Using trusted profiles to authorize a project to deploy an architecture

Some services can't fully configure and deploy architectures by using trusted profiles. For more information, see Known issues and limitations for projects.

When you configure your deployable architecture, you are required to select an authentication method. A project can apply a trusted profile, which grants the project access to deploy an architecture in the account where the trusted profile exists. This way, you can securely deploy an architecture without the need for key rotation.

The project uses the trusted profile to create a service ID with the same permissions as the trusted profile and a fresh API key for that service ID to authorize each deployment. Because the temporary API key exists only for the lifetime of the operation, it is harder to misuse than a long-lived key. The trusted profile needs access to create a service ID and to create and delete API keys for that service ID, as well as access to deploy the deployable architecture.

Deploying an architecture in your account or another account

You can deploy an architecture in your own account or in another account, also called a target account, by using trusted profiles.

Depending on your organization, deploying an architecture might require access to another account by using a trusted profile and coordinating with administrators in multiple accounts. If the IBM Cloud Projects service in another account needs access to your account to deploy an architecture, use trusted profiles and service IDs to authorize deployments in your account.

Before you begin

Make sure that you create the trusted profile in the account where you want to deploy the architecture. If you have the following access, you can create trusted profiles:

  • Account owner
  • Administrator role on all account management services
  • Administrator role on the IAM Identity Service. For more information, see IAM Identity service.

All users have access to create a service ID in an account of which they are a member.

Creating an access group for the trusted profile

With access groups, you can streamline the access assignment process so that you can manage fewer policies in an account, which in turn increases performance. Your trusted profile inherits the access policies that you assigned to the access group. For more information, go to Access groups.

If you don't already have one, create an access group for your trusted profile that can do the following:

  • Create a service ID
  • Create and delete API keys for the service ID
  • Deploy the deployable architecture

  1. Click Manage > Access (IAM), and select Access groups.

  2. Click Create.

  3. Provide a name and optionally, a description for the access group.

  4. Click Create.

  5. Within the access group, click Access.

  6. Click Assign access.

  7. Create a policy that grants access to create service IDs and manage service ID API keys:

    1. Select the IAM Identity Service and click Next.
    2. Select All resources and click Next.
    3. Select the Service ID Creator role, the User API key creator role, and the Administrator role and click Next.
    4. Click Add.

    This enables the project to generate a unique, temporary API key for each deployment, avoiding the need to manually rotate API keys. For more information, see Required access for managing service ID API keys.

  8. Create a policy that grants access to manage access groups. This policy is needed to assign a temporary service ID to the same access group as the trusted profile:

    1. Select the IAM Access Groups Service and click Next.
    2. Select All resources and click Next.
    3. Select the Administrator role and click Next.
    4. Click Add.

  9. Create policies that grant access to deploy the architecture. These policies can vary depending on the deployable architecture.

    You can choose from a few approaches to grant the service ID access to authorize deployments in your account. See Granting wide-ranging access, Granting specific access, or Granting specific access to existing resources for more information.

  10. Click Assign.

Granting wide-ranging access

Grant the trusted profile Administrator access to everything in the account by assigning two policies. Consider this option if you plan to deploy many deployable architectures to the same target account. Deployable architectures usually require extensive privileges in the target account since they typically deploy and configure a wide range of services and IAM policies on those services. You can use the same trusted profile for different deployable architectures across projects, eliminating the need to continuously update the trusted profile's access policies.

It's secure and convenient to give the trusted profile a wide range of access because the profile contains only a platform service, and not users. Projects also have many governance checks already in place, including pre-deployment validation and a required approval process. By granting Administrator access now, you don't need to update the policy for the multiple deployable architectures that you might use that require different levels of access. This is more secure than directly authorizing a user to have any privileges in the target account.

To grant wide-ranging access, assign two more policies to the access group. Complete the following steps:

  1. To create the first policy, select All Identity and Access enabled services and click Next.
    1. Select All resources and click Next.
    2. For the resource group access, select the Administrator role and click Next.
    3. Select the Manager service role and the Administrator platform role.
    4. Click Add.
  2. For the second policy, select All Account Management services and click Next.
    1. Select the Administrator role and click Next.
    2. Click Add.
  3. Click Assign.

Granting specific access based on the deployable architecture

Grant the trusted profile the minimum required access role for the configuration that you're deploying. Choose this option if you have one or only a few deployable architectures with the same access requirements that you plan to deploy to the same target account.

View the catalog page for specific access roles that are required for a given deployable architecture.

  1. In the IBM Cloud console, click Catalog.

  2. Search for and select the deployable architecture that you're deploying.

  3. Click Permissions to view the required access roles.

    You must be logged in to IBM Cloud to view the Permissions tab.

  4. Continue by assigning the required access roles that you viewed in the previous step.

    Assign policies to the access group that the trusted profile is assigned to.

  5. Click Assign.

Granting specific access to existing resources

If you are using a trusted profile to organize existing resources in a project, you can grant the trusted profile access to specific resources, as opposed to all of them. Choose this option if you want to limit which existing resources a project can manage.

To grant specific access to existing resources, assign two more policies to the access group that the trusted profile is assigned to. Complete the following steps:

  1. To create the first policy, select All Identity and Access enabled services and click Next.
    1. Select Specific resources, scope the access to the resources you want, and click Next.
    2. For the resource group access, select the Administrator role and click Next.
    3. Select the Manager service role and the Administrator platform role.
    4. Click Add.
  2. For the second policy, select Identity and Access Management and click Next.
    1. Select All resources and click Next.
    2. Select the Administrator role and click Next.
    3. Click Add.
  3. Click Assign.

Creating the trusted profile

After you create the access group and assign policies to it, create the trusted profile and add it to the access group. The trusted profile inherits the access policies that are assigned to the access group.

Complete the following steps:

  1. Find the project CRN. The CRN is used to authorize deployments to a target account.

    • To find the project CRN while you're editing a project configuration, click the tooltip icon on the trusted_profile_id field and copy the CRN.
    • Otherwise, go to Menu > Projects and click the relevant project. Click Manage > Details and copy the CRN.
  2. Confirm that you are in the target account to which the project deploys.

  3. In the IBM Cloud® console, click Manage > Access (IAM), and select Trusted profiles.

  4. Click Create.

  5. Describe your profile by providing a name and a description, then click Continue.

    In the description, provide a list of actions available for this trusted profile.

  6. Select IBM Cloud services.

  7. Input the CRN from step 1.

  8. In the description, enter the project name and any relevant notes.

  9. Click Continue.

  10. Select the access group that contains the policies that your trusted profile requires and click Add.

  11. Click Create.

Creating the service ID

After you create the trusted profile, it auto-generates a service ID. The service ID name begins with iam-Profile, ends with platform-project-access, and includes the ID of the trusted profile in between. If the service ID is ever deleted, it's re-created the next time that the trusted profile is used.
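Because each deployment should leave behind no long-lived credential, an account administrator may want to audit the auto-generated service ID for API keys that outlived their deployment. The following added example (not IBM Cloud's own code) applies the naming pattern described above to a constructed inventory of service IDs and API keys; the record shape (name, iam_id, created_at) and the sample values are assumptions for this example, and the 24-hour threshold is an arbitrary choice.

```python
"""Flag leftover per-deployment API keys on trusted-profile service IDs.

Added example, not IBM Cloud's own code. The record shape (name, iam_id,
created_at) and all sample values below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Auto-generated service ID names begin with iam-Profile and end with
# platform-project-access, with the trusted profile ID in between.
PROJECT_SVC_ID_RE = re.compile(r"^iam-Profile.*platform-project-access$")


def project_service_ids(service_ids):
    """Return the service ID records that a trusted profile auto-generated."""
    return [s for s in service_ids if PROJECT_SVC_ID_RE.match(s["name"])]


def stale_project_keys(service_ids, api_keys, now, max_age=timedelta(hours=24)):
    """Return names of API keys on project service IDs that are older than max_age.

    A per-deployment key should exist only for the lifetime of the deployment;
    an older key suggests a failed cleanup or a key created out of band.
    """
    project_iam_ids = {s["iam_id"] for s in project_service_ids(service_ids)}
    stale = []
    for key in api_keys:
        if key["iam_id"] not in project_iam_ids:
            continue
        created = datetime.fromisoformat(key["created_at"].replace("Z", "+00:00"))
        if now - created > max_age:
            stale.append(key["name"])
    return stale


# Constructed sample inventory (placeholder identifiers, not real ones).
SERVICE_IDS = [
    {"name": "iam-ProfileEXAMPLE123platform-project-access", "iam_id": "iam-ServiceId-aaa"},
    {"name": "ci-runner", "iam_id": "iam-ServiceId-bbb"},
]
API_KEYS = [
    {"name": "deploy-run-1", "iam_id": "iam-ServiceId-aaa", "created_at": "2024-01-01T10:00:00Z"},
    {"name": "deploy-run-2", "iam_id": "iam-ServiceId-aaa", "created_at": "2024-01-10T09:30:00Z"},
    {"name": "ci-key", "iam_id": "iam-ServiceId-bbb", "created_at": "2023-06-01T00:00:00Z"},
]
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def audit():
    """Run the check over the constructed sample; only deploy-run-1 is stale."""
    return stale_project_keys(SERVICE_IDS, API_KEYS, NOW)


if __name__ == "__main__":
    print(audit())  # ['deploy-run-1']
```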

Coordinating with the administrator on the IBM Cloud Projects service

The project user who edits the architecture configuration needs identifying information for the trusted profile that you created to complete the authorization. Users need the Operator role or higher on the IBM Cloud Projects service to edit a configuration.

To retrieve the trusted profile ID value, complete the following steps.

Finding the trusted profile ID

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Trusted profiles.
  2. Select the profile that you created for the deployable architecture authorization.
  3. Click Details.
  4. Copy the Profile ID that begins with Profile.
  5. Give this ID to the relevant project user.