Getting the Object Storage credentials
To work with Object Storage in IBM Analytics Engine, you need the Object Storage credentials which can be the:
- API key: The IAM API key and the Object Storage service endpoint
- HMAC keys: The access key, secret key and the Object Storage service endpoint
Access management in Object Storage
To securely authenticate to Object Storage, you need to understand the concepts of Identity and Access Management (IAM), and how and when to use service credentials and API keys in the context of Object Storage. As the service administrator, IAM offers you flexibility and fine-grained access control to a service instance and its resources, both for direct platform access and for service API calls. See IAM overview.
The following diagram illustrates access management to Object Storage.
As the Object Storage administrator, you can:
Creating service IDs
When you create service IDs to access an Object Storage service instance, the IDs are Object Storage service IDs and not IDs tied to a user.
As system administrator, you can:
- Create service IDs with access rights at instance level. You determine the degree of access to all Object Storage buckets in the instance by assigning a service access role to the credential. This can be the Reader, Writer or Manager role. If needed, you can create several service IDs for the same instance with different access roles. See Creating a service ID at instance level.
- Create service IDs with access rights at bucket level. You specify the Object Storage buckets in the instance that can be accessed by the service ID. Here too, if needed, you can create several service IDs with access rights to different buckets. See Creating a service ID at bucket level.
Sharing service IDs
The service ID credentials can readily be used by one user. However, if the Object Storage instance needs to be shared by more than one user, you as the Object Storage service administrator can:
- Share the service ID credentials with other users
- Share the Object Storage instance itself (at platform level) with other users, enabling these users to see the credentials for themselves
Structure of service IDs
When you, as user of Object Storage, view the service ID credentials of a provisioned service, you will see something like what is shown in the following example:
```json
{
  "apikey": "asdf1234...",
  "cos_hmac_keys": {
    "access_key_id": "a1b2c3...",
    "secret_access_key": "ZYX31..."
  },
  "endpoints": ...
}
```
To configure IBM Analytics Engine to work with Object Storage, you need the API key or the HMAC keys. See API key versus HMAC keys.
Service endpoints
As a user of Object Storage, you not only need to know the API key or the HMAC keys to configure Object Storage, but also the IBM Analytics Engine service endpoints to connect to Object Storage. See Selecting regions and endpoints for help on which endpoints to use based on your Object Storage bucket type, such as regional versus cross-regional.
You can also view the endpoints across regions for your Object Storage service by selecting the service on your IBM Cloud® dashboard and clicking Endpoint in the navigation pane. Always choose the direct endpoint.
Direct endpoints provide better performance and do not incur charges. An example of an endpoint for the US-South cross-region is:
s3.direct.us.cloud-object-storage.appdomain.cloud
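As an added example (not part of the original IBM documentation), the following Python helper reads a service credential of the structure shown above, picks out either the IAM API key or the HMAC key pair, and refuses any endpoint that is not of the direct form recommended here; the sample credential values and the `select_credentials`/`redact` function names are constructed for this illustration.

```python
import json
import re

# Constructed sample of a service credential with the structure shown on this page.
# All values are fake placeholders.
SAMPLE_SERVICE_CREDENTIAL = json.dumps({
    "apikey": "asdf1234-EXAMPLE",
    "cos_hmac_keys": {
        "access_key_id": "a1b2c3-EXAMPLE",
        "secret_access_key": "ZYX31-EXAMPLE",
    },
    "endpoints": "https://control.cloud-object-storage.cloud.ibm.com/v2/endpoints",
})

# Direct endpoints look like s3.direct.<region>.cloud-object-storage.appdomain.cloud
DIRECT_ENDPOINT_RE = re.compile(
    r"^s3\.direct\.(?:[a-z0-9-]+\.)+cloud-object-storage\.appdomain\.cloud$"
)


def is_direct_endpoint(endpoint: str) -> bool:
    """True when the host is a direct endpoint (better performance, no charges)."""
    host = endpoint.split("://")[-1].rstrip("/")
    return bool(DIRECT_ENDPOINT_RE.match(host))


def select_credentials(service_credential_json: str, method: str, endpoint: str) -> dict:
    """Return only the fields needed for the chosen method: "api_key" or "hmac"."""
    cred = json.loads(service_credential_json)
    if not is_direct_endpoint(endpoint):
        raise ValueError(f"refusing non-direct endpoint: {endpoint}")
    if method == "api_key":
        if "apikey" not in cred:
            raise KeyError("service credential has no IAM API key")
        return {"iam_api_key": cred["apikey"], "endpoint": endpoint}
    if method == "hmac":
        hmac = cred.get("cos_hmac_keys")
        if not hmac:  # credential was created without HMAC keys
            raise KeyError("service credential has no HMAC keys")
        return {"access_key": hmac["access_key_id"],
                "secret_key": hmac["secret_access_key"], "endpoint": endpoint}
    raise ValueError(f"unknown method: {method}")


def redact(config: dict) -> dict:
    """Mask secret-bearing fields before a config is logged or displayed."""
    secrets = {"iam_api_key", "secret_key"}
    return {k: ("****" if k in secrets else v) for k, v in config.items()}
```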
Inviting users and granting permissions
If you, as Object Storage administrator, do not want to create and share the service credentials, you can invite users to your Object Storage account and grant them permissions by using access policies on Object Storage buckets. The invited users access your account by using their IBM Cloud® API keys. See Assigning access to user groups.
Structure of the API key
When you, as user of Object Storage, view an API key in IBM Cloud®, you will notice that it has the following structure:
```json
{
  "name": "MyAPIKey",
  "description": "",
  "createdAt": "2019-07...",
  "apiKey": "lipsum999..."
}
```
If you need an API key to use with Object Storage, see Creating an API key.
Summary
The following table shows you which access method to the Object Storage service to select for the action you want to carry out.
| Action | Type: Service ID | Type: API key |
|---|---|---|
| Create credentials | Service administrator | Service users |
| Grant access permissions | Service administrator | Service administrator |
| Select credential type | HMAC and IAM API keys | IAM API key only |
| Control access for user roles and data buckets | Yes | Yes |