Managing access for IBM Cloudant
IBM Cloud® Identity and Access Management provides a unified approach to managing user identities, services, and access control.
The following text describes the integration of IBM® Cloudant® for IBM Cloud® with IBM Cloud Identity and Access Management. The following topics are discussed:
- Differences between IBM Cloudant legacy access controls and IBM Cloud IAM access controls.
- Advantages and disadvantages of each to help you decide which to use.
- How to use IAM within IBM Cloudant's client libraries by using HTTP calls.
- Description of the IAM actions and roles available within IBM Cloudant.
For more information, see an overview of IAM that includes the following topics:
- Manage user and service IDs.
- Manage available credentials.
- Use IAM access policies that allow and revoke access to IBM Cloudant service instances.
Differences between IBM Cloudant legacy access controls and IAM access controls
The following section provides a brief overview of the differences between IBM Cloudant legacy access controls and IBM Cloud IAM's access control mechanisms.
IBM Cloud Identity and Access Management
- Centrally managed access management across IBM Cloud.
- Allow a user or service to access many different resources by using the same set of credentials (for example, same username and password or IAM API key).
- IAM API keys can be granted access to account management functions, like creating new databases.
IBM Cloudant legacy access controls
- Unique to IBM Cloudant.
- Access to each service instance requires its own set of credentials.
- Uses HTTP basic authentication with credentials that are not bound to an individual user or service.
- IBM Cloudant API keys can be granted permissions only at a database level.
API key notes
In this document, wherever API keys are mentioned it refers to IAM API keys. IBM Cloudant legacy access controls also have a concept of API keys, and any discussion about IBM Cloudant legacy credentials or username and password combinations also includes IBM Cloudant API keys.
Enabling IAM with IBM Cloudant
All IBM Cloudant service instances provisioned July 2018 or later are provisioned in Resource Groups and are enabled with IBM Cloud IAM. Optionally, you can choose to also enable the IBM Cloudant legacy authentication mechanism. When you provision a new IBM Cloudant instance from the IBM Cloud catalog, select one of the following authentication methods.
- Use both legacy credentials and IAM
- This mode means that both IAM and legacy credentials can be used to access the account. In particular, both IAM and legacy sets of credentials are provided to all applications bound to the account and service credentials generated.
- Use only IAM
- This mode means that only IAM credentials are provided by using Service binding and credential generation.
When you use IAM roles other than Manager, such as Reader, Writer, Monitor, or Checkpointer, you must use Use only IAM to avoid supplying users with legacy
credentials that include greater access permissions.
IBM Cloudant service instances that are provisioned previously in a Cloud Foundry org and space can be migrated to a Resource Group. After you migrate to a Resource Group, the instance is enabled with IBM Cloud IAM. For more information, see the Resource Groups FAQ about how to migrate.
IBM Cloudant API keys and Use only IAM
Use of IBM Cloudant API keys alongside IAM is possible but not recommended. This recommendation is made because IBM Cloudant API keys and permissions are not visible or manageable by using the IAM policy interface, rendering holistic access management impossible.
The choice between Use only IAM or Use both legacy credentials and IAM affects the following factors:
- Whether legacy IBM Cloudant account-level credentials are available to manage databases and other account-level actions.
- The style of credentials that are delivered during service credential generation.
In particular, IBM Cloudant API keys can still be used to manage database access. These credentials must be generated and configured by using the HTTP API.
Provisioning by using the command line
When you provision a new IBM Cloudant instance from the command line, provide an option to the ibmcloud tool by using the -p parameter to enable or disable legacy credentials for an account. The option is passed in
JSON format and is called legacyCredentials.
To provision an instance as Use only IAM (recommended), run the following command:
ibmcloud resource service-instance-create "Instance Name" \
cloudantnosqldb Standard us-south \
-p {"legacyCredentials": false}
When you use IAM roles other than Manager, such as Reader, Writer, Monitor, or Checkpointer, you must use Use only IAM to avoid supplying users with
legacy credentials that include greater access permissions.
To provision an instance as Use both legacy credentials and IAM, run the following command:
ibmcloud resource service-instance-create "Instance Name" \
cloudantnosqldb Standard us-south \
-p {"legacyCredentials": true}
Service credential JSON examples for each option
The choice between Use only IAM and Use both legacy credentials and IAM access control affects how credentials are delivered to your application when you bind and generate service credentials. When you generate credentials within the primary IBM Cloud IAM interface, API keys are shown in that interface when generated.
You can also generate credentials from the Service Credentials section of a service instance. Generating service credentials this way creates a service credentials JSON blob that can be pasted into applications with all the details that are needed to access the service instance.
Next, you can see what the service credential JSON looks like and what each value means.
When you select Use only IAM, the service credentials that are generated contain only IAM values, and look like the following example.
{
"apikey": "MxVp86XHkU82Wc97tdvDF8qM8B0Xdit2RqR1mGfVXPWz",
"iam_apikey_description": "Auto generated apikey during resource-key [...]",
"iam_apikey_name": "auto-generated-apikey-050d21b5-5f[...]",
"iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
"iam_serviceid_crn": "crn:v1:staging:public:iam-identity::[...]",
"url": "https://76838001-b883-444d-90d0-46f89e942a15-bluemix.cloudant.com",
"username": "76838001-b883-444d-90d0-46f89e942a15-bluemix"
}
Each value in the previous JSON example must be interpreted by using the following definitions:
apikey- IAM API key.
iam_apikey_description- Description of IAM API key.
iam_apikey_name- ID of IAM API key.
iam_role_crn- The IAM role that the IAM API key has.
iam_serviceid_crn- The CRN of service ID.
url- IBM Cloudant service URL.
username- The internal IBM Cloudant account name.
When you select Use both legacy credentials and IAM, the service credentials that are generated contain both IAM and legacy credentials, and look like the values in the following example.
{
"apikey": "MxVp86XHkU82Wc97tdvDF8qM8B0Xdit2RqR1mGfVXPWz",
"host": "76838001-b883-444d-90d0-46f89e942a15-bluemix.cloudant.com",
"iam_apikey_description": "Auto generated apikey during resource-key [...]",
"iam_apikey_name": "auto-generated-apikey-050d21b5-5f[...]",
"iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
"iam_serviceid_crn": "crn:v1:staging:public:iam-identity::[...]",
"password": "8fb6a16b48903e87b769e7f4968521e85c2394ed8f0e69b2769e56dcb27d2e76",
"port": 443,
"url": "https://<username>:<password>@76838001-b883-444d-90d0-46f89e942a15-bluemix.cloudant.com",
"username": "apikey-v2-58B528DF5397465BB6673E1B79482A8C"
}
Each value in the previous JSON example must be interpreted by using the following definitions:
apikey- IAM API key.
host- IBM Cloudant service hostname.
iam_apikey_description- Description of IAM API key.
iam_apikey_name- ID of IAM API key.
iam_role_crn- The IAM role that the IAM API key has.
iam_serviceid_crn- The CRN of service ID.
password- The IBM Cloudant legacy credential password.
port- IBM Cloudant service port.
url- IBM Cloudant service URL, including embedded IBM Cloudant legacy credentials.
username- The IBM Cloudant legacy credential username.
Note the included username and password are always equivalent to IAM's Manager credentials. Therefore, the use of Use both legacy credentials and IAM is insecure when used with Reader, Writer,
Monitor, or Checkpointer IAM roles.
Must I use Use only IAM or Use both legacy credentials and IAM?
If possible, Use only IAM is preferred. The major advantages for using IBM Cloud IAM are shown in the following list:
- Management of access to IBM Cloudant with the standard tools of IBM Cloud rather than a combination of IBM Cloud and IBM Cloudant-specific credential management.
- Credentials can be easily revoked and rotated when you use IBM Cloud IAM.
Further description of the advantages and disadvantages of each approach follows.
When you use IAM roles other than Manager, such as Reader, Writer, Monitor, or Checkpointer, you must use Use only IAM to avoid supplying users with legacy
credentials that include greater access permissions.
Advantages and disadvantages of the two access control mechanisms
Overall, IBM Cloud IAM is the recommended authentication model. However, the primary disadvantages to the approach are if you have an existing application or are unable to use an IBM Cloudant-supported client library.
Advantages of IAM mode
- Manage access for many services by using one interface.
- Revoke access to a user globally.
- Account-level API keys that use service IDs.
- Easy-to-rotate credentials.
- Activity Tracker logs capture individual humans and services.
- IAM federates with other identity systems, like enterprise LDAP repositories.
- Fine-grained permissions (for example,
Reader,Writer,Monitor, orCheckpointer).
Disadvantages of IAM mode
- If you are not using the supported libraries from IBM Cloudant, application changes are likely to be required to use IAM's API keys and access tokens.
- No database-level permissions (yet).
- Some endpoints are not available. For more information, see unavailable endpoints.
- No way to specify a database as "public", that is, not requiring an authorized user to access.
Advantages of legacy mode
- No need to change existing applications or client library dependencies.
- Database-level permissions.
Disadvantages of legacy mode
- Separate management of IBM Cloudant credentials, so unable to get full overview of all access within centralized interface.
Create a replication job by using IAM credentials only
Follow these instructions to generate IAM API keys, generate the bearer token, create the _replicator database, and create the replication job.
Generating IAM API keys for Source and Target and one for IBM Cloudant API access
In this exercise, the first two API keys are created so that the two instances can talk to each other during the replication process. The third API key is for the user to access the IBM Cloudant API, create the _replicator database,
and then add the replication document to it.
Follow these steps to generate IAM API keys and API access for IBM Cloudant. You must write down the credentials that are requested in the following steps to continue with the example.
Ensure that you select the specified instance, either the Source or Target.
-
Log in to
cloud.ibm.com. -
From the Resource list, select Services and your Source instance.
-
Click Service credentials and click New credential.
-
Name the new credential
replicator-source, and select the Manager role. -
Click Add, and make note of its
apikey, which is under View Credentials in the Actions column.
-
-
Repeat steps 2 through 2.c. for the Target instance.
-
Create a credential called
replicator-targetwith the Manager role. -
Make note of its IAM API key, which is under View Credentials in the Actions column.
-
-
Select the Source instance, and click Service credentials and New credential.
-
Name the new credential
apiaccess, and select the Manager role. -
Make note of the actual IAM API key under View Credentials in the Actions column.
-
-
Make note of Source and Target instance URLs.
Depending on your workflow, instead of creating a service-level credential (step 4), you can use a personal IAM API key, as detailed in Creating an API key.
You can also complete these steps on the command line by using the IBM Cloud CLI tool chain.
Generating a bearer token to authenticate against the IBM Cloudant API
In step 4.b., you wrote down the apiaccess key. Use that key now:
curl -k -X POST \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "Accept: application/json" \
--data-urlencode "grant_type=urn:ibm:params:oauth:grant-type:apikey" \
--data-urlencode "apikey=aSCsx4...2lN97h_2Ts" \
"https://iam.cloud.ibm.com/identity/token"
The apiaccess key returns the following information (abbreviated):
{
"access_token": "eyJraWQiOiIyMDE5MD...tIwkCO9A",
"refresh_token": "ReVbNrHo3UA38...mq67g",
"token_type": "Bearer",
"expires_in": 3600,
"expiration": 1566313064,
"scope": "ibm openid"
}
Create an environment variable to save some typing by using the value under the access_token key in the response data:
export TOK="Bearer eyJraWQiOiIyMDE5MD...tIwkCO9A"
Creating the _replicator database on the Source side
URL is the Source instance URL that you previously wrote down in step 4.b.
curl -k -X PUT \
-H"Content-type: application/json" \
-H'Authorization: '"$TOK"'' \
'https://d43caf1b-e2c8-4d3e-9b85-1d04839fa68f-bluemix.cloudant.com/_replicator'
See the results in the following example:
{"ok": "true"}
Creating the replication job
Create a file called data.json that contains the following information. The two keys are the Source and Target API keys that are created in the beginning, and the Source and Target instance URLs, with database names added.
{
"source": {
"url": "https://d43caf1b-e2c8-4d3e-9b85-1d04839fa68f-bluemix.cloudant.com/source",
"auth": {
"iam": {
"api_key": "xju1...TxuS"
}
}
},
"target": {
"url": "https://dbc68dd8-f69f-4083-97dd-bf0a3e1a467a-bluemix.cloudant.com/target",
"auth": {
"iam": {
"api_key": "UElc7...QIaL01Bjn"
}
}
},
"create_target": true,
"continuous": true
}
Now, write a replication document called source_dest to the _replicator database on the Source instance.
curl -k -X PUT \
-H"Content-type: application/json" \
-H'Authorization: '"$TOK"'' \
'https://d43caf1b-e2c8-4d3e-9b85-1d04839fa68f-bluemix.cloudant.com/_replicator/source_dest' -d@data.json
See the results in the following example:
{"ok":true,"id":"source_dest","rev":"1-89b01e42968acd5944ed657b87c49f0c"}
Removing IBM Cloudant legacy credentials from an instance
IBM Cloud IAM is the recommended authentication model. For security purposes, you can request to remove the IBM Cloudant legacy credentials so that only IAM authentication can be used for the instance. The correct process to remove legacy credentials is shown in the following steps:
-
Ensure that the IBM Cloudant instance has IAM authentication that is enabled. If the instance is deployed in a Cloud Foundry org and space, migrate it to a Resource Group by using the Resource Groups FAQ.
-
Update your application to use IAM authentication instead of IBM Cloudant legacy authentication.
-
Generate new service credentials as needed.
-
Open a new IBM Cloud support case that requests the removal of IBM Cloudant legacy credentials for your instance. Include the username of the instance as shown in the service credentials. For more information, see Locating your service credentials.
-
After support replies that the legacy credentials were removed, any service credentials that were created before removal contain legacy username and password details that no longer work. It is recommended to remove any of these service credential entries.
Making requests to instances by using IAM credentials
Now, the following section describes how to use IBM Cloudant with service instances through IAM authentication. It uses the details from the Service credential JSON examples for each option.
IBM Cloud IAM requires that an IAM API key is exchanged for a time-limited access token before you make a request to a resource or service. The access token is then included in the Authorization HTTP header to the service. When
the access token expires, the consuming application must handle getting a new one from the IAM token service. For more information, see Getting an IBM Cloud IAM token by using an API key documentation for more details.
IBM Cloudant's official client libraries handle obtaining a token from an API key for you. You can access IBM Cloudant directly by using an HTTP client rather than an IBM Cloudant client library. However, you must handle exchanging and refreshing
a time-limited access token by using an IAM API key with the IAM token service. After a token expires, IBM Cloudant returns an HTTP 401 status code.
Required client library versions
IAM connectivity is available in the latest release of all supported client libraries. For more information, see Client libraries.
Java
The following link provides the latest supported version of the IBM Cloudant Java™ library:
For an example that uses IBM Cloudant SDK for Java, see the API and SDK documentation.
Node.js
The following link provides the latest supported version of the IBM Cloudant Node.js library:
For an example that uses IBM Cloudant SDK for Node, see the API and SDK documentation.
Python
The following link provides the latest supported version of the IBM Cloudant Python library:
For an example that uses IBM Cloudant SDK for Python, see the API and SDK documentation.
Go
The following link provides the latest supported version of the IBM Cloudant Go library:
For an example that uses IBM Cloudant SDK for Go, see the API and SDK documentation.
Access by using HTTP client
IBM Cloud IAM requires that an IAM API key is exchanged for a time-limited access token before you make a request to a resource or service. The access token is then included in the Authorization HTTP header to the service. When
the access token expires, the client must handle getting a new one from the IAM token service.
As stated previously, if you use IBM Cloud IAM, it requires that you first exchange an IBM API key for a time-limited access token. After that, you use the token to authenticate against the IBM Cloudant API.
In Python, an example might look like:
import time
import requests
API_KEY = "MxVp86XHkU82Wc97tdvDF8qM8B0Xdit2RqR1mGfVXPWz"
ACCOUNT = "76838001-b883-444d-90d0-46f89e942a15-bluemix"
def get_access_token(api_key):
"""Retrieve an access token from the IAM token service."""
token_response = requests.post(
"https://iam.cloud.ibm.com/identity/token",
data={
"grant_type": "urn:ibm:params:oauth:grant-type:apikey",
"response_type": "cloud_iam",
"apikey": api_key
},
headers={
"Accept": "application/json"
}
)
if token_response.status_code == 200:
print "Got access token from IAM"
return token_response.json()['access_token']
else:
print token_response.status_code, token_response.json()
return None
def main(api_key, account):
access_token = None
while True:
if not access_token:
access_token = get_access_token(api_key)
if access_token:
response = requests.get(
"https://{0}.cloudant.com/_all_dbs".format(account),
headers={
"Accept": "application/json",
"Authorization": "Bearer {0}".format(access_token)
}
)
print "Got Cloudant response, status code", response.status_code
if response.status_code == 401:
print "Token has expired."
access_token = None
time.sleep(1)
if __name__ == "__main__":
main(API_KEY, ACCOUNT)
Using IAM IP allowlisting with Cloudant
You can enable IAM IP address access restrictions when you're using IBM Cloudant.
To enable IAM IP address access restrictions, you must ensure that the Cloud Identity and Access Management (IAM) IP allowlist is configured so that the IBM Cloudant service can still function. IAM is used by IBM Cloudant when authenticating requests to the IBM Cloudant API that pass IAM credentials, and when running replications that are configured to authenticate using IAM API keys.
IAM tokens can be valid for up to 60 minutes. This means that changes to IAM IP allowlisting may not fully take effect until this validation period has expired, as allowlisting is only enforced at token creation time.
Creating a Network Zone
To add IBM Cloudant to your IAM access list, you must first create a Network Zone that includes the IBM Cloudant service.
To create a network zone, complete the following steps.
- In the IBM Cloud console, click Manage > Context-based restrictions, and select Network zones.
- Click Create.
- Enter a unique name (e.g.
cloudant-network) and, optionally, a description. - Under
Reference a service, select service typeIAM Servicesand serviceIBM Cloudant. Click Add to associate theIBM CloudantIP addresses with your network zone. - Click Next to review your network zone.
- Click Create.
Referencing the Network Zone in the IAM IP allowlist
The Network Zone created above, called cloudant-network, can now be used in your IAM IP allowlist.
- In the IBM Cloud console, click Manage > Access (IAM), and select Settings.
- From the Account section, enable the IP address access setting.
- In the
Allowed IP addressesfield, add the name of the Network Zone you created above (e.g.cloudant-network). - Click Save.
Roles and actions
The following tables include a complete list of IBM Cloudant's IAM roles and actions, and a mapping of what actions are allowed for each IAM system role.
IBM Cloudant roles
The following table lists the available IAM service roles for IBM Cloudant and a brief description of each.
| Role | Description |
|---|---|
Manager |
Includes the ability to access all endpoints and perform all administrative functions on an instance, such as creating databases, changing capacity, reading and writing data and indexes, and accessing the Dashboard. |
Writer |
Includes the ability to read and write to all databases and documents, but not able to create indexes. |
Reader |
Includes the ability to read all databases and documents, but not able to write new documents or create indexes. |
Monitor |
Includes the ability to read monitoring endpoints, such as _active_tasks and replication _scheduler endpoints. |
Checkpointer |
Includes the ability to write replication checkpointer _local documents. Required on source databases during replication. |
Manager is inclusive of all actions of Reader and Writer, and Writer is inclusive of all actions of Reader.
IBM Cloudant actions
The following table describes the available IAM actions and roles. For fine-grained authorization, you can use the roles of Manager, Reader, Writer, Monitor, or Checkpointer.
When you use IAM roles other than Manager, such as Reader, Writer, Monitor, or Checkpointer, you must use Use only IAM to avoid supplying users with
legacy credentials that include greater access permissions.
| Method | Endpoint | Action name |
|---|---|---|
GET/PUT |
/_api/v2/db/<path:db>/_security |
cloudantnosqldb.sapi.db-security |
GET |
/_api/v2/user/capacity/throughput |
cloudantnosqldb.capacity-throughput.read |
PUT |
/_api/v2/user/capacity/throughput |
cloudantnosqldb.capacity-throughput.write |
GET |
/_api/v2/user/current/throughput |
cloudantnosqldb.current-throughput.read |
GET |
/_api/v2/user/activity_tracker/events |
cloudantnosqldb.activity-tracker-event-types.read |
POST |
/_api/v2/user/activity_tracker/events |
cloudantnosqldb.activity-tracker-event-types.write |
POST |
/_api/v2/api_keys |
cloudantnosqldb.sapi.apikeys |
GET/POST |
/_api/v2/user/config/cors/ |
cloudantnosqldb.sapi.usercors |
GET/PUT |
/_api/v2/user/plan |
cloudantnosqldb.sapi.userplan |
GET |
/_api/v2/user/ccm_diagnostics |
cloudantnosqldb.sapi.userccmdiagnostics |
GET |
/_api/v2/user/last_activity |
cloudantnosqldb.sapi.lastactivity |
GET |
/_api/v2/support/tickets/$CASEID/files/$ATTACHMENTID |
cloudantnosqldb.sapi.supportattachments |
GET/POST |
/_api/v2/support/tickets |
cloudantnosqldb.sapi.supporttickets |
GET/PUT/DELETE |
/_api/v2/support/tickets/$CASEID |
cloudantnosqldb.sapi.supporttickets |
GET |
/_api/v2/user |
cloudantnosqldb.sapi.userinfo |
GET |
/_api/v2/usage/data_volume and /_api/v2/usage/$YEAR/$MONTH |
cloudantnosqldb.sapi.usage-data-volume |
GET/HEAD |
/ | cloudantnosqldb.account-meta-info.read |
GET/HEAD |
/_active_tasks |
cloudantnosqldb.account-active-tasks.read |
GET/HEAD |
/_replicator |
cloudantnosqldb.replicator-database-info.read |
GET/HEAD |
/_replicator/$DOCUMENT |
cloudantnosqldb.replication.read |
GET/HEAD |
/_scheduler/jobs |
cloudantnosqldb.replication-scheduler.read |
GET/HEAD |
/_scheduler/docs |
cloudantnosqldb.replication-scheduler.read |
POST |
/_replicate |
cloudantnosqldb.replication.write |
PUT/DELETE |
/_replicator |
cloudantnosqldb.replicator-database.create |
PUT/DELETE |
/_replicator/$DOCUMENT |
cloudantnosqldb.replication.write |
GET/HEAD |
/_up |
cloudantnosqldb.account-up.read |
PUT |
/$DATABASE/ |
cloudantnosqldb.database.create |
DELETE |
/$DATABASE |
cloudantnosqldb.database.delete |
POST |
/$DATABASE/_design_docs/queries |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/_design/$DOCUMENT_ID/_geo_info |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/_design/$DOCUMENT_ID/_info/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
GET |
/$DATABASE/_design/$DOCUMENT_ID/_search_disk_size/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
GET |
/$DATABASE/_design/$DOCUMENT_ID/_search_info/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/_index/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
GET |
/$DATABASE/_design_docs |
cloudantnosqldb.any-document.read |
GET |
/$DATABASE/_design/$DOCUMENT_ID |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/_design/$DOCUMENT_ID/$ATTACHMENT |
cloudantnosqldb.any-document.read |
PUT |
/$DATABASE/_design/$DOCUMENT_ID |
cloudantnosqldb.design-document.write |
COPY |
/$DATABASE/_design/$DOCUMENT_ID |
cloudantnosqldb.design-document.write |
DELETE |
/$DATABASE/_design/$DOCUMENT_ID |
cloudantnosqldb.design-document.write |
PUT |
/$DATABASE/_design/$DOCUMENT_ID/$ATTACHMENT |
cloudantnosqldb.design-document.write |
DELETE |
/$DATABASE/_design/$DOCUMENT_ID/$ATTACHMENT |
cloudantnosqldb.design-document.write |
POST/DELETE |
/$DATABASE/_index/$FURTHER_PATH_PARTS |
cloudantnosqldb.design-document.write |
GET/HEAD |
/$DATABASE/_security |
cloudantnosqldb.database-security.read |
PUT |
/$DATABASE/_security |
cloudantnosqldb.database-security.write |
GET/HEAD |
/$DATABASE/_shards |
cloudantnosqldb.database-shards.read |
COPY (Depends on write document type.) |
/$DATABASE/$DOCUMENT_ID |
cloudantnosqldb.any-document.read + cloudantnosqldb.design-document.write either or both cloudantnosqldb.local-document.write either or both cloudantnosqldb.data-document.write |
GET |
/_membership |
cloudantnosqldb.cluster-membership.read |
POST |
/$DATABASE/_ensure_full_commit |
cloudantnosqldb.database-ensure-full-commit.execute |
PUT |
/_users |
cloudantnosqldb.users-database.create |
GET/HEAD |
/_users |
cloudantnosqldb.users-database-info.read |
DELETE |
/_users |
cloudantnosqldb.users-database.delete |
GET/HEAD |
/_users/$DOCUMENT |
cloudantnosqldb.users.read |
GET/POST |
/_users/_all_docs |
cloudantnosqldb.users.read |
GET/POST |
/_users/_changes |
cloudantnosqldb.users.read |
POST |
/_users/_missing_revs |
cloudantnosqldb.users.read |
POST |
/_users/_revs_diff |
cloudantnosqldb.users.read |
POST |
/_users/_bulk_get |
cloudantnosqldb.users.read |
PUT/DELETE |
/_users/$DOCUMENT |
cloudantnosqldb.users.write |
POST |
/_users/_bulk_docs |
cloudantnosqldb.users.write |
POST |
/_users/ |
cloudantnosqldb.users.write |
GET/HEAD |
/_uuids |
cloudantnosqldb.cluster-uuids.execute |
POST |
/$DATABASE/ |
cloudantnosqldb.data-document.write or cloudantnosqldb.design-document.write or cloudantnosqldb.local-document.write |
POST |
/$DATABASE/_bulk_docs |
cloudantnosqldb.data-document.write either or both cloudantnosqldb.design-document.write either or both cloudantnosqldb.local-document.write |
PUT |
/$DATABASE/$DOCUMENT_ID |
cloudantnosqldb.data-document.write |
DELETE |
/$DATABASE/$DOCUMENT_ID |
cloudantnosqldb.data-document.write |
PUT |
/$DATABASE/$DOCUMENT_ID/$ATTACHMENT |
cloudantnosqldb.data-document.write |
DELETE |
/$DATABASE/$DOCUMENT_ID/$ATTACHMENT |
cloudantnosqldb.data-document.write |
PUT/DELETE |
/$DATABASE/_local/$DOCUMENT_ID |
cloudantnosqldb.local-document.write |
COPY (Depends on write document type.) |
/$DATABASE/_local/$DOCUMENT_ID |
cloudantnosqldb.any-document.read + cloudantnosqldb.design-document.write either or both cloudantnosqldb.local-document.write either or both cloudantnosqldb.data-document.write |
GET/HEAD |
/_iam_session |
cloudantnosqldb.iam-session.read |
POST |
/_iam_session |
cloudantnosqldb.iam-session.write |
DELETE |
/_iam_session |
cloudantnosqldb.iam-session.delete |
GET/HEAD |
/_session |
cloudantnosqldb.session.read |
POST |
/_session |
cloudantnosqldb.session.write |
DELETE |
/_session |
cloudantnosqldb.session.delete |
GET/HEAD |
/_all_dbs |
cloudantnosqldb.account-all-dbs.read |
POST |
/_dbs_info |
cloudantnosqldb.account-dbs-info.read |
GET |
/$DATABASE/ |
cloudantnosqldb.database-info.read |
GET/POST |
/$DATABASE/_all_docs |
cloudantnosqldb.any-document.read |
GET/POST |
/$DATABASE/_changes |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/$DOCUMENT_ID |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/$DOCUMENT_ID/$ATTACHMENT |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_bulk_get |
cloudantnosqldb.any-document.read |
GET/POST |
/_search_analyze |
cloudantnosqldb.account-search-analyze.execute |
POST |
/$DATABASE/_all_docs/queries |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/_design/$DOCUMENT_ID/_geo/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
GET/POST |
/$DATABASE/_design/$DOCUMENT_ID/_search/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_design/$DOCUMENT_ID/_view/$VIEW/queries |
cloudantnosqldb.any-document.read |
GET/POST |
/$DATABASE/_design/$DOCUMENT_ID/_view/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_explain/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_find/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
GET |
/$DATABASE/_local/$DOCUMENT_ID |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_missing_revs |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_revs_diff |
cloudantnosqldb.any-document.read |
| Method | Endpoint | Action name |
|---|---|---|
GET |
/_api/v2/user/activity_tracker/events |
cloudantnosqldb.activity-tracker-event-types.read |
GET/HEAD |
/_uuids |
cloudantnosqldb.cluster-uuids.execute |
POST |
/$DATABASE/ |
cloudantnosqldb.data-document.write or cloudantnosqldb.design-document.write or cloudantnosqldb.local-document.write |
POST |
/$DATABASE/_bulk_docs |
cloudantnosqldb.data-document.write either or both cloudantnosqldb.design-document.write either or both cloudantnosqldb.local-document.write |
PUT |
/$DATABASE/$DOCUMENT_ID |
cloudantnosqldb.data-document.write |
DELETE |
/$DATABASE/$DOCUMENT_ID |
cloudantnosqldb.data-document.write |
PUT |
/$DATABASE/$DOCUMENT_ID/$ATTACHMENT |
cloudantnosqldb.data-document.write |
DELETE |
/$DATABASE/$DOCUMENT_ID/$ATTACHMENT |
cloudantnosqldb.data-document.write |
PUT/DELETE |
/$DATABASE/_local/$DOCUMENT_ID |
cloudantnosqldb.local-document.write |
GET/HEAD |
/_iam_session |
cloudantnosqldb.iam-session.read |
POST |
/_iam_session |
cloudantnosqldb.iam-session.write |
DELETE |
/_iam_session |
cloudantnosqldb.iam-session.delete |
GET/HEAD |
/_session |
cloudantnosqldb.session.read |
POST |
/_session |
cloudantnosqldb.session.write |
DELETE |
/_session |
cloudantnosqldb.session.delete |
GET/HEAD |
/_all_dbs |
cloudantnosqldb.account-all-dbs.read |
POST |
/_dbs_info |
cloudantnosqldb.account-dbs-info.read |
GET |
/$DATABASE/ |
cloudantnosqldb.database-info.read |
GET/POST |
/$DATABASE/_all_docs |
cloudantnosqldb.any-document.read |
GET/POST |
/$DATABASE/_changes |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/$DOCUMENT_ID |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/$DOCUMENT_ID/$ATTACHMENT |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_bulk_get |
cloudantnosqldb.any-document.read |
GET/POST |
/_search_analyze |
cloudantnosqldb.account-search-analyze.execute |
POST |
/$DATABASE/_all_docs/queries |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/_design/$DOCUMENT_ID/_geo/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
GET/POST |
/$DATABASE/_design/$DOCUMENT_ID/_search/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_design/$DOCUMENT_ID/_view/$VIEW/queries |
cloudantnosqldb.any-document.read |
GET/POST |
/$DATABASE/_design/$DOCUMENT_ID/_view/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_explain/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_find/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
GET |
/$DATABASE/_local/$DOCUMENT_ID |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_missing_revs |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_revs_diff |
cloudantnosqldb.any-document.read |
GET/HEAD |
/ | cloudantnosqldb.account-meta-info.read |
POST |
/$DATABASE/_ensure_full_commit |
cloudantnosqldb.database-ensure-full-commit.execute |
| Method | Endpoint | Action name |
|---|---|---|
GET |
/_api/v2/user/activity_tracker/events |
cloudantnosqldb.activity-tracker-event-types.read |
GET/HEAD |
/_iam_session |
cloudantnosqldb.iam-session.read |
POST |
/_iam_session |
cloudantnosqldb.iam-session.write |
DELETE |
/_iam_session |
cloudantnosqldb.iam-session.delete |
GET/HEAD |
/_session |
cloudantnosqldb.session.read |
POST |
/_session |
cloudantnosqldb.session.write |
DELETE |
/_session |
cloudantnosqldb.session.delete |
GET/HEAD |
/_all_dbs |
cloudantnosqldb.account-all-dbs.read |
POST |
/_dbs_info |
cloudantnosqldb.account-dbs-info.read |
GET |
/$DATABASE/ |
cloudantnosqldb.database-info.read |
GET/POST |
/$DATABASE/_all_docs |
cloudantnosqldb.any-document.read |
GET/POST |
/$DATABASE/_changes |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/$DOCUMENT_ID |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/$DOCUMENT_ID/$ATTACHMENT |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_bulk_get |
cloudantnosqldb.any-document.read |
GET/POST |
/_search_analyze |
cloudantnosqldb.account-search-analyze.execute |
POST |
/$DATABASE/_all_docs/queries |
cloudantnosqldb.any-document.read |
GET/HEAD |
/$DATABASE/_design/$DOCUMENT_ID/_geo/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
GET/POST |
/$DATABASE/_design/$DOCUMENT_ID/_search/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_design/$DOCUMENT_ID/_view/$VIEW/queries |
cloudantnosqldb.any-document.read |
GET/POST |
/$DATABASE/_design/$DOCUMENT_ID/_view/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_explain/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_find/$FURTHER_PATH_PARTS |
cloudantnosqldb.any-document.read |
GET |
/$DATABASE/_local/$DOCUMENT_ID |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_missing_revs |
cloudantnosqldb.any-document.read |
POST |
/$DATABASE/_revs_diff |
cloudantnosqldb.any-document.read |
GET/HEAD |
/ | cloudantnosqldb.account-meta-info.read |
| Method | Endpoint | Action name |
|---|---|---|
GET |
/_api/v2/usage/data_volume and /_api/v2/usage/$YEAR/$MONTH |
cloudantnosqldb.sapi.usage-data-volume |
GET |
/_api/v2/user/capacity/throughput |
cloudantnosqldb.capacity-throughput.read |
GET |
/_api/v2/user/current/throughput |
cloudantnosqldb.current-throughput.read |
GET/HEAD |
/ | cloudantnosqldb.account-meta-info.read |
GET/HEAD |
/_active_tasks |
cloudantnosqldb.account-active-tasks.read |
GET/HEAD |
/_scheduler/jobs |
cloudantnosqldb.replication-scheduler.read |
GET/HEAD |
/_scheduler/docs |
cloudantnosqldb.replication-scheduler.read |
GET/HEAD |
/_up |
cloudantnosqldb.account-up.read |
GET/HEAD |
/$DATABASE/_shards |
cloudantnosqldb.database-shards.read |
PUT/DELETE |
/$DATABASE/_local/$DOCUMENT_ID |
cloudantnosqldb.local-document.write |
POST |
/_dbs_info |
cloudantnosqldb.account-dbs-info.read |
GET |
/$DATABASE/ |
cloudantnosqldb.database-info.read |
| Method | Endpoint | Action name |
|---|---|---|
PUT/DELETE |
/$DATABASE/_local/$DOCUMENT_ID |
cloudantnosqldb.local-document.write |
Troubleshooting
If you can't use IAM to authenticate when you make requests to your IBM Cloudant service instance, verify your account as shown in the next section.
Ensure that your account is IAM enabled
On the Overview portion of the IBM Cloudant Dashboard, "authentication method" is listed under deployment details. Your available authentication methods are listed there.