entity_tag": "1-b4053b5d441613fdad4ff3c28db3e7cc",
  "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::apikey:ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "locked": false,
  "created_at": "2020-11-10T12:28+0000",
  "created_by": "IBMid-110000AB1Z",
  "modified_at": "2020-11-10T12:28+0000",
  "name": "apikey-test",
  "description": "apikey-test",
  "iam_id": "IBMid-110000AB1Z",
  "account_id": "100abcde100a41abc100aza678abc0zz"
}

Success example

{
  "id": "ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "entity_tag": "1-b4053b5d441613fdad4ff3c28db3e7cc",
  "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::apikey:ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "locked": false,
  "created_at": "2020-11-10T12:28+0000",
  "created_by": "IBMid-110000AB1Z",
  "modified_at": "2020-11-10T12:28+0000",
  "name": "apikey-test",
  "description": "apikey-test",
  "iam_id": "IBMid-110000AB1Z",
  "account_id": "100abcde100a41abc100aza678abc0zz"
}

Returns the details of an API key. Users can manage user API keys for themself, or service ID API keys for service IDs that are bound to an entity they have access to. In case of service IDs and their API keys, a user must be either an account owner, a IBM Cloud org manager or IBM Cloud space developer in order to manage service IDs of the entity.

GET /v1/apikeys/{id}

(iamIdentity *IamIdentityV1) GetAPIKey(getAPIKeyOptions *GetAPIKeyOptions) (result *APIKey, response *core.DetailedResponse, err error)

(iamIdentity *IamIdentityV1) GetAPIKeyWithContext(ctx context.Context, getAPIKeyOptions *GetAPIKeyOptions) (result *APIKey, response *core.DetailedResponse, err error)

ServiceCall<ApiKey> getApiKey(GetApiKeyOptions getApiKeyOptions)

getApiKey(params)

get_api_key(self,
        id: str,
        *,
        include_history: bool = None,
        include_activity: bool = None,
        **kwargs
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam-identity.apikey.get

Request

Instantiate the GetAPIKeyOptions struct and set the fields to provide parameter values for the GetAPIKey method.

Use the GetApiKeyOptions.Builder to create a GetApiKeyOptions object that contains the parameter values for the getApiKey method.

Custom Headers

Authorization
Required*
string
Authorization Token used for the request. The supported token type is a Cloud IAM Access Token. If the token is omitted the request will fail with BXNIM0308E: 'No authorization header found'. Please make sure that the provided token has the required authority for the request.

Path Parameters

id
Required*
string
Unique ID of the API key.

Query Parameters

include_history
boolean
Defines if the entity history is included in the response.

Default: false
include_activity
boolean
Defines if the entity's activity is included in the response. Retrieving activity data is an expensive operation, so please only request this when needed.

Default: false

parameter

WithContext method only

GetApiKeyOptions

The GetAPIKey options.

GetApiKeyOptions

The getApiKey options.

parameters

id
Required*
string
Unique ID of the API key.
includeHistory
boolean
Defines if the entity history is included in the response.

Default: false
includeActivity
boolean
Defines if the entity's activity is included in the response. Retrieving activity data is an expensive operation, so please only request this when needed.

Default: false

parameters

id
Required*
str
Unique ID of the API key.
include_history
bool
Defines if the entity history is included in the response.

Default: false
include_activity
bool
Defines if the entity's activity is included in the response. Retrieving activity data is an expensive operation, so please only request this when needed.

Default: false

Example request

curl -X GET 'https://iam.cloud.ibm.com/v1/apikeys/APIKEY_UNIQUE_ID' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'

Example request

getAPIKeyOptions := iamIdentityService.NewGetAPIKeyOptions(apikeyID)

getAPIKeyOptions.SetIncludeHistory(false)
getAPIKeyOptions.SetIncludeActivity(false)

apiKey, response, err := iamIdentityService.GetAPIKey(getAPIKeyOptions)
if err != nil {
  panic(err)
}
apikeyEtag = response.GetHeaders().Get("Etag")
b, _ := json.MarshalIndent(apiKey, "", "  ")
fmt.Println(string(b))

Example request

GetApiKeyOptions getApiKeyOptions = new GetApiKeyOptions.Builder()
    .id(apikeyId)
    .includeHistory(true)
    .includeActivity(true)
    .build();

Response<ApiKey> response = service.getApiKey(getApiKeyOptions).execute();
ApiKey apiKey = response.getResult();
apikeyEtag = response.getHeaders().values("Etag").get(0);

System.out.println(apiKey);

Example request

const params = {
  id: apikeyId,
  includeActivity: true,
};

try {
  const res = await iamIdentityService.getApiKey(params);
  apikeyEtag = res.headers['etag'];
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}

Example request

response = iam_identity_service.get_api_key(
  id=apikey_id,
  include_activity=True,
)

apikey_etag = response.get_headers()['Etag']
api_key = response.get_result()

print(json.dumps(api_key, indent=2))

Response

Response Body

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

Status Code

200
Successful Get of API key.
400
Parameter validation failed.
401
The incoming request did not contain a valid authentication information.
403
The incoming request is valid but the user is not allowed to perform the requested action.
404
API key with provided ID not found.
500
Internal Server error.

Example responses

Status 200

{
  "id": "ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "entity_tag": "1-b4053b5d441613fdad4ff3c28db3e7cc",
  "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::apikey:ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "locked": false,
  "created_at": "2020-11-10T12:28+0000",
  "created_by": "IBMid-110000AB1Z",
  "modified_at": "2020-11-10T12:28+0000",
  "name": "apikey-test",
  "description": "apikey-test",
  "iam_id": "IBMid-110000AB1Z",
  "account_id": "100abcde100a41abc100aza678abc0zz"
}

Success example

{
  "id": "ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "entity_tag": "1-b4053b5d441613fdad4ff3c28db3e7cc",
  "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::apikey:ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "locked": false,
  "created_at": "2020-11-10T12:28+0000",
  "created_by": "IBMid-110000AB1Z",
  "modified_at": "2020-11-10T12:28+0000",
  "name": "apikey-test",
  "description": "apikey-test",
  "iam_id": "IBMid-110000AB1Z",
  "account_id": "100abcde100a41abc100aza678abc0zz"
}

Updates properties of an API key. This does NOT affect existing access tokens. Their token content will stay unchanged until the access token is refreshed. To update an API key, pass the property to be modified. To delete one property's value, pass the property with an empty value "".Users can manage user API keys for themself, or service ID API keys for service IDs that are bound to an entity they have access to.

PUT /v1/apikeys/{id}

(iamIdentity *IamIdentityV1) UpdateAPIKey(updateAPIKeyOptions *UpdateAPIKeyOptions) (result *APIKey, response *core.DetailedResponse, err error)

(iamIdentity *IamIdentityV1) UpdateAPIKeyWithContext(ctx context.Context, updateAPIKeyOptions *UpdateAPIKeyOptions) (result *APIKey, response *core.DetailedResponse, err error)

ServiceCall<ApiKey> updateApiKey(UpdateApiKeyOptions updateApiKeyOptions)

updateApiKey(params)

update_api_key(self,
        id: str,
        if_match: str,
        *,
        name: str = None,
        description: str = None,
        **kwargs
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam-identity.apikey.update

Auditing

Calling this method generates the following auditing events.

Depending on the type of API key that you update, one of the following events is generated.

iam-identity.user-apikey.update
iam-identity.serviceid-apikey.update

Request

Instantiate the UpdateAPIKeyOptions struct and set the fields to provide parameter values for the UpdateAPIKey method.

Use the UpdateApiKeyOptions.Builder to create a UpdateApiKeyOptions object that contains the parameter values for the updateApiKey method.

Custom Headers

If-Match
Required*
string
Version of the API key to be updated. Specify the version that you retrieved when reading the API key. This value helps identifying parallel usage of this API. Pass * to indicate to update any version available. This might result in stale updates.
Authorization
Required*
string
Authorization Token used for the request. The supported token type is a Cloud IAM Access Token. If the token is omitted the request will fail with BXNIM0308E: 'No authorization header found'. Please make sure that the provided token has the required authority for the request.

Path Parameters

id
Required*
string
Unique ID of the API key to be updated.

Request Body

Required*

UpdateApiKeyRequest

Request to update an API key.

parameter

WithContext method only

UpdateApiKeyOptions

The UpdateAPIKey options.

UpdateApiKeyOptions

The updateApiKey options.

parameters

id
Required*
string
Unique ID of the API key to be updated.
ifMatch
Required*
string
Version of the API key to be updated. Specify the version that you retrieved when reading the API key. This value helps identifying parallel usage of this API. Pass * to indicate to update any version available. This might result in stale updates.
name
string
The name of the API key to update. If specified in the request the parameter must not be empty. The name is not checked for uniqueness. Failure to this will result in an Error condition.
description
string
The description of the API key to update. If specified an empty description will clear the description of the API key. If a non empty value is provided the API key will be updated.

parameters

id
Required*
str
Unique ID of the API key to be updated.
if_match
Required*
str
Version of the API key to be updated. Specify the version that you retrieved when reading the API key. This value helps identifying parallel usage of this API. Pass * to indicate to update any version available. This might result in stale updates.
name
str
The name of the API key to update. If specified in the request the parameter must not be empty. The name is not checked for uniqueness. Failure to this will result in an Error condition.
description
str
The description of the API key to update. If specified an empty description will clear the description of the API key. If a non empty value is provided the API key will be updated.

Example request

curl -X PUT 'https://iam.cloud.ibm.com/v1/apikeys/APIKEY_UNIQUE_ID' -H 'Authorization: Bearer TOKEN' -H 'If-Match: <value of etag header from GET request>' -H 'Content-Type: application/json' -d '{
  "name": "My-apikey",
  "description": "my personal key"
}'

Example request

updateAPIKeyOptions := iamIdentityService.NewUpdateAPIKeyOptions(apikeyID, apikeyEtag)
updateAPIKeyOptions.SetDescription("This is an updated description")

apiKey, response, err := iamIdentityService.UpdateAPIKey(updateAPIKeyOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(apiKey, "", "  ")
fmt.Println(string(b))

Example request

UpdateApiKeyOptions updateApiKeyOptions = new UpdateApiKeyOptions.Builder()
    .id(apikeyId)
    .ifMatch(apikeyEtag)
    .description("This is an updated description")
    .build();

Response<ApiKey> response = service.updateApiKey(updateApiKeyOptions).execute();
ApiKey apiKey = response.getResult();

System.out.println(apiKey);

Example request

const params = {
  id: apikeyId,
  ifMatch: apikeyEtag,
  description: 'This is an updated description',
};

try {
  const res = await iamIdentityService.updateApiKey(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}

Example request

api_key = iam_identity_service.update_api_key(
  id=apikey_id, if_match=apikey_etag, description='This is an updated description'
).get_result()

print(json.dumps(api_key, indent=2))

Response

Response Body

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

ApiKey

Response body format for API key V1 REST requests.

Status Code

200
Successful - API key updated.
400
Parameter validation failed.
401
The incoming request did not contain a valid authentication information.
403
The incoming request is valid but the user is not allowed to perform the requested action.
404
API key with provided parameters not found.
409
Conflict - there must have been an update in parallel, the specified If-Match header does not match the current API key record. Retrieve the current API key again and apply the changes to that version.
500
Internal Server error.

Example responses

Status 200

{
  "id": "ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "entity_tag": "2-cc66d399c705d12b439f1992a465fd5b",
  "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::apikey:ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "locked": false,
  "created_at": "2020-11-10T12:28+0000",
  "created_by": "IBMid-110000AB1Z",
  "modified_at": "2020-11-10T13:45+0000",
  "name": "Apikey-test1",
  "description": "Apikey-test1",
  "iam_id": "IBMid-110000AB1Z",
  "account_id": "100abcde100a41abc100aza678abc0zz"
}

Success example

{
  "id": "ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "entity_tag": "2-cc66d399c705d12b439f1992a465fd5b",
  "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::apikey:ApiKey-5ccff000-9ff1-4481-a760-29c22a7603e7",
  "locked": false,
  "created_at": "2020-11-10T12:28+0000",
  "created_by": "IBMid-110000AB1Z",
  "modified_at": "2020-11-10T13:45+0000",
  "name": "Apikey-test1",
  "description": "Apikey-test1",
  "iam_id": "IBMid-110000AB1Z",
  "account_id": "100abcde100a41abc100aza678abc0zz"
}

Deletes an API key. Existing tokens will remain valid until expired. Users can manage user API keys for themself, or service ID API keys for service IDs that are bound to an entity they have access to.

DELETE /v1/apikeys/{id}

(iamIdentity *IamIdentityV1) DeleteAPIKey(deleteAPIKeyOptions *DeleteAPIKeyOptions) (response *core.DetailedResponse, err error)

(iamIdentity *IamIdentityV1) DeleteAPIKeyWithContext(ctx context.Context, deleteAPIKeyOptions *DeleteAPIKeyOptions) (response *core.DetailedResponse, err error)

ServiceCall<Void> deleteApiKey(DeleteApiKeyOptions deleteApiKeyOptions)

deleteApiKey(params)

delete_api_key(self,
        id: str,
        **kwargs
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam-identity.apikey.delete

Auditing

Calling this method generates the following auditing events.

Depending on the type of API key that you delete, one of the following events is generated.

iam-identity.user-apikey.delete
iam-identity.serviceid-apikey.delete

Request

Instantiate the DeleteAPIKeyOptions struct and set the fields to provide parameter values for the DeleteAPIKey method.

Use the DeleteApiKeyOptions.Builder to create a DeleteApiKeyOptions object that contains the parameter values for the deleteApiKey method.

Custom Headers

Authorization
Required*
string
Authorization Token used for the request. The supported token type is a Cloud IAM Access Token. If the token is omitted the request will fail with BXNIM0308E: 'No authorization header found'. Please make sure that the provided token has the required authority for the request.

Path Parameters

id
Required*
string
Unique ID of the API key.

parameter

WithContext method only

DeleteApiKeyOptions

The DeleteAPIKey options.

DeleteApiKeyOptions

The deleteApiKey options.

parameters

id
Required*
string
Unique ID of the API key.

parameters

id
Required*
str
Unique ID of the API key.

Example request

curl -X DELETE 'https://iam.cloud.ibm.com/v1/apikeys/APIKEY_UNIQUE_ID' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'

Example request

deleteAPIKeyOptions := iamIdentityService.NewDeleteAPIKeyOptions(apikeyID)

response, err := iamIdentityService.DeleteAPIKey(deleteAPIKeyOptions)
if err != nil {
  panic(err)
}

Example request

DeleteApiKeyOptions deleteApiKeyOptions = new DeleteApiKeyOptions.Builder()
    .id(apikeyId)
    .build();

Response<Void> response = service.deleteApiKey(deleteApiKeyOptions).execute();

Example request

const params = {
  id: apikeyId,
};

try {
  await iamIdentityService.deleteApiKey(params);
} catch (err) {
  console.warn(err);
}

Example request

response = iam_identity_service.delete_api_key(id=apikey_id)

Response

Status Code

204
Deleted Successful - no further details.
401
The incoming request did not contain a valid authentication information.
403
The incoming request is valid but the user is not allowed to perform the requested action.
404
API key with given ID not found.
409
Conflict - ApiKey could not be deleted.
500
Internal Server error.

No Sample Response

This method does not specify any sample responses.

Locks an API key by ID. Users can manage user API keys for themself, or service ID API keys for service IDs that are bound to an entity they have access to. In case of service IDs and their API keys, a user must be either an account owner, a IBM Cloud org manager or IBM Cloud space developer in order to manage service IDs of the entity.

POST /v1/apikeys/{id}/lock

(iamIdentity *IamIdentityV1) LockAPIKey(lockAPIKeyOptions *LockAPIKeyOptions) (response *core.DetailedResponse, err error)

(iamIdentity *IamIdentityV1) LockAPIKeyWithContext(ctx context.Context, lockAPIKeyOptions *LockAPIKeyOptions) (response *core.DetailedResponse, err error)

ServiceCall<Void> lockApiKey(LockApiKeyOptions lockApiKeyOptions)

lockApiKey(params)

lock_api_key(self,
        id: str,
        **kwargs
    ) -> DetailedResponse

Auditing

Calling this method generates the following auditing events.

Depending on the type of API key that you lock, one of the following events is generated.

iam-identity.user-apikey.update
iam-identity.serviceid-apikey.update

Request

Instantiate the LockAPIKeyOptions struct and set the fields to provide parameter values for the LockAPIKey method.

Use the LockApiKeyOptions.Builder to create a LockApiKeyOptions object that contains the parameter values for the lockApiKey method.

Custom Headers

Authorization
Required*
string
Authorization Token used for the request. The supported token type is a Cloud IAM Access Token. If the token is omitted the request will fail with BXNIM0308E: 'No authorization header found'. Please make sure that the provided token has the required authority for the request.

Path Parameters

id
Required*
string
Unique ID of the API key.

parameter

WithContext method only

LockApiKeyOptions

The LockAPIKey options.

LockApiKeyOptions

The lockApiKey options.

parameters

id
Required*
string
Unique ID of the API key.

parameters

id
Required*
str
Unique ID of the API key.

Example request

curl -X POST 'https://iam.cloud.ibm.com/v1/apikeys/APIKEY_UNIQUE_ID/lock' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'

Example request

lockAPIKeyOptions := iamIdentityService.NewLockAPIKeyOptions(apikeyID)

response, err := iamIdentityService.LockAPIKey(lockAPIKeyOptions)
if err != nil {
  panic(err)
}

Example request

LockApiKeyOptions lockApiKeyOptions = new LockApiKeyOptions.Builder()
    .id(apikeyId)
    .build();

Response<Void> response = service.lockApiKey(lockApiKeyOptions).execute();

Example request

const params = {
  id: apikeyId,
};

try {
  await iamIdentityService.lockApiKey(params);
} catch (err) {
  console.warn(err);
}

Example request

response = iam_identity_service.lock_api_key(id=apikey_id)

Response

Status Code

204
Successful locked.
400
Parameter validation failed.
401
The incoming request did not contain a valid authentication information.
403
The incoming request is valid but the user is not allowed to perform the requested action.
404
API key with provided ID not found.
500
Internal Server error.

No Sample Response

This method does not specify any sample responses.

Unlocks an API key by ID. Users can manage user API keys for themself, or service ID API keys for service IDs that are bound to an entity they have access to. In case of service IDs and their API keys, a user must be either an account owner, a IBM Cloud org manager or IBM Cloud space developer in order to manage service IDs of the entity.

DELETE /v1/apikeys/{id}/lock

(iamIdentity *IamIdentityV1) UnlockAPIKey(unlockAPIKeyOptions *UnlockAPIKeyOptions) (response *core.DetailedResponse, err error)

(iamIdentity *IamIdentityV1) UnlockAPIKeyWithContext(ctx context.Context, unlockAPIKeyOptions *UnlockAPIKeyOptions) (response *core.DetailedResponse, err error)

ServiceCall<Void> unlockApiKey(UnlockApiKeyOptions unlockApiKeyOptions)

unlockApiKey(params)

unlock_api_key(self,
        id: str,
        **kwargs
    ) -> DetailedResponse

Auditing

Calling this method generates the following auditing events.

Depending on the type of API key that you unlock, one of the following events is generated.

iam-identity.user-apikey.update
iam-identity.serviceid-apikey.update

Request

Instantiate the UnlockAPIKeyOptions struct and set the fields to provide parameter values for the UnlockAPIKey method.

Use the UnlockApiKeyOptions.Builder to create a UnlockApiKeyOptions object that contains the parameter values for the unlockApiKey method.

Custom Headers

Authorization
Required*
string
Authorization Token used for the request. The supported token type is a Cloud IAM Access Token. If the token is omitted the request will fail with BXNIM0308E: 'No authorization header found'. Please make sure that the provided token has the required authority for the request.

Path Parameters

id
Required*
string
Unique ID of the API key.

parameter

WithContext method only

UnlockApiKeyOptions

The UnlockAPIKey options.

UnlockApiKeyOptions

The unlockApiKey options.

parameters

id
Required*
string
Unique ID of the API key.

parameters

id
Required*
str
Unique ID of the API key.

Example request

curl -X DELETE 'https://iam.cloud.ibm.com/v1/apikeys/APIKEY_UNIQUE_ID/lock' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'

Example request

unlockAPIKeyOptions := iamIdentityService.NewUnlockAPIKeyOptions(apikeyID)

response, err := iamIdentityService.UnlockAPIKey(unlockAPIKeyOptions)
if err != nil {
  panic(err)
}

Example request

UnlockApiKeyOptions unlockApiKeyOptions = new UnlockApiKeyOptions.Builder()
    .id(apikeyId)
    .build();

Response<Void> response = service.unlockApiKey(unlockApiKeyOptions).execute();

Example request

const params = {
  id: apikeyId,
};

try {
  await iamIdentityService.unlockApiKey(params);
} catch (err) {
  console.warn(err);
}

Example request

response = iam_identity_service.unlock_api_key(id=apikey_id)

Response

Status Code

204
Successful unlocked.
400
Parameter validation failed.
401
The incoming request did not contain a valid authentication information.
403
The incoming request is valid but the user is not allowed to perform the requested action.
404
API key with provided ID not found.
500
Internal Server error.

No Sample Response

This method does not specify any sample responses.

Returns a list of service IDs. Users can manage user API keys for themself, or service ID API keys for service IDs that are bound to an entity they have access to. Note: apikey details are only included in the response when creating a Service ID with an apikey.

GET /v1/serviceids/

(iamIdentity *IamIdentityV1) ListServiceIds(listServiceIdsOptions *ListServiceIdsOptions) (result *ServiceIDList, response *core.DetailedResponse, err error)

(iamIdentity *IamIdentityV1) ListServiceIdsWithContext(ctx context.Context, listServiceIdsOptions *ListServiceIdsOptions) (result *ServiceIDList, response *core.DetailedResponse, err error)

ServiceCall<ServiceIdList> listServiceIds(ListServiceIdsOptions listServiceIdsOptions)

listServiceIds(params)

list_service_ids(self,
        *,
        account_id: str = None,
        name: str = None,
        pagesize: int = None,
        pagetoken: str = None,
        sort: str = None,
        order: str = None,
        include_history: bool = None,
        **kwargs
    ) -> DetailedResponse

Request

Instantiate the ListServiceIdsOptions struct and set the fields to provide parameter values for the ListServiceIds method.

Use the ListServiceIdsOptions.Builder to create a ListServiceIdsOptions object that contains the parameter values for the listServiceIds method.

Custom Headers

Authorization
Required*
string
Authorization Token used for the request. The supported token type is a Cloud IAM Access Token. If the token is omitted the request will fail with BXNIM0308E: 'No authorization header found'. Please make sure that the provided token has the required authority for the request.

Query Parameters

account_id
string
Account ID of the service ID(s) to query. This parameter is required (unless using a pagetoken).
name
string
Name of the service ID(s) to query. Optional.20 items per page. Valid range is 1 to 100.
pagesize
integer
Optional size of a single page. Default is 20 items per page. Valid range is 1 to 100.
pagetoken
string
Optional Prev or Next page token returned from a previous query execution. Default is start with first page.
sort
string
Optional sort property, valid values are name, description, created_at and modified_at. If specified, the items are sorted by the value of this property.
order
string
Optional sort order, valid values are asc and desc. Default: asc.

Allowable values: [asc,desc]
Default: asc
include_history
boolean
Defines if the entity history is included in the response.

Default: false

parameter

WithContext method only

ListServiceIdsOptions

The ListServiceIds options.

ListServiceIdsOptions

The listServiceIds options.

parameters

accountId
string
Account ID of the service ID(s) to query. This parameter is required (unless using a pagetoken).
name
string
Name of the service ID(s) to query. Optional.20 items per page. Valid range is 1 to 100.
pagesize
number
Optional size of a single page. Default is 20 items per page. Valid range is 1 to 100.
pagetoken
string
Optional Prev or Next page token returned from a previous query execution. Default is start with first page.
sort
string
Optional sort property, valid values are name, description, created_at and modified_at. If specified, the items are sorted by the value of this property.
order
string
Optional sort order, valid values are asc and desc. Default: asc.

Allowable values: [asc,desc]
Default: asc
includeHistory
boolean
Defines if the entity history is included in the response.

Default: false

parameters

account_id
str
Account ID of the service ID(s) to query. This parameter is required (unless using a pagetoken).
name
str
Name of the service ID(s) to query. Optional.20 items per page. Valid range is 1 to 100.
pagesize
int
Optional size of a single page. Default is 20 items per page. Valid range is 1 to 100.
pagetoken
str
Optional Prev or Next page token returned from a previous query execution. Default is start with first page.
sort
str
Optional sort property, valid values are name, description, created_at and modified_at. If specified, the items are sorted by the value of this property.
order
str
Optional sort order, valid values are asc and desc. Default: asc.

Allowable values: [asc,desc]
Default: asc
include_history
bool
Defines if the entity history is included in the response.

Default: false

Example request

curl -X GET 'https://iam.cloud.ibm.com/v1/serviceids?account_id=ACCOUNT_ID&name=My-serviceID' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'

Example request

listServiceIdsOptions := iamIdentityService.NewListServiceIdsOptions()
listServiceIdsOptions.SetAccountID(accountID)
listServiceIdsOptions.SetName(serviceIDName)

serviceIDList, response, err := iamIdentityService.ListServiceIds(listServiceIdsOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(serviceIDList, "", "  ")
fmt.Println(string(b))

Example request

ListServiceIdsOptions listServiceIdsOptions = new ListServiceIdsOptions.Builder()
    .accountId(accountId)
    .name(serviceIdName)
    .build();

Response<ServiceIdList> response = service.listServiceIds(listServiceIdsOptions).execute();
ServiceIdList serviceIdList = response.getResult();

System.out.println(serviceIdList);

Example request

const params = {
  accountId: accountId,
  name: serviceIdName,
};

try {
  const res = await iamIdentityService.listServiceIds(params)
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}

Example request

service_id_list = iam_identity_service.list_service_ids(
  account_id=account_id, name=serviceid_name
).get_result()

print(json.dumps(service_id_list, indent=2))

Response

Response Body

ServiceIdList

Response body format for the list service ID V1 REST request.

ServiceIdList

Response body format for the list service ID V1 REST request.

ServiceIdList

Response body format for the list service ID V1 REST request.

ServiceIdList

Response body format for the list service ID V1 REST request.

ServiceIdList

Response body format for the list service ID V1 REST request.

Status Code

200
Successful response. No further actions.
400
Parameter validation failed. Response if required parameters are missing or if parameter values are invalid.
401
The incoming request did not contain a valid authentication information.
403
The incoming request is valid but the user is not allowed to perform the requested action.
500
Internal Server error. Response if unexpected error situation happened.

Example responses

Status 200

{
  "offset": 0,
  "limit": 1,
  "first": {
    "href": "https://iam.cloud.ibm.com/v1/serviceids?account_id=accountId"
  },
  "next": {
    "href": "https://iam.cloud.ibm.com/v1/serviceids?pagetoken=pageToken"
  },
  "serviceids": {
    "id": "ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
    "iam_id": "iam-ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
    "entity_tag": "3-c46d2fd21b701adf7eb67cfd1a498fde",
    "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::serviceid:ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
    "locked": false,
    "created_at": "2020-10-16T10:36+0000",
    "modified_at": "2020-10-16T10:36+0000",
    "account_id": "100abcde100a41abc100aza678abc0zz",
    "name": "serviceId-test",
    "description": "serviceId-test",
    "unique_instance_crns": []
  }
}

Success example

{
  "offset": 0,
  "limit": 1,
  "first": {
    "href": "https://iam.cloud.ibm.com/v1/serviceids?account_id=accountId"
  },
  "next": {
    "href": "https://iam.cloud.ibm.com/v1/serviceids?pagetoken=pageToken"
  },
  "serviceids": {
    "id": "ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
    "iam_id": "iam-ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
    "entity_tag": "3-c46d2fd21b701adf7eb67cfd1a498fde",
    "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::serviceid:ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
    "locked": false,
    "created_at": "2020-10-16T10:36+0000",
    "modified_at": "2020-10-16T10:36+0000",
    "account_id": "100abcde100a41abc100aza678abc0zz",
    "name": "serviceId-test",
    "description": "serviceId-test",
    "unique_instance_crns": []
  }
}

Creates a service ID for an IBM Cloud account. Users can manage user API keys for themself, or service ID API keys for service IDs that are bound to an entity they have access to.

POST /v1/serviceids/

(iamIdentity *IamIdentityV1) CreateServiceID(createServiceIDOptions *CreateServiceIDOptions) (result *ServiceID, response *core.DetailedResponse, err error)

(iamIdentity *IamIdentityV1) CreateServiceIDWithContext(ctx context.Context, createServiceIDOptions *CreateServiceIDOptions) (result *ServiceID, response *core.DetailedResponse, err error)

ServiceCall<ServiceId> createServiceId(CreateServiceIdOptions createServiceIdOptions)

createServiceId(params)

create_service_id(self,
        account_id: str,
        name: str,
        *,
        description: str = None,
        unique_instance_crns: List[str] = None,
        apikey: 'ApiKeyInsideCreateServiceIdRequest' = None,
        entity_lock: str = None,
        **kwargs
    ) -> DetailedResponse

Introduction

Endpoint URLs

Authentication

Auditing

Error handling

Additional headers

Methods

Get API keys for a given service or user IAM ID and account ID

Authorization

Request

Custom Headers

Authorization

Query Parameters

account_id

iam_id

pagesize

pagetoken

scope

type

sort

order

include_history

parameter

ctx

ListApiKeysOptions

AccountID

IamID

Pagesize

Pagetoken

Scope

Type

Sort

Order

IncludeHistory

ListApiKeysOptions

accountId

iamId

pagesize

pagetoken

scope

type

sort

order

includeHistory

parameters

accountId

iamId

pagesize

pagetoken

scope

type

sort

order

includeHistory

parameters

account_id

iam_id

pagesize

pagetoken

scope

type

sort

order

include_history

Response

Response Body

apikeys

context

offset

limit

first

previous

next

ApiKeyList

Context

TransactionID

Operation

UserAgent

URL

InstanceID