Managing access to resources
To manage access for users or service IDs by using IAM policies, you must be the account owner or have the correct access assigned. To assign a user access to resources, you must be an administrator on all services in the account, or the assigned administrator for the particular service or service instance. To assign access to a service ID, you must be an administrator on the identity service or on the specific service ID.
Assigning access to resources
You can assign access to resources by using two types of policies:
- Access to resources in the account, including the option for just one type or all types
- Access to resources within a resource group, including the option for just one resource or all resources
If you delete or edit an existing policy for a service ID that's currently being used, it might cause service interruption.
If you want to give a user full administrator access to complete account management tasks, such as inviting and removing users, viewing billing and usage, managing service IDs, managing access groups, managing user access, and access to all IAM-enabled resources, you must assign the user the following access:
- A policy for Identity and Access enabled services with the Administrator and Manager roles.
- A policy with the Administrator role on All Account Management services.
You can also set access management tags to manage access. For more information, see Controlling access to resources by using tags.
Users with the Administrator role for account management services can change the access of other users and remove users from the resource, including other users with the administrator role.
Assigning access to resources in the console
To assign access to an individual resource in the account or access to all resources in the account, complete the following steps:
- In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to assign access to.
- Click the Actions icon > Assign access for the user or service ID that you want to assign access to.
- Select a group of services or a single service. Then, click Next.
- Scope the access to all resources in the account, or select specific resources based on attributes.
- Click Next.
- Select any combination of roles to assign, and click Review.
- Click Add to add your policy configuration to your policy summary.
- (Optional) Add users or service IDs to access groups:
  - Select the access groups that you want the user or service ID to belong to.
  - Click Add.
- Click Assign.
If a user doesn't have a role on the resource group that contains the resources, they can see the resources, but can't access the resources by going to the Resource list page in the account to start working with them. Assign the Viewer role or higher on the resource group itself to ensure that a user can access the resource.
Increased policy limits for service IDs are available for select accounts. To take advantage of the increased policy limits, assign access to Event Streams or IBM Cloud Object Storage services. You must also scope the access policies to a specific service instance, resource type, and resource ID.
Assigning access within a resource group in the console
To assign access to all resources in a resource group or to just one service within a resource group, complete the following steps:
- In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to assign access to.
- Click the user or service ID that you want to assign access to, then click Access > Assign access.
- Select a group of services or a single service. Then, click Next.
- Scope the access to Specific resources. Select the Resource group attribute type and enter a resource group.
- Click Next.
- Select the access roles to manage the resource group. Then, click Next.
- Select any combination of roles to assign, and click Review.
- Click Add to add your policy configuration to your policy summary.
- Click Assign.
Assigning access to manage a resource group
You can assign access to view or manage a resource group without assigning service access.
As an administrator, you might want to create an access group with the Viewer role on all resource groups. This way, when you assign access to service resources you don’t have to create additional policies for viewing resource groups. The Viewer role on a resource group is required for a user to create a service instance in that resource group.
To assign access to a resource group without assigning service access, complete the following steps:
- In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to assign access to.
- Click the user or service ID that you want to assign access to, then click Access > Assign access.
- Select Resource group only.
- Select Add a condition.
- Select the Resource group attribute type and enter a resource group.
- Click Next.
- Select the access roles for viewing or managing the resource group. Then, click Review.
- Click Add to add your policy configuration to your policy summary.
- Click Assign.
You can repeat this type of policy as needed for each available resource group in the account to assign access to manage all resource groups in the account.
Assigning access to resources by using the CLI
- Log in to the IBM Cloud® CLI. If you have multiple accounts, you are prompted to select which account to use. If you do not specify a region with the -r flag, you must also select a region.
  ibmcloud login
  If your credentials are rejected, you might be using a federated ID. To log in with a federated ID, use the --sso flag. See Logging in with a federated ID for more details. If it's your first time using the IBM Cloud CLI, check out the getting started tutorial.
- Create an access policy and assign it to a user or a service ID by using the ibmcloud iam user-policy-create command (for a user) or the ibmcloud iam service-policy-create command (for a service ID).
  - This example assigns access to an individual resource in the account with the Administrator role for all instances of the sample-service service:
    ibmcloud iam user-policy-create name@example.com --roles Administrator --service-name sample-service
  - This example assigns access to All Account Management services with the Administrator role:
    ibmcloud iam user-policy-create name@example.com --roles Administrator --account-management
  - This example assigns access to All Identity and Access enabled services with the Administrator role:
    ibmcloud iam user-policy-create name@example.com --roles Administrator --attributes serviceType=service
  - This example assigns access to All IAM Account Management services with the Administrator role:
    ibmcloud iam user-policy-create name@example.com --roles Administrator --attributes service_group_id=IAM
Increased policy limits for service IDs are available for select accounts. To take advantage of the increased policy limits, assign access to Event Streams or IBM Cloud Object Storage services. You must also scope the access policies to a specific service instance, resource type, and resource ID.
  - This example assigns a service ID access to Object Storage with the Manager role. It scopes the access to a specific service instance, resource type, and resource ID:
    ibmcloud iam service-policy-create SERVICE_ID --service-name cloud-object-storage --service-instance SERVICE_INSTANCE_GUID --resource-type RESOURCE_TYPE --resource RESOURCE --roles Manager
Assigning access within a resource group by using the CLI
Enter the ibmcloud iam user-policy-create command to assign access to all resources in a resource group or to just one service within a resource group. This example gives name@example.com the Operator role for the resource group with ID dda27e49d2a1efca58083a01dfde18f6:
ibmcloud iam user-policy-create name@example.com --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6
Enter the ibmcloud iam service-policy-create command to assign access to all resources in a resource group or to just one service within a resource group. This example gives the service ID test the Administrator role for the resource group called sample-resource-group:
ibmcloud iam service-policy-create test --roles Administrator --resource-group-name sample-resource-group
Assigning access to manage a resource group by using the CLI
You can assign access to view or manage a resource group without assigning service access.
As an administrator, you might want to create an access group with the Viewer role on all resource groups. This way, when you assign access to service resources you don’t have to create additional policies for viewing resource groups. The Viewer role on a resource group is required for a user to create a service instance in that resource group.
The following example creates a policy with the Viewer role on a specific resource group:
ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-type resource-group --resource fec6c95e6a0a44c5bcca138bfe5a1f9e
The following example creates a policy with the Viewer role on all resource groups in the account:
ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-type resource-group
The following example creates a policy with the Viewer role on all resources in a resource group:
ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-group-name satellite-test
Assigning access to resources by using the API
You can assign access to an individual resource in the account or access to a list of resources in the account by calling the IBM Cloud® Identity and Access Management (IAM) Policy Management API as shown in the following sample request. The sample request gives Administrator role access for an instance of a service:
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Administrator role for RESOURCE_NAME in SERVICE_NAME",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "$SERVICE_NAME"
        },
        {
          "name": "resource",
          "value": "$RESOURCE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ]
}'
Java:
// `service` is an initialized IamPolicyManagement client; `exampleAccountId` is set earlier.
SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
    .name("iam_id")
    .value("EXAMPLE_USER_ID")
    .build();
PolicySubject policySubjects = new PolicySubject.Builder()
    .addAttributes(subjectAttribute)
    .build();
PolicyRole policyRoles = new PolicyRole.Builder()
    .roleId("crn:v1:bluemix:public:iam::::role:Administrator")
    .build();
ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
    .name("accountId")
    .value(exampleAccountId)
    .operator("stringEquals")
    .build();
ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
    .name("serviceName")
    .value("service")
    .operator("stringEquals")
    .build();
PolicyResource policyResources = new PolicyResource.Builder()
    .addAttributes(accountIdResourceAttribute)
    .addAttributes(serviceNameResourceAttribute)
    .build();
CreatePolicyOptions options = new CreatePolicyOptions.Builder()
    .type("access")
    .subjects(Arrays.asList(policySubjects))
    .roles(Arrays.asList(policyRoles))
    .resources(Arrays.asList(policyResources))
    .build();
Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();
System.out.println(policy);
Node.js:
// `iamPolicyManagementService` is an initialized client; `exampleAccountId` and
// `examplePolicyId` are declared earlier.
const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: 'exampleUserId',
      },
    ],
  },
];
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Administrator',
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'serviceName',
  value: 'service',
  operator: 'stringEquals',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};
iamPolicyManagementService.createPolicy(params)
  .then(res => {
    examplePolicyId = res.result.id;
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err);
  });
Python:
import json
from ibm_platform_services.iam_policy_management_v1 import (
    PolicySubject, SubjectAttribute, PolicyRole, PolicyResource, ResourceAttribute)

# iam_policy_management_service is an initialized IamPolicyManagementV1 client;
# example_account_id and example_user_id are set earlier.
policy_subjects = PolicySubject(
    attributes=[SubjectAttribute(name='iam_id', value='example_user_id')])
policy_roles = PolicyRole(
    role_id='crn:v1:bluemix:public:iam::::role:Administrator')
account_id_resource_attribute = ResourceAttribute(
    name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
    name='serviceName', value='service')
policy_resources = PolicyResource(
    attributes=[account_id_resource_attribute,
                service_name_resource_attribute])
policy = iam_policy_management_service.create_policy(
    type='access',
    subjects=[policy_subjects],
    roles=[policy_roles],
    resources=[policy_resources]
).get_result()
print(json.dumps(policy, indent=2))
Go:
// iamPolicyManagementService is an initialized client; exampleAccountID is set earlier.
subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
	Name:  core.StringPtr("iam_id"),
	Value: core.StringPtr("exampleUserID"),
}
policySubjects := &iampolicymanagementv1.PolicySubject{
	Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
	RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
	Name:     core.StringPtr("accountId"),
	Value:    core.StringPtr(exampleAccountID),
	Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
	Name:     core.StringPtr("serviceName"),
	Value:    core.StringPtr("service"),
	Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
	Attributes: []iampolicymanagementv1.ResourceAttribute{
		*accountIDResourceAttribute, *serviceNameResourceAttribute,
	},
}
options := iamPolicyManagementService.NewCreatePolicyOptions(
	"access",
	[]iampolicymanagementv1.PolicySubject{*policySubjects},
	[]iampolicymanagementv1.PolicyRole{*policyRoles},
	[]iampolicymanagementv1.PolicyResource{*policyResources},
)
policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
	panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))
You can assign access to a group of services. To assign access to All Identity and Access enabled services, specify serviceType for the name attribute, and use the value service.
To assign access to All Account Management services, specify serviceType for the name attribute, and use the value platform_service. To assign access to the subset of account management services called All IAM Account Management services, specify service_group_id for the name attribute, and use the value IAM.
Increased policy limits for service IDs are available for select accounts. To take advantage of the increased policy limits, assign access to Event Streams or IBM Cloud Object Storage services. You must also scope the access policies to a specific service instance, resource type, and resource ID.
The following sample request gives a service ID Reader role access to an instance of Object Storage. It scopes the access to a specific service instance, resource type, and resource ID:
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Reader role for RESOURCE_NAME in SERVICE_NAME",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "$SERVICE_ID"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "cloud-object-storage"
        },
        {
          "name": "serviceInstance",
          "value": "$INSTANCE_ID",
          "operator": "stringEquals"
        },
        {
          "name": "resourceType",
          "value": "$RESOURCE_TYPE",
          "operator": "stringEquals"
        },
        {
          "name": "resource",
          "value": "$RESOURCE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ]
}'
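The request bodies above and the group-of-services attributes (serviceType=service, serviceType=platform_service, service_group_id=IAM) all follow one shape, so the following added example (not IBM's code or SDK) builds that body for each scope described on this page and classifies how wide the grant is before it is sent. All IAM IDs, account IDs and instance IDs are constructed placeholders; the attribute names serviceName, serviceType, service_group_id, serviceInstance, resourceType and resource come from this page, and resourceGroupId is assumed to be the API's attribute for scoping to a resource group.

```python
import json

# Role CRN shapes used by the API: platform roles (Viewer, Operator, Editor,
# Administrator) use "role:", service roles (Reader, Writer, Manager) use
# "serviceRole:". Both forms appear in the sample requests on this page.
PLATFORM_ROLE_CRN = "crn:v1:bluemix:public:iam::::role:{}"
SERVICE_ROLE_CRN = "crn:v1:bluemix:public:iam::::serviceRole:{}"
SERVICE_ROLES = {"Reader", "Writer", "Manager"}

# Keyword argument -> resource attribute name sent to the API.
# resourceGroupId is an assumption; the others are taken from this page.
SCOPE_ATTRIBUTES = {
    "service_name": "serviceName",
    "service_type": "serviceType",
    "service_group_id": "service_group_id",
    "resource_group_id": "resourceGroupId",
    "service_instance": "serviceInstance",
    "resource_type": "resourceType",
    "resource": "resource",
}


def role_id(role):
    """Return the CRN form of a role name."""
    template = SERVICE_ROLE_CRN if role in SERVICE_ROLES else PLATFORM_ROLE_CRN
    return template.format(role)


def build_policy(iam_id, roles, account_id, description="", **scope):
    """Build a POST /v1/policies body for one subject, scoped by keyword arguments."""
    unknown = set(scope) - set(SCOPE_ATTRIBUTES)
    if unknown:
        raise ValueError("unknown scope attributes: %s" % sorted(unknown))
    attributes = [{"name": "accountId", "value": account_id, "operator": "stringEquals"}]
    for key, value in scope.items():
        attributes.append({"name": SCOPE_ATTRIBUTES[key], "value": value,
                           "operator": "stringEquals"})
    return {
        "type": "access",
        "description": description,
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": role_id(r)} for r in roles],
        "resources": [{"attributes": attributes}],
    }


# The three service-group scopes described in the text.
def all_iam_enabled_services(iam_id, roles, account_id):
    return build_policy(iam_id, roles, account_id,
                        "All Identity and Access enabled services", service_type="service")


def all_account_management(iam_id, roles, account_id):
    return build_policy(iam_id, roles, account_id,
                        "All Account Management services", service_type="platform_service")


def iam_account_management(iam_id, roles, account_id):
    return build_policy(iam_id, roles, account_id,
                        "All IAM Account Management services", service_group_id="IAM")


def scope_width(policy):
    """Classify how broadly a policy is scoped, narrowest match first."""
    names = {a["name"] for r in policy["resources"] for a in r["attributes"]}
    if names & {"serviceInstance", "resource"}:
        return "instance"
    if "resourceGroupId" in names:
        return "resource-group"
    if "serviceName" in names:
        return "service"
    return "account"  # serviceType, service_group_id, or a bare accountId


def request_body(policy):
    """Serialize the body exactly as it would be passed to curl -d."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed placeholders, not real identifiers.
    cos = build_policy("iam-ServiceId-EXAMPLE", ["Reader"], "ACCOUNT_ID",
                       "Reader on one bucket",
                       service_name="cloud-object-storage",
                       service_instance="INSTANCE_ID",
                       resource_type="bucket", resource="my-bucket")
    print(scope_width(cos))
    print(request_body(cos))
```

Reviewing scope_width on a body before submitting it is a cheap guard against accidentally sending an account-wide Administrator grant when an instance-scoped one was intended.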
Assigning access within a resource group by using the API
This action can be done only through the UI or CLI. To see the steps, switch to the UI or CLI instructions.
Before you begin
Before you can assign access to resources by using Terraform, ensure that you've completed the following:
- Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
- Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.
Assigning access to resources by using Terraform
To assign access to resources by using Terraform, use the following steps:
- Assign access to resources by using the ibm_iam_user_policy resource argument in your main.tf file. The following example gives test@in.ibm.com the Viewer role for all instances of the kms service by using ibm_iam_user_policy:
  resource "ibm_iam_user_policy" "policy" {
    ibm_id = "test@in.ibm.com"
    roles  = ["Viewer"]
    resources {
      service = "kms"
    }
  }
  Increased policy limits for service IDs are available for select accounts. To take advantage of the increased policy limits, assign access to Event Streams or IBM Cloud Object Storage services. You must also scope the access policies to a specific service instance, resource type, and resource ID.
  The following example gives a service ID the Reader role for an instance of Object Storage by using ibm_iam_service_policy. It scopes the access to a specific service instance, resource type, and resource ID:
  resource "ibm_iam_service_policy" "policy" {
    iam_service_id = "$SERVICE_ID"
    roles          = ["Reader"]
    resources {
      service              = "cloud-object-storage"
      resource_instance_id = "$SERVICE_INSTANCE_ID"
      resource_type        = "$RESOURCE_TYPE"
      resource             = "$RESOURCE"
    }
  }
  You can specify the name of the service for which you want to assign access on the service option. For more information, see the argument reference details on the Terraform Identity and Access Management (IAM) page.
- After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
  terraform init
- Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
  - Run terraform plan to generate a Terraform execution plan to preview the proposed actions.
    terraform plan
  - Run terraform apply to create the resources that are defined in the plan.
    terraform apply
Assigning access within a resource group by using Terraform
To assign access within a resource group by using Terraform, use the following steps.
- Assign access within a resource group by using the ibm_iam_user_policy resource in your main.tf file. The following example gives test@in.ibm.com the Viewer role for the resource group with ID data.ibm_resource_group.group.id by using ibm_iam_user_policy:
  data "ibm_resource_group" "group" {
    name = "default"
  }
  resource "ibm_iam_user_policy" "policy" {
    ibm_id = "test@in.ibm.com"
    roles  = ["Viewer"]
    resources {
      service           = "containers-kubernetes"
      resource_group_id = data.ibm_resource_group.group.id
    }
  }
  You can specify the ID of the resource group that you want to assign access to on the resource_group_id option. For more information, see the argument reference details on the Terraform Identity and Access Management (IAM) page.
- After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
  terraform init
- Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
  - Run terraform plan to generate a Terraform execution plan to preview the proposed actions.
    terraform plan
  - Run terraform apply to create the resources that are defined in the plan.
    terraform apply
Removing access in the console
Removing access for a user or service ID can take up to 10 minutes to take effect.
- In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to manage.
- Select the user's name or service ID that you want to remove access for.
- From the Access tab, click the Actions icon > Remove on the row for the policy you want to remove.
- Review the policy details that you're about to remove, and confirm by clicking Remove.
You can also remove users and service IDs from access groups by selecting the checkbox for the user or service ID that you want to remove, and clicking Remove. Then, click Remove again to approve the process.
Removing access by using the CLI
To remove a user policy by using the CLI, you can use the ibmcloud iam user-policy-delete command:
ibmcloud iam user-policy-delete USER_ID POLICY_ID [-f, --force]
To remove a service ID policy by using the CLI, you can use the ibmcloud iam service-policy-delete command:
ibmcloud iam service-policy-delete SERVICE_ID POLICY_ID [-f, --force]
Removing access by using the API
Delete a policy by providing a policy ID and calling the IBM Cloud® Identity and Access Management (IAM) Policy Management API as shown in the following sample request:
curl -X DELETE 'https://iam.cloud.ibm.com/v1/policies/$POLICY_ID' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json'
Java:
DeletePolicyOptions options = new DeletePolicyOptions.Builder()
    .policyId(examplePolicyId)
    .build();
service.deletePolicy(options).execute();
Node.js:
const params = {
  policyId: examplePolicyId,
};
iamPolicyManagementService.deletePolicy(params)
  .then(res => {
    console.log(JSON.stringify(res, null, 2));
  })
  .catch(err => {
    console.warn(err);
  });
Python:
response = iam_policy_management_service.delete_policy(
    policy_id=example_policy_id
).get_result()
print(json.dumps(response, indent=2))
Go:
options := iamPolicyManagementService.NewDeletePolicyOptions(
	examplePolicyID,
)
response, err := iamPolicyManagementService.DeletePolicy(options)
if err != nil {
	panic(err)
}
A policy cannot be deleted if the subject ID contains a locked service ID.
Reviewing assigned access in the console
If you need to review your assigned access in an account that you've been added to, complete the following steps:
- In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to review.
- Select your name or the service ID.
- Review the assigned access in the Access tab.
If you need more access, you must contact the account owner to update your access or contact the administrator for the service or service instance to update the access policy.
Reviewing assigned access by using the CLI
If you need to review your assigned access in an account that you've been added to, you can use the ibmcloud iam user-policies command.
This example lists the policies of the user name@example.com:
ibmcloud iam user-policies name@example.com
Reviewing assigned access by using the API
By using the API, you can only retrieve all policies in the account and filter by attribute values. You can check your assigned access in an account by going to Manage > Users > your_name > Access in the IBM Cloud console. To retrieve policies, call the IBM Cloud® Identity and Access Management (IAM) Policy Management API as shown in the following sample request:
curl -X GET 'https://iam.cloud.ibm.com/v1/policies?account_id=$ACCOUNT_ID' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json'
Java:
ListPoliciesOptions options = new ListPoliciesOptions.Builder()
    .accountId(exampleAccountId)
    .iamId(EXAMPLE_USER_ID)
    .build();
Response<PolicyList> response = service.listPolicies(options).execute();
PolicyList policyList = response.getResult();
System.out.println(policyList);
Node.js:
const params = {
  accountId: exampleAccountId,
  iamId: exampleUserId,
};
iamPolicyManagementService.listPolicies(params)
  .then(res => {
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err);
  });
Python:
policy_list = iam_policy_management_service.list_policies(
    account_id=example_account_id, iam_id=example_user_id
).get_result()
print(json.dumps(policy_list, indent=2))
Go:
options := iamPolicyManagementService.NewListPoliciesOptions(
	exampleAccountID,
)
options.SetIamID(exampleUserID)
policyList, response, err := iamPolicyManagementService.ListPolicies(options)
if err != nil {
	panic(err)
}
b, _ := json.MarshalIndent(policyList, "", "  ")
fmt.Println(string(b))
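Because the API only returns every policy in the account, the filtering that "Reviewing assigned access" describes happens client-side. The following added example (not IBM's code or SDK) works over a constructed list-policies response in the API's shape: it keeps the policies for one iam_id, lists Administrator grants that carry no narrowing attribute, and finds subjects holding both halves of the full-administrator combination described at the top of this page (Administrator on All Account Management services plus Administrator and Manager on all IAM-enabled services). All policy IDs and IAM IDs are placeholders; resourceGroupId is assumed to be the API's resource-group attribute.

```python
# Constructed sample in the shape of GET /v1/policies?account_id=...,
# trimmed to the fields these checks read. Every ID here is a placeholder.
SAMPLE_RESPONSE = {
    "policies": [
        {"id": "policy-0001",
         "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-ALICE"}]}],
         "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
         "resources": [{"attributes": [
             {"name": "accountId", "value": "ACCOUNT_ID"},
             {"name": "serviceType", "value": "platform_service"}]}]},
        {"id": "policy-0002",
         "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-ALICE"}]}],
         "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer"}],
         "resources": [{"attributes": [
             {"name": "accountId", "value": "ACCOUNT_ID"},
             {"name": "resourceType", "value": "resource-group"},
             {"name": "resource", "value": "fec6c95e6a0a44c5bcca138bfe5a1f9e"}]}]},
        {"id": "policy-0003",
         "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-EXAMPLE"}]}],
         "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader"}],
         "resources": [{"attributes": [
             {"name": "accountId", "value": "ACCOUNT_ID"},
             {"name": "serviceName", "value": "cloud-object-storage"},
             {"name": "serviceInstance", "value": "INSTANCE_ID"}]}]},
        {"id": "policy-0004",
         "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-BOB"}]}],
         "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"},
                   {"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager"}],
         "resources": [{"attributes": [
             {"name": "accountId", "value": "ACCOUNT_ID"},
             {"name": "serviceType", "value": "service"}]}]},
        {"id": "policy-0005",
         "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-BOB"}]}],
         "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
         "resources": [{"attributes": [
             {"name": "accountId", "value": "ACCOUNT_ID"},
             {"name": "serviceType", "value": "platform_service"}]}]},
    ]
}

# Any of these attributes narrows a policy below account-wide scope.
# resourceGroupId is assumed; the rest appear on this page.
NARROWING_ATTRIBUTES = {"serviceName", "resourceGroupId", "serviceInstance",
                        "resourceType", "resource"}


def subject_ids(policy):
    return {a["value"] for s in policy["subjects"]
            for a in s["attributes"] if a["name"] == "iam_id"}


def role_names(policy):
    # "crn:v1:bluemix:public:iam::::role:Administrator" -> "Administrator"
    return {r["role_id"].rsplit(":", 1)[1] for r in policy["roles"]}


def resource_attrs(policy):
    return {a["name"]: a["value"] for r in policy["resources"] for a in r["attributes"]}


def policies_for(response, iam_id):
    """Client-side filter: keep only the policies whose subject is this iam_id."""
    return [p for p in response["policies"] if iam_id in subject_ids(p)]


def broad_admin_policy_ids(response):
    """Administrator grants with no narrowing attribute, i.e. account-wide scope."""
    return [p["id"] for p in response["policies"]
            if "Administrator" in role_names(p)
            and not NARROWING_ATTRIBUTES & set(resource_attrs(p))]


def full_account_admins(response):
    """Subjects holding both policies of the full-administrator combination."""
    have = {}
    for p in response["policies"]:
        roles, attrs = role_names(p), resource_attrs(p)
        for sid in subject_ids(p):
            flags = have.setdefault(sid, set())
            if attrs.get("serviceType") == "platform_service" and "Administrator" in roles:
                flags.add("account-management")
            if attrs.get("serviceType") == "service" and {"Administrator", "Manager"} <= roles:
                flags.add("iam-services")
    return sorted(sid for sid, flags in have.items()
                  if flags == {"account-management", "iam-services"})


if __name__ == "__main__":
    print([p["id"] for p in policies_for(SAMPLE_RESPONSE, "IBMid-ALICE")])
    print(broad_admin_policy_ids(SAMPLE_RESPONSE))
    print(full_account_admins(SAMPLE_RESPONSE))
```

Feeding the real list_policies result (the dict returned by get_result() in the Python snippet above) into these functions gives the same review an administrator would otherwise do by clicking through each user's Access tab.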