Authenticating with IBM Cloudant FAQ

What is the difference between IBM Cloudant legacy and IAM access controls?

Why is the Use only IAM mode preferred?

The Use only IAM mode means that only IAM credentials are provided through service binding and credential generation. You gain the following advantages when you use IBM Cloud IAM:

• Managing access to IBM Cloudant with the standard tooling of IBM Cloud.
• Using credentials that you can easily revoke and rotate when you use IBM Cloud IAM.

For more information about the advantages and disadvantages between these modes, see Advantages and disadvantages of the two access control mechanisms.

How can I create an instance by using the command line?

When you create a new IBM Cloudant instance from the command line, you must include the ibmcloud tool by using the -p parameter. This parameter enables or disables legacy credentials for an account by passing the option in JSON format. The option is called legacyCredentials.

To create an instance as Use only IAM, run the following command:

ibmcloud resource service-instance-create  "Instance Name" \
    cloudantnosqldb Standard us-south \
    -p '{"legacyCredentials": false}'

If you don't use Use only IAM mode when you use the IAM Reader and Writer roles, you might grant users legacy credentials with more access permissions than you intended.

How can I generate service credentials?

You can generate service credentials in the primary IBM Cloud IAM interface. When you select Use only IAM, service credentials include only IAM values. The service credential JSON looks like the following example:

{
  "apikey": "MxVp86XHkU82Wc97tdvDF8qM8B0Xdit2RqR1mGfVXPWz",
  "host": "2922d728-27c0-4c7f-aa80-1e59fbeb04d0-bluemix.cloudant.com",
  "iam_apikey_description": "Auto generated apikey during resource-key [...]",
  "iam_apikey_name": "auto-generated-apikey-050d21b5-5f[...]",
  "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
  "iam_serviceid_crn": "crn:v1:staging:public:iam-identity::[...]",
  "url": "https://76838001-b883-444d-90d0-46f89e942a15-bluemix.cloudant.com",
  "username": "76838001-b883-444d-90d0-46f89e942a15-bluemix"
}

The values for the previous example are described in the following list:

apikey

IAM API key.

host

The DNS that resolves domain names with their corresponding IP addresses.

iam_apikey_description

Description of IAM API key.

iam_apikey_name

ID of IAM API key.

iam_role_crn

The IAM role that the IAM API key has.

iam_serviceid_crn

The CRN of service ID.

url

IBM Cloudant service URL.

username

The internal IBM Cloudant account name.

For more information, see IBM Cloud API keys and Use only IAM.

How do I rotate my credentials?

In most cases, rotating credentials is a straight-forward process:

1. Generate a replacement service credential. For more information, see How can I generate service credentials?.

2. Replace the current credential with the newly generated credential.

3. Delete the no-longer-used service credential.

However, when you rotate the credentials for a replication, if you are using legacy credentials in the replication document, the replication starts from the beginning. To ensure that changes arrive in a timely manner, we advise you to create a new replication once it catches up with deleting the previous replication and the associated service credential. The process is described in the following steps:

1. Generate a replacement service credential. For more information, see How can I generate service credentials?.

2. Create a replication with the same settings but new credentials.

3. Monitor the new replication by using Active Tasks, or you can use _scheduler/jobs.

4. Once the changes_pending field for the new replication is a suitably low value for your requirements, the replication that uses the previous credentials can be deleted.

5. Delete the no-longer-used service credential.

Replications that use IAM API keys can be updated to use a new API key directly, without delaying the changes that are replicating.