IBM Cloud Docs
Managing IAM access, API keys, trusted profiles, service IDs, and access groups (ibmcloud iam)

Use the following commands from the IBM Cloud® Command Line Interface to manage API keys, service IDs, access groups, and authorization policies for users, services, trusted profiles, and access groups.

ibmcloud iam service-ids

List all service IDs:

ibmcloud iam service-ids [--uuid]

Command options

--uuid
Show UUID of service IDs only.

Examples

List UUID of all service IDs under current account:

ibmcloud iam service-ids --uuid

ibmcloud iam service-id

Display details of a service ID:

ibmcloud iam service-id (NAME|UUID) [--uuid]

Command options

NAME (required)
Name of the service, exclusive with UUID.
UUID (required)
UUID of the service, exclusive with NAME.
--uuid
Display the UUID of the service ID.

Examples

Show details of service ID sample-test:

ibmcloud iam service-id sample-test

Show details of service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-id ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-id-create

Create a service ID:

ibmcloud iam service-id-create NAME [-d, --description DESCRIPTION] [--lock]

Command options

NAME (required)
Name of the service.
-d, --description
Description of the service ID.
--lock
Lock the service ID during creation.

Examples

Create a service ID with service name sample-test and description hello, world!:

ibmcloud iam service-id-create sample-test -d 'hello, world!'

Create a locked service ID with service name sample-test and description hello, world!:

ibmcloud iam service-id-create sample-test -d 'hello, world!' --lock

ibmcloud iam service-id-update

Update a service ID:

ibmcloud iam service-id-update (NAME|UUID) [-n, --name NEW_NAME] [-d, --description DESCRIPTION] [-f, --force]

Command options

NAME (required)
Name of the service, exclusive with UUID.
UUID (required)
UUID of the service, exclusive with NAME.
-n, --name
New name of the service.
-d, --description
New description of the service.
-f, --force
Update without confirmation.

Examples

Rename service ID sample-test to sample-test-2 without confirmation:

ibmcloud iam service-id-update sample-test -n sample-test-2 -f

Update description of the service sample-test:

ibmcloud iam service-id-update sample-test -d 'hello, friend!'

Rename service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 to sample-test-3 with new description:

ibmcloud iam service-id-update ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 -n sample-test-3 -d 'hello, my friends!'

ibmcloud iam service-id-delete

Delete a service ID:

ibmcloud iam service-id-delete (NAME|UUID) [-f, --force]

Command options

NAME (required)
Name of the service, exclusive with UUID.
UUID (required)
UUID of the service, exclusive with NAME.
-f, --force
Delete without confirmation.

Examples

Delete service ID sample-test without confirmation:

ibmcloud iam service-id-delete sample-test -f

Delete service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-id-delete ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-id-lock

Lock a service ID:

ibmcloud iam service-id-lock (NAME|UUID) [-f, --force]

Command options

NAME (required)
Name of the service, exclusive with UUID.
UUID (required)
UUID of the service, exclusive with NAME.
-f, --force
Lock without confirmation.

Examples

Lock service ID sample-test without confirmation:

ibmcloud iam service-id-lock sample-test -f

Lock service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-id-lock ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-id-unlock

Unlock a service ID:

ibmcloud iam service-id-unlock (NAME|UUID) [-f, --force]

Command options

NAME (required)
Name of the service, exclusive with UUID.
UUID (required)
UUID of the service, exclusive with NAME.
-f, --force
Unlock without confirmation.

Examples

Unlock service ID sample-test without confirmation:

ibmcloud iam service-id-unlock sample-test -f

Unlock service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-id-unlock ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam api-keys

List all IBM Cloud platform API keys:

ibmcloud iam api-keys [--uuid]

Command options

--uuid
Show the UUID of the API key.

ibmcloud iam api-key-create

Create an IBM Cloud platform API key:

ibmcloud iam api-key-create NAME [-d DESCRIPTION] [--file FILE] [--lock]

Logging in to the IBM Cloud CLI with an API key does not work with the legacy SL API key that is found on control.softlayer.com. An upgraded IBM Cloud account where infrastructure is managed through cloud.ibm.com is required to log in to the IBM Cloud CLI with an API key.

Command options

NAME (required)
Name of the API key to be created.
-d DESCRIPTION (optional)
Description of the API key.
--file FILE
Save API key information to the specified file.
--action-if-leaked value
The action to take if the key is leaked, can be "NONE", "DISABLE", or "DELETE". The default is "Disable".
--lock
Lock the API key when it is created.

Examples

Create an API key and save it to a file:

ibmcloud iam api-key-create MyKey -d "this is my API key" --file key_file

Create a locked API key with name "test-key":

ibmcloud iam api-key-create test-key --lock

ibmcloud iam api-key-update

Update an IBM Cloud platform API key:

ibmcloud iam api-key-update (NAME|UUID) [-n name] [-d description]

Command options

NAME (required)
The old name of the API key to be updated, exclusive with UUID.
UUID (required)
The UUID of the API key to be updated, exclusive with NAME.
-n NAME (optional)
The new name of the API key.
-d DESCRIPTION (optional)
The new description of the API key.
--action-if-leaked value
The action to take if the key is leaked, can be "NONE", "DISABLE", or "DELETE". The default is "Disable".

Examples

Update the description of an API key:

ibmcloud iam api-key-update MyKey -d "the new description of my key"

The iam-identity.apikey.manage privilege is required for the account when the NAME and UUID command options are used. For more information, see Managing user API keys and IAM Identity Service.

ibmcloud iam api-key-delete

Delete an IBM Cloud platform API key:

ibmcloud iam api-key-delete (NAME|UUID) [-f, --force]

Command options

NAME (required)
Name of the API key to be deleted, exclusive with UUID.
UUID (required)
UUID of the API key to be deleted, exclusive with NAME.
-f, --force
Force deletion without confirmation.

ibmcloud iam api-key-lock

Lock a platform API key:

ibmcloud iam api-key-lock (NAME|UUID) [-f, --force]

Command options

NAME (required)
The name of the API key to be locked, exclusive with UUID.
UUID (required)
UUID of the API key to be locked, exclusive with NAME.
-f, --force
Force lock without confirmation.

Examples

Lock API key test-api-key:

ibmcloud iam api-key-lock test-api-key

Lock API key with given UUID without confirmation:

ibmcloud iam api-key-lock ApiKey-18f773b0-db53-43f1-ad68-92c667c218fe --force

ibmcloud iam api-key-unlock

Unlock a platform API key:

ibmcloud iam api-key-unlock (NAME|UUID) [-f, --force]

Command options

NAME (required)
The name of the API key to be unlocked, exclusive with UUID.
UUID (required)
The UUID of the API key to be unlocked, exclusive with NAME.
-f, --force
Unlock an API key without confirmation.

Examples

Unlock API key test-api-key:

ibmcloud iam api-key-unlock test-api-key

Unlock API key with given UUID without confirmation:

ibmcloud iam api-key-unlock ApiKey-18f773b0-db53-43f1-ad68-92c667c218fe --force

ibmcloud iam api-key-disable

Disable a platform API key:

ibmcloud iam api-key-disable (NAME|UUID) [-f, --force]

Command options

NAME (required)
The name of the API key to be disabled, exclusive with UUID.
UUID (required)
The UUID of the API key to be disabled, exclusive with NAME.
-f, --force
Force disable without confirmation.

Examples

Disable an API key test-api-key:

ibmcloud iam api-key-disable test-api-key

Disable an API key with given UUID without confirmation:

ibmcloud iam api-key-disable ApiKey-18f773b0-db53-43f1-ad68-92c667c218fe --force

ibmcloud iam api-key-enable

Enable a platform API key:

ibmcloud iam api-key-enable (NAME|UUID) [-f, --force]

Command options

NAME (required)
The name of the API key to be enabled, exclusive with UUID.
UUID (required)
The UUID of the API key to be enabled, exclusive with NAME.
-f, --force
Force enable without confirmation.

Examples

Enable API key test-api-key:

ibmcloud iam api-key-enable test-api-key

Enable API key with given UUID without confirmation:

ibmcloud iam api-key-enable ApiKey-18f773b0-db53-43f1-ad68-92c667c218fe --force

ibmcloud iam service-api-keys

List all API keys of a service:

ibmcloud iam service-api-keys ([-a, --all], SERVICE_ID_NAME|SERVICE_ID_UUID) [-f, --force]

Command options

-a, --all
Display all API keys that are associated with all services.
SERVICE_ID_NAME (required)
The name of the service ID, exclusive with SERVICE_ID_UUID.
SERVICE_ID_UUID (required)
The UUID of the service ID, exclusive with SERVICE_ID_NAME.
-f, --force
Display service API keys without confirmation.

Examples

List all API keys of the service sample-service:

ibmcloud iam service-api-keys sample-service

ibmcloud iam service-api-key

List details of a service API key:

ibmcloud iam service-api-key (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID) [--uuid] [-f, --force]

Command options

APIKEY_NAME (required)
Name of the API key, exclusive with APIKEY_UUID.
APIKEY_UUID (required)
UUID of the API key, exclusive with APIKEY_NAME.
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID.
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME.
--uuid
Display the UUID of the service API key.
-f, --force
Display service API key without confirmation.

Examples

Show details of service API key sample-key of service sample-service:

ibmcloud iam service-api-key sample-key sample-service

ibmcloud iam service-api-key-create

Create a service API key:

ibmcloud iam service-api-key-create NAME (SERVICE_ID_NAME|SERVICE_ID_UUID) [-d, --description DESCRIPTION] [--file FILE] [-f, --force] [--lock]

Command options

NAME (required)
Name of the service ID or newly created service API key.
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID.
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME.
-d, --description
Description of the API key.
--file FILE
Save API key information to the specified file.
--action-if-leaked value
The action to take if the key is leaked. The options are "NONE", "DISABLE", or "DELETE". The default option is "Disable".
-f, --force
Force creation without confirmation.

Examples

Create a service API key sample-key for service sample-service without confirmation:

ibmcloud iam service-api-key-create sample-key sample-service -f

ibmcloud iam service-api-key-update

Update a service API key:

ibmcloud iam service-api-key-update (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID)  [-n, --name NEW_NAME] [-d, --description DESCRIPTION] [-f, --force]

Command options

APIKEY_NAME (required)
Name of the API key, exclusive with APIKEY_UUID.
APIKEY_UUID (required)
UUID of the API key, exclusive with APIKEY_NAME.
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID.
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME.
-n, --name
The new name of the service API key.
-d, --description
The new description of the service API key.
--action-if-leaked value
The action to take if the key is leaked, can be "NONE", "DISABLE", or "DELETE". The default is "Disable".
-f, --force
Update without confirmation.

Examples

Rename the service API key sample-key to new-sample-key:

ibmcloud iam service-api-key-update sample-key sample-service -n new-sample-key

ibmcloud iam service-api-key-delete

Delete a service API key:

ibmcloud iam service-api-key-delete (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID) [-f, --force]

Command options

APIKEY_NAME (required)
Name of the API key, exclusive with APIKEY_UUID.
APIKEY_UUID (required)
UUID of the API key, exclusive with APIKEY_NAME.
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID.
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME.
-f, --force
Delete without confirmation.

Examples

Delete service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-delete sample-key sample-service

ibmcloud iam service-api-key-lock

Lock a service API key:

ibmcloud iam service-api-key-lock (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID) [-f, --force]

Command options

APIKEY_NAME (required)
Name of the API key, exclusive with APIKEY_UUID.
APIKEY_UUID (required)
UUID of the API key, exclusive with APIKEY_NAME.
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID.
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME.
-f, --force
Lock without confirmation.

Examples

Lock service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-lock sample-key sample-service

ibmcloud iam service-api-key-unlock

Unlock a service API key:

ibmcloud iam service-api-key-unlock (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID) [-f, --force]

Command options

APIKEY_NAME (required)
Name of the API key, exclusive with APIKEY_UUID.
APIKEY_UUID (required)
UUID of the API key, exclusive with APIKEY_NAME.
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID.
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME.
-f, --force
Unlock without confirmation.

Examples

Unlock service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-unlock sample-key sample-service

ibmcloud iam service-api-key-disable

Disable a service API key:

ibmcloud iam service-api-key-disable (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID) [-f, --force]

Command options

APIKEY_NAME (required)
The name of the API key, exclusive with APIKEY_UUID.
APIKEY_UUID (required)
The UUID of the API key, exclusive with APIKEY_NAME.
SERVICE_ID_NAME (required)
The name of the service ID, exclusive with SERVICE_ID_UUID.
SERVICE_ID_UUID (required)
The UUID of the service ID, exclusive with SERVICE_ID_NAME.
-f, --force
Disable without confirmation.

Examples

Disable service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-disable sample-key sample-service

ibmcloud iam service-api-key-enable

Enable a service API key:

ibmcloud iam service-api-key-enable (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID) [-f, --force]

Command options

APIKEY_NAME (required)
The name of the API key, exclusive with APIKEY_UUID.
APIKEY_UUID (required)
The UUID of the API key, exclusive with APIKEY_NAME.
SERVICE_ID_NAME (required)
The name of the service ID, exclusive with SERVICE_ID_UUID.
SERVICE_ID_UUID (required)
The UUID of the service ID, exclusive with SERVICE_ID_NAME.
-f, --force
Enable without confirmation.

Examples

Enable service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-enable sample-key sample-service
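
The service API key commands above can be chained into a rotation in which the old key is disabled before it is deleted, so the change can be reversed with service-api-key-enable. The following is an added example, not IBM's code; the function names, the DRY_RUN variable and the key file path are assumptions, and only commands and options listed on this page are used.

```sh
#!/bin/sh
# Added example (not IBM's code): rotate a service API key with the commands
# documented above. DRY_RUN=1 (the default) prints each command instead of
# running it, so the plan can be reviewed before anything changes.

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create the replacement key, then disable (not delete) the old one.
# Arguments: SERVICE_ID OLD_KEY NEW_KEY KEY_FILE
rotate_begin() {
  if [ $# -ne 4 ] || [ "$2" = "$3" ]; then
    # The commands address keys by name, so old and new names must differ.
    echo "usage: rotate_begin SERVICE_ID OLD_KEY NEW_KEY KEY_FILE" >&2
    return 2
  fi
  service_id=$1; old_key=$2; new_key=$3; key_file=$4
  if [ -e "$key_file" ]; then
    echo "refusing to overwrite existing key file: $key_file" >&2
    return 3
  fi
  # umask 077 in a subshell: the file written by --file is readable by the
  # owner only, and the caller's umask is left untouched.
  ( umask 077
    run ibmcloud iam service-api-key-create "$new_key" "$service_id" \
      -d "replaces $old_key" --file "$key_file" \
      --action-if-leaked DELETE -f ) || return 1
  run ibmcloud iam service-api-key-disable "$old_key" "$service_id" -f
}

# Step 2a: a consumer still needed the old key, so turn it back on.
# Arguments: SERVICE_ID OLD_KEY
rotate_rollback() {
  run ibmcloud iam service-api-key-enable "$2" "$1" -f
}

# Step 2b: every consumer works with the new key, so remove the old one.
# Arguments: SERVICE_ID OLD_KEY
rotate_finish() {
  run ibmcloud iam service-api-key-delete "$2" "$1" -f
}

# Demo (dry run): print the plan for the sample names used on this page.
rotate_begin sample-service sample-key sample-key-2 ./sample-key-2.json || true
```

Run with DRY_RUN=0 to execute the commands; move the key file into a secret store and remove it from disk once the consumers are updated.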

ibmcloud iam user-policies

List all access policies for a specified user:

ibmcloud iam user-policies USER_NAME

Command options

USER_NAME (required)
User name to whom the policies belong.

Examples

List policies of user name@example.com:

ibmcloud iam user-policies name@example.com

ibmcloud iam user-policy

Display details of an access policy for a user:

ibmcloud iam user-policy USER_NAME POLICY_ID [--output FORMAT] [-q, --quiet] [--api-version v1 | v2]

Command options

USER_NAME (required)
User name to whom the policy belongs.
POLICY_ID (required)
ID of the policy.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

List policy 0bb730daa of user name@example.com:

ibmcloud iam user-policy name@example.com 0bb730daa

ibmcloud iam user-policy-create

Create an access policy for the specified user in the current account:

ibmcloud iam user-policy-create USER_NAME {--file JSON_FILE | --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID] [--account-management] [--attributes name=value,name=value...]} [--output FORMAT] [-q, --quiet] [--api-version v1 | v2]

Command options

USER_NAME (required)
Username to whom the policy belongs.
--file FILE (optional)
JSON file of policy definition. You can use advanced operators in a JSON policy document to grant access to resources that satisfy specific naming conventions. For more information about using advanced operators to create wildcard policies, see Assigning access by using wildcard policies.
--roles ROLE_NAME1,ROLE_NAME2... (optional)
Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME. This option is exclusive with the --file option.
--service-name SERVICE_NAME (optional)
Service name of the policy definition. This option is exclusive with the --file option.
--service-instance SERVICE_INSTANCE_GUID (optional)
GUID of service instance of the policy definition. This option is exclusive with the --file option.
--region REGION (optional)
Region of the policy definition. This option is exclusive with the --file option.
--resource-type RESOURCE_TYPE (optional)
Resource type of the policy definition. This option is exclusive with the --file option.
--resource RESOURCE (optional)
Resource of the policy definition. This option is exclusive with the --file option.
--resource-group-name RESOURCE_GROUP_NAME (optional)
Name of the resource group. * means all resource groups. This option is exclusive with the --file, --resource and --resource-group-id options.
--resource-group-id RESOURCE_GROUP_ID (optional)
ID of the resource group. * means all resource groups. This option is exclusive with the --file, --resource and --resource-group-name options.
--account-management (optional)
Give access to all account management services.
--attributes name=value,name=value...
Set resource attributes in the form of name=value,name=value....
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

Create user policy for user name@example.com from policy JSON file policy.json:

ibmcloud iam user-policy-create name@example.com --file @policy.json

Give name@example.com Administrator role for all instances of sample-service service:

ibmcloud iam user-policy-create name@example.com --roles Administrator --service-name sample-service

Give name@example.com Editor role and a custom role Responder for all instances of sample-service service:

ibmcloud iam user-policy-create name@example.com --roles Editor,Responder --service-name sample-service

Give name@example.com Editor role for resource key123 of sample service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam user-policy-create name@example.com --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south --resource-type key --resource key123

Give name@example.com Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-create name@example.com --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Give name@example.com Viewer role for the members of the resource group sample-resource-group:

ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-group-name sample-resource-group

Give name@example.com Viewer role for the members of the resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6

Give name@example.com Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam user-policy-create name@example.com --roles Viewer --service-name is --attributes "instanceId=*"

ibmcloud iam user-policy-update

Update an access policy for the specified user in the current account:

ibmcloud iam user-policy-update USER_NAME POLICY_ID {--file JSON_FILE | [--roles ROLE_NAME1,ROLE_NAME2...] [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID] [--account-management] [--attributes name=value,name=value...]} [--output FORMAT] [-q, --quiet] [--api-version v1 | v2]

Command options

USER_NAME (required)
Username to whom the policy belongs.
POLICY_ID (required)
ID of the policy to update.
--file FILE (optional)
JSON file of policy definition.
--roles ROLE_NAME1,ROLE_NAME2... (optional)
Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME. This option is exclusive with the --file option.
--service-name SERVICE_NAME (optional)
Service name of the policy definition. This option is exclusive with the --file option.
--service-instance SERVICE_INSTANCE_GUID (optional)
GUID of service instance of the policy definition. This option is exclusive with the --file option.
--region REGION (optional)
Region of the policy definition. This option is exclusive with the --file option.
--resource-type RESOURCE_TYPE (optional)
Resource type of the policy definition. This option is exclusive with the --file option.
--resource RESOURCE (optional)
Resource of the policy definition. This option is exclusive with the --file option.
--resource-group-name RESOURCE_GROUP_NAME (optional)
Name of the resource group. * means all resource groups. This option is exclusive with the --file, --resource and --resource-group-id options.
--resource-group-id RESOURCE_GROUP_ID (optional)
ID of the resource group. * means all resource groups. This option is exclusive with the --file, --resource and --resource-group-name options.
--account-management (optional)
Give access to all account management services.
--attributes name=value,name=value...
Set resource attributes in the form of 'name=value,name=value....'
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

Update user policy with the one in JSON file:

ibmcloud iam user-policy-update name@example.com 0bb730daa --file @policy.json

Update user policy to give name@example.com Administrator role for all instances of sample-service service:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Administrator --service-name sample-service

Update user policy to give name@example.com Editor role and a custom role Responder for all instances of sample-service service:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Editor,Responder --service-name sample-service

Update user policy to give name@example.com Editor role for resource key123 of sample service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south --resource-type key --resource key123

Update user policy to give name@example.com Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Update user policy to give name@example.com Viewer role for members of the resource group sample-resource-group:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Viewer --resource-group-name sample-resource-group

Update user policy to give name@example.com Viewer role for members of a resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6

Update user policy to give name@example.com Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Viewer --service-name is --attributes "instanceId=*"

ibmcloud iam user-policy-delete

Delete an access policy for the specified user:

ibmcloud iam user-policy-delete USER_ID POLICY_ID [-f, --force] [-q, --quiet] [--api-version v1 | v2]

Command options

-f, --force
Delete user policy without confirmation.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

Delete policy user-policy-id of user name@example.com:

ibmcloud iam user-policy-delete name@example.com user-policy-id

Delete policy user-policy-id of user name@example.com without confirmation:

ibmcloud iam user-policy-delete name@example.com user-policy-id -f

ibmcloud iam service-policies

List all access policies for a specified service ID:

ibmcloud iam service-policies SERVICE_ID [-f, --force] [-q, --quiet] [--api-version v1 | v2]

Command options

SERVICE_ID (required)
Name or UUID of service ID.
-f, --force (optional)
Display service policies without confirmation.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

List policies of service test:

ibmcloud iam service-policies test

List policies of service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policies ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-policy

Display details of an access policy for a specified service ID:

ibmcloud iam service-policy SERVICE_ID POLICY_ID [--output FORMAT] [-f, --force] [-q, --quiet] [--api-version v1 | v2]

Command options

SERVICE_ID (required)
Name or UUID of service ID.
POLICY_ID (required)
ID of the service policy.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-f, --force (optional)
Display service policy without confirmation.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

Show policy 140798e2-8ea7db3 of service test:

ibmcloud iam service-policy test 140798e2-8ea7db3

Show policy 140798e2-8ea7db3 of service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policy ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 140798e2-8ea7db3

ibmcloud iam service-policy-create

Create an access policy and assign it to a service ID:

ibmcloud iam service-policy-create SERVICE_ID {--file JSON_FILE | -r, --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID] [--account-management] [--attributes name=value,name=value...]} [--output FORMAT] [-q, --quiet] [-f, --force] [--api-version v1 | v2]

Command options

SERVICE_ID (required)
Name or UUID of service ID.
--file
JSON file of policy definition. This option is exclusive with the -r, --roles, --service-name, --service-instance, --region, --resource-type, --resource, --resource-group-name and --resource-group-id options. You can use advanced operators in a JSON policy document to grant access to resources that satisfy specific naming conventions. For more information about using advanced operators to create wildcard policies, see Assigning access by using wildcard policies.
-r, --roles
Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME. This option is exclusive with the --file option.
--service-name
Service name of the policy definition. This option is exclusive with the --file option.
--service-instance SERVICE_INSTANCE_GUID
GUID of service instance of the policy definition. This option is exclusive with the --file option.
--region
Region of the policy definition. This option is exclusive with the --file option.
--resource-type
Resource type of the policy definition. This option is exclusive with the --file option.
--resource
Resource of the policy definition. This option is exclusive with the --file option.
--resource-group-name
Name of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-id options.
--resource-group-id
ID of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-name options.
--account-management (optional)
Give access to all account management services.
--attributes name=value,name=value...
Set resource attributes in the form of 'name=value,name=value....'
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
-f, --force
Create a service policy without confirmation.
--api-version
Version of the access policy API.

Examples

Create service policy from JSON file for service test:

ibmcloud iam service-policy-create test --file @policy.json

Create service policy from JSON file for service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policy-create ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 --file @policy.json

Grant service test the Administrator role for all account management services:

ibmcloud iam service-policy-create test --roles Administrator --account-management

Grant service test the Viewer role for all resources in account:

ibmcloud iam service-policy-create test --roles Viewer

Grant service test the Viewer role and a custom role Responder for all sample service instances in the account:

ibmcloud iam service-policy-create test --roles Viewer,Responder --service-name sample

Give service sample-service the Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam service-policy-create sample-service --roles Viewer --service-name is --attributes "instanceId=*"
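
The option lists for user-policy-create and service-policy-create state which options exclude each other and which forms grant account-wide access. The following pre-flight check for a proposed option set is an added example, not IBM's code; the function name lint_policy_args and the message texts are assumptions.

```sh
#!/bin/sh
# Added example (not IBM's code): lint the options that would follow
# `ibmcloud iam user-policy-create USER_NAME` or
# `ibmcloud iam service-policy-create SERVICE_ID`.
# Prints one finding per line. Status 0 = no ERROR (WARN lines are advisory),
# 1 = the option set breaks a rule from the option lists on this page.
# The body is a subshell "( ... )" so its variables do not leak to the caller.

lint_policy_args() (
  file=0; defn=0; svc=0; narrowed=0; resource=0; acct=0
  roles=""; rg_name=""; rg_id=""; attrs=""; rc=0

  while [ $# -gt 0 ]; do
    opt=$1
    case $opt in
      --account-management)
        acct=1; defn=1; shift; continue ;;
      --file|-r|--roles|--service-name|--service-instance|--region|\
      --resource-type|--resource|--resource-group-name|--resource-group-id|\
      --attributes)
        if [ $# -lt 2 ]; then echo "ERROR: $opt needs a value"; exit 1; fi
        val=$2; shift 2 ;;
      *)
        shift; continue ;;   # --output, -q, -f, --api-version: no effect on scope
    esac
    case $opt in
      --file) file=1 ;;
      -r|--roles) roles=$val; defn=1 ;;
      --service-name) svc=1; defn=1 ;;
      --service-instance|--region|--resource-type) narrowed=1; defn=1 ;;
      --resource) resource=1; narrowed=1; defn=1 ;;
      --resource-group-name) rg_name=$val; defn=1 ;;
      --resource-group-id) rg_id=$val; defn=1 ;;
      --attributes) attrs=$val; defn=1 ;;
    esac
  done

  # Mutual exclusions taken from the synopsis and option descriptions.
  if [ "$file" = 1 ] && [ "$defn" = 1 ]; then
    echo "ERROR: --file is exclusive with the role and resource options"; rc=1
  fi
  if [ "$file" = 0 ] && [ -z "$roles" ]; then
    echo "ERROR: --roles is required when --file is not used"; rc=1
  fi
  if [ -n "$rg_name" ] && [ -n "$rg_id" ]; then
    echo "ERROR: --resource-group-name and --resource-group-id are exclusive"; rc=1
  fi
  # Documented for user-policy-create; applied to both commands here.
  if [ "$resource" = 1 ] && [ -n "$rg_name$rg_id" ]; then
    echo "ERROR: --resource is exclusive with the resource group options"; rc=1
  fi

  # Broad grants that deserve a second look before they are created.
  if [ "$acct" = 1 ]; then
    echo "WARN: --account-management covers all account management services"
  fi
  if [ "$rg_name" = "*" ] || [ "$rg_id" = "*" ]; then
    echo "WARN: resource group * means all resource groups"
  fi
  case $attrs in
    *=\**) echo "WARN: wildcard attribute value in --attributes ($attrs)" ;;
  esac
  if [ "$file" = 0 ] && [ -n "$roles" ] && [ "$acct" = 0 ] && [ "$svc" = 0 ] \
     && [ "$narrowed" = 0 ] && [ -z "$rg_name$rg_id$attrs" ]; then
    echo "WARN: no resource scope given; roles apply to all resources in the account"
  elif [ "$svc" = 1 ] && [ "$narrowed" = 0 ] && [ -z "$rg_name$rg_id$attrs" ]; then
    echo "WARN: roles apply to all instances of the service"
  fi
  case ",$roles," in
    *,Administrator,*) echo "WARN: Administrator role requested" ;;
  esac
  exit "$rc"
)

# Demo on two option sets taken from the examples on this page.
lint_policy_args --roles Viewer || true
lint_policy_args --roles Viewer --service-name is --attributes "instanceId=*" || true
```

A policy passed with --file is not inspected by this check; review the JSON document itself, especially when it uses wildcard operators.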

ibmcloud iam service-policy-update

Update an access policy for a service ID:

ibmcloud iam service-policy-update SERVICE_ID POLICY_ID {--file JSON_FILE | [-r, --roles ROLE_NAME1,ROLE_NAME2...] [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID] [--account-management] [--attributes name=value,name=value...]} [--output FORMAT] [-q, --quiet] [-f, --force] [--api-version v1 | v2]

Command options

SERVICE_ID (required)
Name or UUID of service ID.
POLICY_ID (required)
ID of the service policy.
--file
JSON file of policy definition. This option is exclusive with the -r, --roles, --service-name, --service-instance, --region, --resource-type, --resource, --resource-group-name, and --resource-group-id options.
-r, --roles
Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME. This option is exclusive with the --file option.
--service-name
Service name of the policy definition. This option is exclusive with the --file option.
--service-instance SERVICE_INSTANCE_GUID
GUID of service instance of the policy definition. This option is exclusive with the --file option.
--region
Region of the policy definition. This option is exclusive with the --file option.
--resource-type
Resource type of the policy definition. This option is exclusive with the --file option.
--resource
Resource of the policy definition. This option is exclusive with the --file option.
--resource-group-name
Name of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-id options.
--resource-group-id
ID of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-name options.
--account-management (optional)
Give access to all account management services.
--attributes name=value,name=value...
Set resource attributes in the form of 'name=value,name=value....'
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
-f, --force
Update service policy without confirmation.
--api-version
Version of the access policy API.

Examples

Update service policy 140798e2-8ea7db3 from JSON file for service test:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --file @policy.json

Update service policy 140798e2-8ea7db3 to grant service test the Administrator role for all account management services:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --roles Administrator --account-management

Update service policy 140798e2-8ea7db3 to grant service test the Viewer role for all resources in account:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --roles Viewer

Update the service policy 140798e2-8ea7db3 to grant service test the Viewer role and a custom role Responder for all sample service instances in the account:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --roles Viewer,Responder --service-name sample

Update service policy 140798e2-8ea7db3 to grant service test the Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --roles Viewer --service-name is --attributes "instanceId=*"

ibmcloud iam service-policy-delete

Delete an access policy for a service ID:

ibmcloud iam service-policy-delete SERVICE_ID POLICY_ID [-f, --force] [-q, --quiet] [--api-version v1 | v2]

Command options

SERVICE_ID (required)
Name or UUID of service ID.
POLICY_ID (required)
ID of the service policy.
-f, --force
Delete without confirmation.
-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
--api-version
Version of the access policy API.

Examples

Delete policy 140798e2-8ea7db3 of service test:

ibmcloud iam service-policy-delete test 140798e2-8ea7db3

Delete policy 140798e2-8ea7db3 of service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policy-delete ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 140798e2-8ea7db3

ibmcloud iam logins

Retrieve and display recent login history:

ibmcloud iam logins

ibmcloud iam oauth-tokens

Retrieve and display the OAuth tokens for the current session:

ibmcloud iam oauth-tokens

ibmcloud iam roles

List platform, service-defined, and custom roles:

ibmcloud iam roles [--service SERVICE_NAME [--resource-type RESOURCE_TYPE] [--source-service SOURCE_SERVICE_NAME]] [--roles ROLE_NAME]

Command options

--resource-type
Resource type of the service. '--service' must be set along with this option.
--roles ROLE_NAME1,ROLE_NAME2...
Show details of specific roles.
--service SERVICE_NAME
Name of the service. Only list platform-defined roles if not specified.
--source-service
Name of the service. Only list platform-defined roles if not specified. This option does not support private endpoints.

Examples

List platform default access roles and custom roles:

ibmcloud iam roles

List details of platform default access policy roles Administrator, Operator:

ibmcloud iam roles --roles Administrator,Operator

List details of access policy role Writer of cloud-object-storage service in JSON format:

ibmcloud iam roles --service cloud-object-storage --roles Writer --output JSON

List access policy roles for all account management services in JSON:

ibmcloud iam roles --service allacctmgmtroles --output JSON

List details of resource group access policy role Administrator:

ibmcloud iam roles --service resource-controller --roles Administrator

List details of access policy roles of resource type image of service is:

ibmcloud iam roles --service is --resource-type image

List authorization roles for source service cloud-object-storage and target service kms:

ibmcloud iam roles --source-service cloud-object-storage --service kms

ibmcloud iam role-create

Create a role:

ibmcloud iam role-create ROLE_NAME --display-name DISPLAY_NAME --service-name SERVICE_NAME [-a, --actions ROLE_ACTION1,ROLE_ACTION2...] [-d, --description DESCRIPTION] [--output FORMAT] [-q, --quiet]

Command options

--display-name DISPLAY_NAME
The display name of the role that is shown in the console.
--service-name SERVICE_NAME
The name of the service.
-a, --actions ROLE_ACTION1,ROLE_ACTION2...
The actions of the role. For more information, see IAM roles and actions.
-d, --description DESCRIPTION
The description of the role.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Create a role to perform any Cloudant database action:

ibmcloud iam role-create CloudDBAdmin --display-name "Cloudant DB Administrator" --service-name cloudantnosqldb --actions cloudantnosqldb.db.any

Create a role for read-only access to Certificate Manager by using multiple role actions:

ibmcloud iam role-create ReadonlyCertManager --display-name "Readonly Certificate Manager" --service-name cloudcerts --actions cloudcerts.certificate-metadata.read,cloudcerts.notifications-channel.list

Create a role to view toolchain dashboards and return the role in JSON format:

ibmcloud iam role-create PreviewCDCI --display-name "Preview Toolchains" --service-name toolchain --actions toolchain.dashboard.view --output JSON

Create a role that has a description:

ibmcloud iam role-create ServiceIDCreator --display-name "Service ID Creator" --service-name iam-identity --actions iam-identity.serviceid.create --description "Can only create service keys"

ibmcloud iam access-policies

List all access policies under the current account:

ibmcloud iam access-policies [-t, --type user | service_id | access_group | trusted_profile] [--sort-by id | type | href | created_at | created_by_id | last_modified_at | last_modified_by_id | state] [--output FORMAT] [-q, --quiet] [--api-version v1 | v2]

Command options

-t, --type ACCESS_POLICY_TYPE
List all access policies under the current account filtered by policy type. Valid options are: user | service_id | access_group | trusted_profile
--sort-by ATTRIBUTE
Sort the policies based on attributes. Valid options are: id | type | href | created_at | created_by_id | last_modified_at | last_modified_by_id | state. Prepend a minus (for example, -id, -type) for reverse sorting.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

List all access policies under the current account:

ibmcloud iam access-policies

List all user access policies under the current account:

ibmcloud iam access-policies --type user

List all service ID access policies under the current account:

ibmcloud iam access-policies --type service_id

List all access group access policies under the current account:

ibmcloud iam access-policies --type access_group

List all trusted profile access policies under the current account:

ibmcloud iam access-policies --type trusted_profile

List all trusted profile access policies that are sorted by created_at in ascending order under the current account:

ibmcloud iam access-policies --type trusted_profile --sort-by created_at

List all user access policies that are sorted by last_modified_at in descending order under the current account:

ibmcloud iam access-policies --type user --sort-by -last_modified_at
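The following Python audit is an added example, not part of the IBM documentation. It reads the JSON from ibmcloud iam access-policies --output JSON and flags the broad grants that the examples on this page create: Administrator with --account-management, roles with no service or resource group scope, and * attribute values. The attribute names (serviceType, serviceName, resourceGroupId, and so on), the top-level JSON shape, and the sample policies are assumptions modeled on the v1 policy format; verify them against your own CLI output.

```python
import json
import sys

# Attributes that narrow a policy to a service, instance, or resource group.
# Names are assumed from the v1 policy JSON shape; confirm on real output.
SCOPE_ATTRS = {"serviceName", "serviceInstance", "region", "resourceType",
               "resource", "resourceGroupId"}

# Constructed sample input. All IDs are placeholders, not real values.
SAMPLE = json.loads("""
[
 {"id": "policy-0001",
  "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-EXAMPLE-1"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
  "resources": [{"attributes": [
    {"name": "accountId", "value": "ACCOUNT_ID"},
    {"name": "serviceType", "value": "platform_service"}]}]},
 {"id": "policy-0002",
  "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-EXAMPLE-1"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer"}],
  "resources": [{"attributes": [
    {"name": "accountId", "value": "ACCOUNT_ID"}]}]},
 {"id": "policy-0003",
  "subjects": [{"attributes": [{"name": "access_group_id", "value": "AccessGroupId-EXAMPLE"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer"}],
  "resources": [{"attributes": [
    {"name": "accountId", "value": "ACCOUNT_ID"},
    {"name": "serviceName", "value": "is"},
    {"name": "instanceId", "value": "*"}]}]},
 {"id": "policy-0004",
  "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-EXAMPLE-2"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer", "display_name": "Viewer"},
            {"role_id": "CUSTOM_ROLE_CRN", "display_name": "Responder"}],
  "resources": [{"attributes": [
    {"name": "accountId", "value": "ACCOUNT_ID"},
    {"name": "serviceName", "value": "sample"}]}]}
]
""")


def _resource_attrs(policy):
    """Flatten all resource attributes of a policy into a name -> value dict."""
    attrs = {}
    for resource in policy.get("resources", []):
        for attr in resource.get("attributes", []):
            attrs[attr.get("name")] = attr.get("value")
    return attrs


def _role_names(policy):
    """Prefer display_name; otherwise use the last segment of the role CRN."""
    return [r.get("display_name") or r.get("role_id", "").rsplit(":", 1)[-1]
            for r in policy.get("roles", [])]


def _subject(policy):
    """Return the first subject attribute value, or 'unknown'."""
    for subject in policy.get("subjects", []):
        for attr in subject.get("attributes", []):
            return attr.get("value", "unknown")
    return "unknown"


def audit(data):
    """Return one finding per policy that grants broader access than a scoped role."""
    # Accept either a bare list or an object wrapping the list under "policies".
    policies = data.get("policies", []) if isinstance(data, dict) else data
    findings = []
    for policy in policies:
        attrs, roles, reasons = _resource_attrs(policy), _role_names(policy), []
        account_mgmt = attrs.get("serviceType") == "platform_service"
        if account_mgmt and "Administrator" in roles:
            reasons.append("Administrator on all account management services")
        if not account_mgmt and not SCOPE_ATTRS.intersection(attrs):
            reasons.append("account-wide: no service or resource group scope")
        wildcards = sorted(n for n, v in attrs.items() if v == "*")
        if wildcards:
            reasons.append("wildcard value for: " + ", ".join(wildcards))
        if reasons:
            findings.append({"id": policy.get("id"), "subject": _subject(policy),
                             "roles": roles, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: ibmcloud iam access-policies --output JSON > policies.json
    #        python audit_policies.py policies.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = json.load(fh)
    else:
        source = SAMPLE
    for f in audit(source):
        print(f"{f['id']} {f['subject']} {','.join(f['roles'])}: {'; '.join(f['reasons'])}")
```

Run it without arguments to see the findings for the constructed sample, or pass a file that holds the saved JSON output.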

ibmcloud iam access-policy-template

Show details of an access policy template under the current account:

ibmcloud iam access-policy-template (TEMPLATE_ID | TEMPLATE_NAME) [--output FORMAT] [-q, --quiet]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Show access policy template AccessPolicyUserTemplate:

ibmcloud iam access-policy-template AccessPolicyUserTemplate

ibmcloud iam access-policy-templates

List all access policy templates under current account:

ibmcloud iam access-policy-templates [--output FORMAT] [-q, --quiet]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

List all access policy templates under current account:

ibmcloud iam access-policy-templates

ibmcloud iam access-policy-template-create

Create an access policy template:

ibmcloud iam access-policy-template-create --file JSON_FILE [-q, --quiet]

Command options

--file JSON_FILE
JSON file of access policy template definition.
-q, --quiet
Suppress verbose output.

Examples

Create an access policy template:

ibmcloud iam access-policy-template-create --file /path/to/access_policy_template.json

ibmcloud iam access-policy-template-version

Get a version of an access policy template:

ibmcloud iam access-policy-template-version (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION [-q, --quiet] [--output JSON]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Show version 1 of access policy template AccessPolicyUserTemplate:

ibmcloud iam access-policy-template-version AccessPolicyUserTemplate 1

ibmcloud iam access-policy-template-version-create

Create a new version of an access policy template:

ibmcloud iam access-policy-template-version-create (TEMPLATE_ID | TEMPLATE_NAME) [--file JSON_FILE] [-q, --quiet]

Command options

--file JSON_FILE
JSON file of access policy template definition.
-q, --quiet
Suppress verbose output.

Examples

Create a new version for access policy template AccessPolicyUserTemplate:

ibmcloud iam access-policy-template-version-create AccessPolicyUserTemplate --file /path/to/access_policy_template.json

ibmcloud iam access-policy-template-version-update

Update an existing version of an access policy template:

ibmcloud iam access-policy-template-version-update (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION --file JSON_FILE [-q, --quiet] [--output FORMAT]

Command options

--file JSON_FILE
JSON file of access policy template definition.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Update version 1 of access policy template AccessPolicyUserTemplate:

ibmcloud iam access-policy-template-version-update AccessPolicyUserTemplate 1 --file /path/to/access_policy_template.json

ibmcloud iam access-policy-template-version-delete

Delete a version of an access policy template:

ibmcloud iam access-policy-template-version-delete (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION [-q, --quiet] [-f, --force]

Command options

-f, --force
Force deletion without confirmation.
-q, --quiet
Suppress verbose output.

Examples

Delete version 2 of access policy template AccessPolicyUserTemplate:

ibmcloud iam access-policy-template-version-delete AccessPolicyUserTemplate 2

ibmcloud iam access-policy-template-version-commit

Commit a version of an access policy template:

ibmcloud iam access-policy-template-version-commit (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION [-q, --quiet]

Command options

-q, --quiet
Suppress verbose output.

Examples

Commit version 1 of access policy template AccessPolicyUserTemplate:

ibmcloud iam access-policy-template-version-commit AccessPolicyUserTemplate 1

ibmcloud iam access-policy-assignment

Show details of an access policy assignment:

ibmcloud iam access-policy-assignment ASSIGNMENT_ID [-q, --quiet] [--output FORMAT]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Show access policy assignment AccessPolicyAssignment-adee40a7f8324d6fbcd4c4a67b326eb5:

ibmcloud iam access-policy-assignment AccessPolicyAssignment-adee40a7f8324d6fbcd4c4a67b326eb5

ibmcloud iam access-policy-assignments

List all access policy assignments on the current account:

ibmcloud iam access-policy-assignments [--output FORMAT] [-q, --quiet]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

List all access policy template assignments under current account:

ibmcloud iam access-policy-assignments

ibmcloud iam account-policies

List all account policies under current account:

ibmcloud iam account-policies [-t, --type access | auth] [--output FORMAT] [-q, --quiet] [--api-version v1 | v2]

Command options

-t, --type access | auth
List all policies under current account filtered by policy type. Valid options are: access | auth
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

List all account policies under current account:

ibmcloud iam account-policies

List all authorization policies under current account. Provides the same list as ibmcloud iam authorization-policies:

ibmcloud iam account-policies -t auth

List all access policies under current account. Provides the same list as ibmcloud iam access-policies:

ibmcloud iam account-policies -t access

ibmcloud iam authorization-policy-create

Create an authorization policy to allow a service instance access to another service instance:

ibmcloud iam authorization-policy-create { SOURCE_SERVICE_NAME TARGET_SERVICE_NAME ROLE_NAME1,ROLE_NAME2... [--source-service-instance-name SOURCE_SERVICE_INSTANCE_NAME | --source-service-instance-id SOURCE_SERVICE_INSTANCE_ID] [--source-service-account ACCOUNT_GUID] [--source-resource-group-id RESOURCE_GROUP_ID] [--source-resource-type RESOURCE_TYPE] [--source-resource RESOURCE] [--target-service-instance-name TARGET_SERVICE_INSTANCE_NAME | --target-service-instance-id TARGET_SERVICE_INSTANCE_ID] [--target-resource-group-id RESOURCE_GROUP_ID] [--target-resource-type RESOURCE_TYPE] [--target-resource RESOURCE] | --file JSON_FILE } [--output FORMAT] [-q, --quiet]

Command options

SOURCE_SERVICE_NAME
The source service that can be authorized to access. To find the service's name, run the ibmcloud catalog service-marketplace command.
TARGET_SERVICE_NAME
The target service that the source service can be authorized to access. To find the service's name, run the ibmcloud catalog service-marketplace command.
ROLE_NAME1,ROLE_NAME2...
The roles that provide access for the source service.
--source-service-instance-name SOURCE_SERVICE_INSTANCE_NAME
Source service instance name, mutually exclusive with --source-service-instance-id and --source-service-account. If source service instance is not specified, all instances of the source service are authorized to access.
--source-service-instance-id SOURCE_SERVICE_INSTANCE_ID
Source service instance ID, mutually exclusive with --source-service-instance-name. If not specified, all instances of the source service are authorized to access.
--source-service-account ACCOUNT_GUID
Account GUID of source service, mutually exclusive with --source-service-instance-name. Use this option if source service is from another account.
--source-resource-group-id RESOURCE_GROUP_ID
Source resource group ID, mutually exclusive with '--source-service-instance-id'.
--source-resource-type
Resource type of source service.
--source-resource
Resource of source service.
--target-service-instance-name TARGET_SERVICE_INSTANCE_NAME
Target service instance name, mutually exclusive with --target-service-instance-id. If not specified, all instances of the target service are authorized to access.
--target-service-instance-id TARGET_SERVICE_INSTANCE_ID
Target service instance ID, mutually exclusive with --target-service-instance-name. If not specified, all instances of the target service are authorized to access.
--target-resource-group-id RESOURCE_GROUP_ID
Target resource group ID, mutually exclusive with '--target-service-instance-id'.
--target-resource-type
Resource type of target service.
--target-resource
Resource of target service.
--file FILE
JSON file of policy definition.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Currently, some combinations of --source-service and --service might fail under private endpoints. Use --file as a workaround, or create the policy from public endpoints or the UI console.

ibmcloud iam authorization-policy-delete

Delete an authorization policy:

ibmcloud iam authorization-policy-delete AUTHORIZATION_POLICY_ID [-f, --force]

Command options

AUTHORIZATION_POLICY_ID
ID of authorization policy to be deleted.
-f, --force
Delete without confirmation.

ibmcloud iam authorization-policy

Show details of an authorization policy:

ibmcloud iam authorization-policy AUTHORIZATION_POLICY_ID [--output FORMAT] [-q, --quiet] [--api-version v1 | v2]

Command options

AUTHORIZATION_POLICY_ID
ID of authorization policy to show.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

ibmcloud iam authorization-policies

List authorization policies under the current account:

ibmcloud iam authorization-policies

ibmcloud iam access-groups

List access groups under current account:

ibmcloud iam access-groups [-u USER_NAME | -s SERVICE_ID_NAME | -p (PROFILE_NAME | PROFILE_ID)] [--output FORMAT] [-q, --quiet]

Command options

-u
List access groups the user belongs to. This option is exclusive to '-s' and '-p'.
-s
List access groups the service ID belongs to. This option is exclusive to '-u' and '-p'.
-p
List access groups the trusted profile belongs to. This option is exclusive to '-s' and '-u'.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

List all access groups:

ibmcloud iam access-groups

List all access groups the trusted profile test_profile belongs to:

ibmcloud iam access-groups -p test_profile

ibmcloud iam access-group

Show details of an access group:

ibmcloud iam access-group GROUP_NAME [--id]

Command options

--id
Show the ID only.

Examples

Show details of access group example_group:

ibmcloud iam access-group example_group

ibmcloud iam access-group-create

Create an access group:

ibmcloud iam access-group-create GROUP_NAME [-d, --description DESCRIPTION]

Command options

-d, --description
Description of access group.

Examples

Create an access group example_group:

ibmcloud iam access-group-create example_group -d "example access group"

ibmcloud iam access-group-update

Update an access group:

ibmcloud iam access-group-update GROUP_NAME [-n, --name NEW_NAME] [-d, --description NEW_DESCRIPTION] [-f, --force]

Command options

-n, --name
New access group name.
-d, --description
New description.
-f, --force
Force update without confirmation.

Examples

Rename access group example_group to hello_world_group:

ibmcloud iam access-group-update example_group --name "hello_world_group"

ibmcloud iam access-group-delete

Delete an access group:

ibmcloud iam access-group-delete GROUP_NAME [-f, --force] [-r, --recursive] [-a, --all]

Command options

-f, --force
Force deletion without confirmation.
-r, --recursive
Delete an access group and its members.
-a, --all
Force to delete access groups with the same name.

Examples

Delete access group example_group:

ibmcloud iam access-group-delete example_group --force

ibmcloud iam access-group-users

List users in an access group:

ibmcloud iam access-group-users GROUP_NAME

Examples

List all users in access group example_group:

ibmcloud iam access-group-users example_group

ibmcloud iam access-group-user-add

Add users to an access group:

ibmcloud iam access-group-user-add GROUP_NAME USER_NAME [USER_NAME2...]

Examples

Add user name@example.com to access group example_group:

ibmcloud iam access-group-user-add example_group name@example.com

ibmcloud iam access-group-user-remove

Remove a user from an access group:

ibmcloud iam access-group-user-remove GROUP_NAME USER_NAME

Examples

Remove user name@example.com from access group example_group:

ibmcloud iam access-group-user-remove example_group name@example.com

ibmcloud iam access-group-user-purge

Remove user from all access groups:

ibmcloud iam access-group-user-purge USER_NAME [-f, --force]

Command options

-f, --force
Delete without confirmation.

Examples

Remove user name@example.com from all access groups:

ibmcloud iam access-group-user-purge name@example.com -f

ibmcloud iam access-group-service-ids

List service IDs in an access group:

ibmcloud iam access-group-service-ids GROUP_NAME

Examples

List all service IDs in access group example_group:

ibmcloud iam access-group-service-ids example_group

ibmcloud iam access-group-service-id-add

Add a service ID to an access group:

ibmcloud iam access-group-service-id-add GROUP_NAME SERVICE_ID_NAME [SERVICE_ID_NAME2...]

Examples

Add service ID example-service to access group example_group:

ibmcloud iam access-group-service-id-add example_group example-service

ibmcloud iam access-group-service-id-remove

Remove a service ID from an access group:

ibmcloud iam access-group-service-id-remove GROUP_NAME SERVICE_ID_NAME

Examples

Remove service ID example-service from access group example_group:

ibmcloud iam access-group-service-id-remove example_group example-service

ibmcloud iam access-group-service-id-purge

Remove service ID from all access groups:

ibmcloud iam access-group-service-id-purge SERVICE_ID_NAME [-f, --force]

Command options

-f, --force
Delete without confirmation.

Examples

Remove service ID example-service from all access groups:

ibmcloud iam access-group-service-id-purge example-service --force

ibmcloud iam access-group-trusted-profiles

List trusted profiles of an access group:

ibmcloud iam access-group-trusted-profiles GROUP_NAME [--output FORMAT] [-q, --quiet]

Command options

GROUP_NAME (required)
Name of the access group.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

List all trusted profiles in access group example_group:

ibmcloud iam access-group-trusted-profiles example_group

ibmcloud iam access-group-trusted-profile-add

Add trusted profiles to an access group:

ibmcloud iam access-group-trusted-profile-add GROUP_NAME (PROFILE_NAME | PROFILE_ID) [PROFILE_NAME2 | PROFILE_ID2...] [--output FORMAT] [-q, --quiet]

Command options

GROUP_NAME (required)
The name of the access group.
PROFILE_NAME | PROFILE_ID (required)
The names or IDs of the trusted profiles to add to the access group.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Add a trusted profile my-profile to access group example_group:

ibmcloud iam access-group-trusted-profile-add example_group my-profile

ibmcloud iam access-group-trusted-profile-remove

Remove a trusted profile from an access group:

ibmcloud iam access-group-trusted-profile-remove GROUP_NAME (PROFILE_NAME | PROFILE_ID) [-f, --force] [-q, --quiet]

Command options

GROUP_NAME (required)
Name of the access group.
PROFILE_NAME | PROFILE_ID (required)
Name or ID of the trusted profile to remove from the access group.
-f, --force
Remove without confirmation.
-q, --quiet
Suppress verbose output.

Examples

Remove trusted profile my-profile from access group example_group:

ibmcloud iam access-group-trusted-profile-remove example_group my-profile

ibmcloud iam access-group-trusted-profile-purge

Remove a trusted profile from all access groups:

ibmcloud iam access-group-trusted-profile-purge (PROFILE_NAME | PROFILE_ID) [-f, --force] [-q, --quiet]

Command options

PROFILE_NAME | PROFILE_ID (required)
Name or ID of the trusted profile to remove from all access groups.
-f, --force
Purge without confirmation.
-q, --quiet
Suppress verbose output.

Examples

Remove trusted profile my-profile from all access groups:

ibmcloud iam access-group-trusted-profile-purge my-profile

ibmcloud iam access-group-policies

List policies of an access group:

ibmcloud iam access-group-policies GROUP_NAME [--output FORMAT] [-q, --quiet] [--api-version v1 | v2]

Command options

GROUP_NAME
Name of the access group.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

List all policies of access group example_group:

ibmcloud iam access-group-policies example_group

ibmcloud iam access-group-policy

Show details of an access group policy:

ibmcloud iam access-group-policy GROUP_NAME POLICY_ID [--output FORMAT] [-q, --quiet] [--api-version v1 | v2]

Command options

GROUP_NAME
Name of the access group.
POLICY_ID
The ID of the policy to retrieve.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

Show details of the policy 51b9717e-76b0-4f6a-bda7-b8132431f926 of access group example_group:

ibmcloud iam access-group-policy example_group 51b9717e-76b0-4f6a-bda7-b8132431f926

ibmcloud iam access-group-policy-create

Create an access group policy:

ibmcloud iam access-group-policy-create GROUP_NAME {--file @JSON_FILE | --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID] [--tags name1:value1,name2:value2...] [--account-management] [--attributes name=value,name=value...]} [--output FORMAT] [-q, --quiet] [--api-version v1 | v2]

Command options

--file
JSON file of policy definition. You can use advanced operators in a JSON policy document to grant access to resources that satisfy specific naming conventions. For more information about using advanced operators to create wildcard policies, see Assigning access by using wildcard policies.
--roles
Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME. This option is exclusive with the --file option.
--service-name
Service name of the policy definition. This option is exclusive with the --file option.
--service-instance SERVICE_INSTANCE_GUID
GUID of service instance of the policy definition. This option is exclusive with the --file option.
--region
Region of the policy definition. This option is exclusive with the --file option.
--resource-type
Resource type of the policy definition. This option is exclusive with the --file option.
--resource
Resource of the policy definition. This option is exclusive with the --file option.
--resource-group-name
Name of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-id options.
--resource-group-id
ID of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-name options.
--tags
Access tags of the resource. Use tags to organize, track usage costs, or manage access to your resources. For more information on tags, see Working with tags.
--account-management
Give access to all account management services.
--attributes name=value,name=value...
Set resource attributes in the form of 'name=value,name=value....'
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

Create an access group policy from a JSON file:

ibmcloud iam access-group-policy-create example_group --file @policy.json

Give example_group Administrator role for all sample-service resources:

ibmcloud iam access-group-policy-create example_group --roles Administrator --service-name sample-service

Give example_group Editor role and a custom role Responder for all instances of sample-service in us-south region:

ibmcloud iam access-group-policy-create example_group --roles Editor,Responder --service-name sample-service --region us-south

Give example_group Editor role for resource key123 of sample-service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam access-group-policy-create example_group --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south --resource-type key --resource key123

Give example_group Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-create example_group --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Give example_group Viewer role for the members of the resource group sample-resource-group:

ibmcloud iam access-group-policy-create example_group --roles Viewer --resource-group-name sample-resource-group

Give example_group Viewer role for the members of the resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-create example_group --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6

Give example_group Administrator role for all account management services:

ibmcloud iam access-group-policy-create example_group --roles Administrator --account-management

Give example_group Viewer role for all resources in account:

ibmcloud iam access-group-policy-create example_group --roles Viewer

Give example_group Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam access-group-policy-create example_group --roles Viewer --service-name is --attributes "instanceId=*"

Create access tags for the resource:

ibmcloud iam access-group-policy-create --tags env:dev,env:test

ibmcloud iam access-group-policy-update

Update an access group policy:

ibmcloud iam access-group-policy-update GROUP_NAME POLICY_ID {--file JSON_FILE | [--roles ROLE_NAME1,ROLE_NAME2...] [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID] [--account-management] [--attributes name=value,name=value...]} [--output FORMAT] [-q, --quiet] [--api-version v1 | v2]

Command options

--file
JSON file of policy definitions.
--roles
Role names of the policy definition. For supported roles of a specific service, run ibmcloud iam roles --service SERVICE_NAME. This option is exclusive with the --file option.
--service-name
Service name of the policy definition. This option is exclusive with the --file option.
--service-instance SERVICE_INSTANCE_GUID
GUID of service instance of the policy definition. This option is exclusive with the --file option.
--region
Region of the policy definition. This option is exclusive with the --file option.
--resource-type
Resource type of the policy definition. This option is exclusive with the --file option.
--resource
Resource of the policy definition. This option is exclusive with the --file option.
--resource-group-name
Name of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-id options.
--resource-group-id
ID of the resource group. * means all resource groups. This option is exclusive with the --file and --resource-group-name options.
--account-management (optional)
Give access to all account management services.
--attributes name=value,name=value...
Set resource attributes in the form of 'name=value,name=value....'
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

Update the access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 with the one in policy JSON file:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 -f @policy.json

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Administrator role for all sample-service resources:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Administrator --service-name sample-service

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Editor role and a custom role Responder for all instances of sample-service in us-south region:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Editor,Responder --service-name sample-service --region us-south

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Editor role for resource key123 of sample-service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Viewer role for members of the resource group sample-resource-group:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Viewer --resource-group-name sample-resource-group

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Viewer role for members of resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Administrator role for all account management services:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Administrator --account-management

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Viewer role for all resources in the account:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Viewer

Update access group policy b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 to give example_group Viewer role for service is resources with attribute instanceId equal to *:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Viewer --service-name is --attributes "instanceId=*"

ibmcloud iam access-group-policy-delete

Delete an access group policy:

ibmcloud iam access-group-policy-delete GROUP_NAME POLICY_ID [-f, --force] [-q, --quiet] [--api-version v1 | v2]

Command options

--api-version
Version of the access policy API.
-f, --force
Force deletion without confirmation.
-q, --quiet
Suppress verbose output.

Examples

Delete policy 51b9717e-76b0-4f6a-bda7-b8132431f926 of access group example_group:

ibmcloud iam access-group-policy-delete example_group 51b9717e-76b0-4f6a-bda7-b8132431f926 -f

ibmcloud iam access-group-template-create

Create an access group template

ibmcloud iam access-group-template-create (TEMPLATE_NAME --access-group-name ACCESS_GROUP_NAME [-d, --description DESCRIPTION] | --file JSON_FILE) [--output FORMAT]

Command options

--access-group-name NAME
Access group name to create for the template
-d, --description DESCRIPTION
Description of the template
--file FILE
JSON file of the template definition
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Create an access group template with specified name and access group name

ibmcloud iam access-group-template-create example-template-name --access-group-name example-access-group -d example-description

Create an access group template by using a JSON file

ibmcloud iam access-group-template-create --file JSON_FILE

ibmcloud iam access-group-template

Show details of an access group template

ibmcloud iam access-group-template (TEMPLATE_ID | TEMPLATE_NAME) [--output FORMAT] [-q, --quiet]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Show details of an access group template in JSON format

ibmcloud iam access-group-template example-template-name --output JSON

ibmcloud iam access-group-template-version

Show details of a specified version of an access group template

ibmcloud iam access-group-template-version (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION [-q, --quiet] [--output FORMAT]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Show details of a specified version of an access group template in JSON format

ibmcloud iam access-group-template-version example-template-name 1 --output JSON

ibmcloud iam access-group-template-version-commit

Commit an access group template version

ibmcloud iam access-group-template-version-commit TEMPLATE_ID TEMPLATE_VERSION

Command options

-q, --quiet
Suppress verbose output.

Examples

Commit a specified version of an access group template

ibmcloud iam access-group-template-version-commit example-template-id 1

ibmcloud iam access-group-template-version-create

Create an access group template version

ibmcloud iam access-group-template-version-create TEMPLATE_ID --file JSON_FILE

Command options

--file FILE
JSON file of the template definition
-q, --quiet
Suppress verbose output.

Examples

Create a new version of an access group template

ibmcloud iam access-group-template-version-create example-template-id --file JSON_FILE

ibmcloud iam access-group-template-version-delete

Delete an access group template version

ibmcloud iam access-group-template-version-delete TEMPLATE_ID TEMPLATE_VERSION

Command options

-q, --quiet
Suppress verbose output.

Examples

Delete a specified version of an access group template

ibmcloud iam access-group-template-version-delete example-template-id 1

ibmcloud iam access-group-template-version-update

Update an existing version of access group template version

ibmcloud iam access-group-template-version-update (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION --file JSON_FILE [-q, --quiet]

Command options

--file FILE
JSON file of the template definition
-q, --quiet
Suppress verbose output.

Examples

Update a specified version of an access group template with a JSON file

ibmcloud iam access-group-template-version-update example-template-name 1 --file JSON_FILE

ibmcloud iam access-group-template-versions

List the versions of an access group template

ibmcloud iam access-group-template-versions (TEMPLATE_ID | TEMPLATE_NAME) [-q, --quiet] [--output FORMAT]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

List all versions of an access group template

ibmcloud iam access-group-template-versions example-template-name

ibmcloud iam access-group-templates

List all access group templates under current account

ibmcloud iam access-group-templates [-q, --quiet] [--output FORMAT]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

List all access group templates under current account in JSON format

ibmcloud iam access-group-templates --output JSON

ibmcloud iam access-group-assignment

Show details of an access group assignment

ibmcloud iam access-group-assignment [--output FORMAT]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Show details of an access group assignment in JSON format

ibmcloud iam access-group-assignments --output JSON

ibmcloud iam access-group-assignment-create

Create an access group assignment

ibmcloud iam access-group-assignment-create TEMPLATE_ID TEMPLATE_VERSION --target-type TYPE --target TARGET

Command options

--target value
ID of the entity targeted
--target-type value
Type of entity targeted
-q, --quiet
Suppress verbose output

Examples

Create an access group assignment that applies version 1 of template example-template-id to the account example-account-id

ibmcloud iam access-group-assignment-create example-template-id 1 --target-type Account --target example-account-id

ibmcloud iam access-group-assignment-delete

Delete an access group assignment

ibmcloud iam access-group-assignment-delete ASSIGNMENT_ID

Command options

-q, --quiet
Suppress verbose output

Examples

Delete a specified access group assignment

ibmcloud iam access-group-assignment-delete example-assignment-id

ibmcloud iam access-group-assignment-update

Update an access group assignment

ibmcloud iam access-group-assignment-update ASSIGNMENT_ID

Command options

-q, --quiet
Suppress verbose output

Examples

Update a specified access group assignment

ibmcloud iam access-group-assignment-update example-assignment-id

ibmcloud iam access-group-assignments

Get all access group assignments in your current account

ibmcloud iam access-group-assignments [-q, --quiet] [--output FORMAT]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

List all access group assignments under current account in JSON format

ibmcloud iam access-group-assignments --output JSON

ibmcloud iam trusted-profile-create

Create a trusted profile:

ibmcloud iam trusted-profile-create NAME [-d, --description DESCRIPTION] [--output FORMAT] [-q, --quiet]

Command options

NAME (required)
Name of the new profile.
-d, --description DESCRIPTION
Description of the profile.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Create a trusted profile with name sample-test and description "sample trusted profile":

ibmcloud iam trusted-profile-create sample-test -d "sample trusted profile"

ibmcloud iam trusted-profile

Get a trusted profile by name or ID:

ibmcloud iam trusted-profile NAME|ID [--id | --output FORMAT] [-q, --quiet]

Command options

NAME|ID (required)
Name or ID of the profile.
--id
Show the ID of the profile only.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Retrieve trusted profile with name sample-test:

ibmcloud iam trusted-profile sample-test

Retrieve trusted profile with profile ID Profile-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam trusted-profile Profile-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam trusted-profiles

List trusted profiles under current account

ibmcloud iam trusted-profiles [--can-assume] [--id | --output FORMAT] [-q, --quiet]

Command options

--can-assume
Show profiles that can be assumed with the current account only.
--id
Show ID of profiles only.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

List ID of all trusted profiles under current account:

ibmcloud iam trusted-profiles --id

List trusted profiles that can be assumed with the current account:

ibmcloud iam trusted-profiles --can-assume

ibmcloud iam trusted-profile-assume

Assume a trusted profile:

ibmcloud iam trusted-profile-assume [NAME|ID] [--output FORMAT] [-q, --quiet]

Command options

NAME|ID
The name or ID of the profile to assume.
--output FORMAT
The specified output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Assume a trusted profile with name sample-test:

ibmcloud iam trusted-profile-assume sample-test

View the currently assumed trusted profile:

ibmcloud iam trusted-profile-assume

ibmcloud iam trusted-profile-leave

Leave a trusted profile:

ibmcloud iam trusted-profile-leave [-q, --quiet]

Command options

-q, --quiet
Suppress verbose output.

Examples

Leave a trusted profile previously assumed:

ibmcloud iam trusted-profile-leave

ibmcloud iam trusted-profile-update

Update a trusted profile

ibmcloud iam trusted-profile-update NAME|ID [-n, --name NEW_NAME] [-d, --description NEW_DESCRIPTION] [--output FORMAT] [-f, --force] [-q, --quiet]

Command options

NAME|ID (required)
Name or ID of the profile to update.
-n, --name NEW_NAME
New name of the trusted profile.
-d, --description NEW_DESCRIPTION
New description of the profile. Providing an empty description clears the description of the profile.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-f, --force
Force failure if multiple profiles are found.
-q, --quiet
Suppress verbose output.

Examples

Update trusted profile with name sample-test to new name of test:

ibmcloud iam trusted-profile-update sample-test -n test

Update trusted profile sample-test with new description of testing trusted profile update:

ibmcloud iam trusted-profile-update sample-test -d "testing trusted profile update"

ibmcloud iam trusted-profile-delete

Delete a trusted profile

ibmcloud iam trusted-profile-delete NAME|ID [-f, --force] [-q, --quiet]

Command options

NAME|ID (required)
Name or ID of the profile to delete.
-f, --force
Delete a trusted profile without confirmation.
-q, --quiet
Suppress verbose output.

Examples

Delete trusted profile with name sample-test:

ibmcloud iam trusted-profile-delete sample-test

ibmcloud iam trusted-profile-policy-create

Create an access policy and assign it to a trusted profile

ibmcloud iam trusted-profile-policy-create (NAME|ID) {--file JSON_FILE | -r, --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID] [--tags name1:value1,name2:value2...] [--account-management] [--attributes name=value,name=value...]} [--output FORMAT] [-q, --quiet] [-f, --force] [--api-version v1 | v2]

Command options

NAME|ID (required)
The name or ID of the profile to assign the new policy to
--account-management
Give access to all account management services.
--api-version
Version of the access policy API.
--attributes name=value,name=value...
Set resource attributes in the form of 'name=value,name=value....'
--file JSON_FILE
JSON file of policy definition.
-f, --force
Force failure if multiple profiles are found.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
--region REGION
Region of the policy definition. This option is exclusive with '--file'. For supported regions, run 'ibmcloud regions'.
--resource RESOURCE
Resource of the policy definition. This option is exclusive with '--file'.
--resource-group-id RESOURCE_GROUP_ID
ID of the resource group. '*' means all resource groups. This option is exclusive with '--file' and '--resource-group-name'.
--resource-group-name RESOURCE_GROUP_NAME
Name of the resource group. '*' means all resource groups. This option is exclusive with '--file' and '--resource-group-id'.
--resource-type RESOURCE_TYPE
Resource type of the policy definition. This option is exclusive with '--file'.
--roles ROLE_NAME1,ROLE_NAME2...
Role names of the policy definition. For supported roles of a specific service, run 'ibmcloud iam roles --service SERVICE_NAME'. This option is exclusive with '--file'.
-q, --quiet
Suppress verbose output.
--service-instance SERVICE_INSTANCE_GUID
GUID of service instance of the policy definition. This option is exclusive with '--file'.
--service-name SERVICE_NAME
Service name of the policy definition. This option is exclusive with '--file'.
--tags name1:value1,name2:value2...
Access tags of the resource.

Examples

Create a trusted profile policy for my-profile from a JSON file:

ibmcloud iam trusted-profile-policy-create my-profile --file policy.json

Give my-profile Viewer role for the members of resource group sample-resource-group:

ibmcloud iam trusted-profile-policy-create my-profile --roles Viewer --resource-group-name sample-resource-group

Give my-profile Viewer role for all resources in account:

ibmcloud iam trusted-profile-policy-create my-profile --roles Viewer

ibmcloud iam trusted-profile-policy

Display details of an access policy for a specified trusted profile

ibmcloud iam trusted-profile-policy (NAME|ID) POLICY_ID [--output FORMAT] [-f, --force] [-q, --quiet] [--api-version v1 | v2]

Command options

NAME|ID (required)
Name or ID of the profile.
POLICY_ID (required)
The ID of the policy to retrieve.
-f, --force
Force failure if multiple profiles are found.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

Get policy bdf62c30-35dd-4852-bcb8-2f0dd3929701 of trusted profile my-profile:

ibmcloud iam trusted-profile-policy my-profile bdf62c30-35dd-4852-bcb8-2f0dd3929701

ibmcloud iam trusted-profile-policies

List all access policies for a specified trusted profile

ibmcloud iam trusted-profile-policies (NAME|ID) [--output FORMAT] [-f, --force] [-q, --quiet] [--api-version v1 | v2]

Command options

NAME|ID (required)
Name or ID of the profile.
-f, --force
Force failure if multiple profiles are found.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

List all policies of trusted profile ID Profile-bdf62c30-35dd-4852-bcb8-2f0dd3929701:

ibmcloud iam trusted-profile-policies Profile-bdf62c30-35dd-4852-bcb8-2f0dd3929701

ibmcloud iam trusted-profile-policy-update

Update an access policy for a trusted profile

ibmcloud iam trusted-profile-policy-update (NAME|ID) POLICY_ID {--file JSON_FILE | -r, --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID] [--tags name1:value1,name2:value2...] [--account-management] [--attributes name=value,name=value...]} [--output FORMAT] [-q, --quiet] [-f, --force] [--api-version v1 | v2]

Command options

NAME|ID (required)
The name or ID of the profile whose policy is to be updated.
POLICY_ID (required)
The ID of the policy to update.
--account-management
Give access to all account management services.
--attributes name=value,name=value...
Set resource attributes in the form of 'name=value,name=value....'
--file JSON_FILE
JSON file of policy definition.
-f, --force
Force failure if multiple profiles are found.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
--region REGION
Region of the policy definition. This option is exclusive with '--file'. For supported regions, run 'ibmcloud regions'.
--resource RESOURCE
Resource of the policy definition. This option is exclusive with '--file'.
--resource-group-id RESOURCE_GROUP_ID
ID of the resource group. '*' means all resource groups. This option is exclusive with '--file' and '--resource-group-name'.
--resource-group-name RESOURCE_GROUP_NAME
Name of the resource group. '*' means all resource groups. This option is exclusive with '--file' and '--resource-group-id'.
--resource-type RESOURCE_TYPE
Resource type of the policy definition. This option is exclusive with '--file'.
--roles ROLE_NAME1,ROLE_NAME2...
Role names of the policy definition. For supported roles of a specific service, run 'ibmcloud iam roles --service SERVICE_NAME'. This option is exclusive with '--file'.
--service-instance SERVICE_INSTANCE_GUID
GUID of service instance of the policy definition. This option is exclusive with '--file'.
--service-name SERVICE_NAME
Service name of the policy definition. This option is exclusive with '--file'.
--tags name1:value1,name2:value2...
Access tags of the resource.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

Update policy 85f3a4d6-c2e1-417e-b2d5-7199d610c160 to give trusted profile my-profile Administrator role for all account management services:

ibmcloud iam trusted-profile-policy-update my-profile 85f3a4d6-c2e1-417e-b2d5-7199d610c160 --roles Administrator --account-management

Update policy bdf62c30-35dd-4852-bcb8-2f0dd3929701 from my-profile with contents in JSON file:

ibmcloud iam trusted-profile-policy-update my-profile bdf62c30-35dd-4852-bcb8-2f0dd3929701 --file @policy.json

ibmcloud iam trusted-profile-policy-delete

Delete an access policy for a trusted profile

ibmcloud iam trusted-profile-policy-delete (NAME|ID) POLICY_ID [-f, --force] [-q, --quiet] [--api-version v1 | v2]

Command options

NAME|ID (required)
The name or ID of the profile that contains the policy to delete.
POLICY_ID (required)
The ID of the policy to delete.
-f, --force
Delete access policy without confirmation.
-q, --quiet
Suppress verbose output.
--api-version
Version of the access policy API.

Examples

Delete policy ID bdf62c30-35dd-4852-bcb8-2f0dd3929701 from my-profile without confirmation:

ibmcloud iam trusted-profile-policy-delete my-profile bdf62c30-35dd-4852-bcb8-2f0dd3929701 -f

ibmcloud iam trusted-profile-identity

Retrieve and display a trusted profile identity

ibmcloud iam trusted-profile-identity (NAME|ID) (IDENTITY_IDENTIFIER|IDENTITY_ID) --id-type IDENTIFIER_TYPE [--id | --output FORMAT] [-q, --quiet]

Command options

NAME|ID (required)
Name or ID of the trusted profile.
IDENTITY_IDENTIFIER|IDENTITY_ID (required)
Identifier or ID of the Identity to retrieve.
--id-type (required)
The type of identifier to retrieve for the trusted profile. USER for a user IAM ID, SERVICEID for a service ID, or CRN for a service CRN
--id
Show ID of the identity only.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

ibmcloud iam trusted-profile-identities

Retrieve and display trusted profile identities

ibmcloud iam trusted-profile-identities (NAME|ID) [--id-type IDENTIFIER_TYPE] [--id | --output FORMAT] [-f, --force] [-q, --quiet]

Command options

NAME|ID (required)
Name or ID of the trusted profile.
--id-type
The type of identifiers to retrieve for the trusted profile. USER for a user IAM ID, SERVICEID for a service ID, or CRN for a service CRN
--id
Show the ID of the identities only.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-f, --force
Force a failure if multiple profiles are found.
-q, --quiet
Suppress verbose output.

ibmcloud iam trusted-profile-identity-create

Connect a trusted profile to an identity

ibmcloud iam trusted-profile-identity-create (NAME|ID) --id IDENTIFIER_TO_CONNECT --id-type IDENTIFIER_TYPE [--description DESCRIPTION] [--output FORMAT] [-q, --quiet]

Command options

NAME|ID (required)
The name or ID of the profile to connect the identity to.
--id (required)
ID for the identity.
--id-type (required)
The type of identifier to connect to the trusted profile. USER for a user IAM ID, SERVICEID for a service ID, or CRN for a service CRN
--description DESCRIPTION
Optional description for the connection to the trusted profile
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

ibmcloud iam trusted-profile-identity-delete

Disconnect a trusted profile from an identity

ibmcloud iam trusted-profile-identity-delete (NAME|ID) (IDENTITY_IDENTIFIER|IDENTITY_ID) --id-type IDENTIFIER_TYPE [--force] [-q, --quiet]

Command options

NAME|ID (required)
The name or ID of the profile to disconnect the identity from.
IDENTITY_IDENTIFIER|IDENTITY_ID (required)
Identifier or ID of the Identity to disconnect.
--id-type (required)
The type of identifier to disconnect from the trusted profile. USER for a user IAM ID, SERVICEID for a service ID, or CRN for a service CRN
-f, --force
Force deletion without confirmation.
-q, --quiet
Suppress verbose output.

ibmcloud iam trusted-profile-rule-create

Create a rule for a trusted profile:

ibmcloud iam trusted-profile-rule-create (NAME|UUID) --name RULE_NAME --type RULE_TYPE  [--realm-name REALM_NAME] --conditions <LIST_OF_CONDITIONS> [--expiration EXPIRATION_SEC] [--cr-type CR_TYPE] [--output FORMAT] [-q, --quiet] [-f, --force]

To view a full list of valid operators and claim attribute options for --conditions, see IAM condition properties.

Command options

NAME|ID (required)
Name or ID of the profile to create a rule for.
--type (required)
'Profile-SAML' for a SAML rule or 'Profile-CR' for a compute resource rule
--conditions (required)
List of conditions, provided as a comma-separated list of triple values "claim:CLAIM,operator:OPERATOR,value:VALUE". To specify multiple conditions, specify the flag multiple times --conditions "claim:CLAIM1,operator:OPERATOR1,value:VALUE1" --conditions "claim:CLAIM2,operator:OPERATOR2,value:VALUE2".
--expiration
Specify an expiration in seconds for SAML rules. Must not be provided for trusts that are established to Compute Resources (type = Profile-CR).
--name
Name for the rule.
--cr-type
The compute resource type that the rule applies to. Required only if type is specified as 'Profile-CR'. Values are VSI for Virtual Service Instance on VPC, IKS_SA for Service Accounts on Kubernetes clusters, or ROKS_SA for managed Red Hat OpenShift.
--realm-name
The issuer ID for trusts established via IBMid with federation, or appid:// for trusts established by using App ID federation. Must not be provided for trusts that are established to Compute Resources (type = Profile-CR).
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-f, --force
Force failure if multiple profiles are found.
-q, --quiet
Suppress verbose output.

Examples

Create a Profile-SAML rule with rule name my-rule, realm name set to https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20, expiration set to 1200 seconds for trusted profile my-profile with the rule conditions: cn EQUALS my_user

ibmcloud iam trusted-profile-rule-create my-profile --name my-rule --type Profile-SAML --conditions claim:cn,operator:EQUALS,value:my_user --realm-name https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20 --expiration 1200

Create a Profile-SAML rule with realm name set to https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20 and expiration set to 1200 seconds for trusted profile my-profile with the rule conditions: cn EQUALS my_user and blueGroups NOT_EQUALS jaas_master

ibmcloud iam trusted-profile-rule-create my-profile --type Profile-SAML --conditions claim:cn,operator:EQUALS,value:my_user --conditions claim:blueGroups,operator:NOT_EQUALS,value:jaas_master --realm-name https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20 --expiration 1200

Create a Profile-CR rule with rule name my-rule, compute resource type IKS_SA, and with the rule conditions: namespace EQUALS default and crn EQUALS crn:test:bluemix:public:containers-kubernetes:us-south:a/test::

ibmcloud iam trusted-profile-rule-create my-profile --name my-rule --type Profile-CR --conditions claim:namespace,operator:EQUALS,value:default --conditions claim:crn,operator:EQUALS,value:crn:test:bluemix:public:containers-kubernetes:us-south:a/test:: --cr-type IKS_SA
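
The option constraints listed above for trusted-profile-rule-create can be checked before the CLI is called, so a rule that mixes SAML-only and compute-resource options, or carries a malformed condition, is rejected early. This is an added example, not part of the IBM Cloud CLI or its documentation; the function names parse_condition and check_rule_args are hypothetical, and only the rules stated in the option descriptions on this page are enforced.

```sh
#!/bin/sh
# Added example: pre-flight check for `ibmcloud iam trusted-profile-rule-create`
# arguments. Function names are hypothetical; nothing here calls the CLI.

# parse_condition "claim:C,operator:O,value:V"
# Prints "C<TAB>O<TAB>V" and returns 0, or returns 1 if the triple is malformed.
# Everything after "value:" is kept, so CRN values that contain ':' stay intact.
parse_condition() {
  case $1 in
    claim:*,operator:*,value:*) ;;
    *) return 1 ;;
  esac
  _rest=${1#claim:}
  _claim=${_rest%%,operator:*}
  _rest=${_rest#*,operator:}
  _op=${_rest%%,value:*}
  _value=${_rest#*,value:}
  [ -n "$_claim" ] && [ -n "$_op" ] && [ -n "$_value" ] || return 1
  printf '%s\t%s\t%s\n' "$_claim" "$_op" "$_value"
}

# check_rule_args ARGS...
# Takes the arguments that would follow `trusted-profile-rule-create`.
# Returns 0 if they satisfy the documented constraints, 1 otherwise.
check_rule_args() {
  _type="" _cr="" _realm="" _exp="" _nconds=0 _errs=0
  while [ $# -gt 0 ]; do
    case $1 in
      --type|--cr-type|--realm-name|--expiration|--conditions|--name)
        if [ $# -lt 2 ]; then
          echo "error: $1 needs a value" >&2
          return 1
        fi
        case $1 in
          --type) _type=$2 ;;
          --cr-type) _cr=$2 ;;
          --realm-name) _realm=$2 ;;
          --expiration) _exp=$2 ;;
          --conditions)
            _nconds=$(( $_nconds + 1 ))
            parse_condition "$2" >/dev/null || {
              echo "error: malformed condition: $2" >&2
              _errs=$(( $_errs + 1 ))
            } ;;
        esac
        shift 2 ;;
      *) shift ;;  # profile name and options this check does not inspect
    esac
  done

  case $_type in
    Profile-CR)
      # --cr-type is required for compute resource rules.
      case $_cr in
        VSI|IKS_SA|ROKS_SA) ;;
        *) echo "error: Profile-CR needs --cr-type VSI, IKS_SA or ROKS_SA" >&2
           _errs=$(( $_errs + 1 )) ;;
      esac
      # --realm-name and --expiration must not be provided for Profile-CR.
      if [ -n "$_realm" ] || [ -n "$_exp" ]; then
        echo "error: --realm-name/--expiration are not allowed with Profile-CR" >&2
        _errs=$(( $_errs + 1 ))
      fi ;;
    Profile-SAML)
      # --expiration is given in seconds, so it must be all digits when present.
      case $_exp in
        *[!0-9]*) echo "error: --expiration must be whole seconds" >&2
                  _errs=$(( $_errs + 1 )) ;;
      esac ;;
    *) echo "error: --type must be Profile-SAML or Profile-CR" >&2
       _errs=$(( $_errs + 1 )) ;;
  esac

  [ "$_nconds" -gt 0 ] || {
    echo "error: at least one --conditions is required" >&2
    _errs=$(( $_errs + 1 ))
  }
  [ "$_errs" -eq 0 ]
}

# Demo on the Profile-CR example from this page.
check_rule_args my-profile --name my-rule --type Profile-CR \
  --conditions claim:namespace,operator:EQUALS,value:default \
  --conditions claim:crn,operator:EQUALS,value:crn:test:bluemix:public:containers-kubernetes:us-south:a/test:: \
  --cr-type IKS_SA && echo "arguments pass the documented constraints"
```
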

ibmcloud iam trusted-profile-rules

List all rules for a specified trusted profile:

ibmcloud iam trusted-profile-rules (NAME|ID) [--output FORMAT] [-f, --force] [-q, --quiet]

Command options

NAME|ID (required)
Name or ID of the trusted profile to retrieve rules for.
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-f, --force
Force failure if multiple profiles are found.
-q, --quiet
Suppress verbose output.

Examples

Display all rules in the trusted profile my-profile:

ibmcloud iam trusted-profile-rules my-profile

ibmcloud iam trusted-profile-rule-update

Update a rule for a trusted profile:

ibmcloud iam trusted-profile-rule-update (NAME|ID) (RULE_NAME|RULE_ID) --name RULE_NAME --type RULE_TYPE  [--realm-name REALM_NAME] --conditions <LIST_OF_CONDITIONS> [--cr-type CR_TYPE] [--expiration EXPIRATION_SEC] [--output FORMAT] [-q, --quiet] [-f, --force]

To view a full list of valid operators and claim attribute options for --conditions, see IAM condition properties.

Command options

NAME|ID (required)
The name or ID of the trusted profile to update a rule for.
RULE_NAME|RULE_ID (required)
The name or ID of the rule to update.
--type
'Profile-SAML' for a SAML rule or 'Profile-CR' for a compute resource rule.
--conditions
List of conditions, provided as a comma-separated list of triple values "claim:CLAIM,operator:OPERATOR,value:VALUE". To specify multiple conditions, specify the flag multiple times --conditions "claim:CLAIM1,operator:OPERATOR1,value:VALUE1" --conditions "claim:CLAIM2,operator:OPERATOR2,value:VALUE2".
--cr-type
The compute resource type that the rule applies to. Required only if type is specified as 'Profile-CR'. Values are VSI for Virtual Service Instance on VPC, IKS_SA for Service Accounts on Kubernetes clusters, or ROKS_SA for managed Red Hat OpenShift.
--expiration
Specify an expiration in seconds for SAML rules. Must not be provided for trusts that are established to Compute Resources (type = Profile-CR).
--name
New name for the rule.
--realm-name
The issuer ID for trusts established via IBMid with federation, or appid:// for trusts established via App ID federation. Must not be provided for trusts that are established to Compute Resources (type = Profile-CR).
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-f, --force
Force failure if multiple rules are found.
-q, --quiet
Suppress verbose output.

Examples

Update rule ClaimRule-test-id in profile my-profile with new name test-rule:

ibmcloud iam trusted-profile-rule-update my-profile ClaimRule-test-id --name test-rule

Update Profile-SAML rule my-rule in profile my-profile with new realm name https://www.example.org/my-nice-idp:

ibmcloud iam trusted-profile-rule-update my-profile my-rule --realm-name https://www.example.org/my-nice-idp

Update rule conditions and expiration time for Profile-SAML rule ClaimRule-a448e998-311f-4e23-8af8-66b855c5da11 in profile my-profile:

ibmcloud iam trusted-profile-rule-update my-profile ClaimRule-a448e998-311f-4e23-8af8-66b855c5da11 --conditions claim:cn,operator:EQUALS,value:my_user --expiration 1200

Update rule conditions and compute resource type for Profile-CR rule ClaimRule-cb8e3a2c-2d16-422b-b691-8791355b53bc in profile my-profile:

ibmcloud iam trusted-profile-rule-update my-profile ClaimRule-cb8e3a2c-2d16-422b-b691-8791355b53bc --conditions claim:crn,operator:EQUALS,value:crn:v1:bluemix:public:containers-redhat:us-south:a/test:: --cr-type ROKS_SA

ibmcloud iam trusted-profile-rule-delete

Delete a rule for a trusted profile:

ibmcloud iam trusted-profile-rule-delete (NAME|ID) (RULE_NAME|RULE_ID) [-f, --force] [-q, --quiet]

Command options

NAME|ID (required)
The name or ID of the profile that contains the rule to delete.
RULE_NAME|RULE_ID (required)
The name or ID of the rule to delete.
-f, --force
Force deletion without confirmation.
-q, --quiet
Suppress verbose output.

Examples

Delete rule my-rule from trusted profile my-profile without confirmation:

ibmcloud iam trusted-profile-rule-delete my-profile my-rule -f

ibmcloud iam trusted-profile-templates

List all profile templates in your current account

ibmcloud iam trusted-profile-templates [--output FORMAT] [-q, --quiet]

Command options

-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

List trusted profile templates in table format

ibmcloud iam trusted-profile-templates

ibmcloud iam trusted-profile-template-create

Create a trusted profile template

ibmcloud iam trusted-profile-template-create --file JSON_FILE

Command options

--file JSON_FILE
JSON file of the template definition

ibmcloud iam trusted-profile-template-version

Get a specified version of a trusted profile template

ibmcloud iam trusted-profile-template-version (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION

Command options

-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

List details of a specified version of a trusted profile template

ibmcloud iam trusted-profile-template-version example-template-name 1

ibmcloud iam trusted-profile-template-version-commit

Commit a specified version of a trusted profile template

ibmcloud iam trusted-profile-template-version-commit (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION

Command options

-q, --quiet
Suppress verbose output.

Examples

Commit a specified version of a trusted profile template

ibmcloud iam trusted-profile-template-version-commit example-template-name 1

ibmcloud iam trusted-profile-template-version-create

Create a new version of a trusted profile template

ibmcloud iam trusted-profile-template-version-create (TEMPLATE_ID | TEMPLATE_NAME) --file JSON_FILE

Command options

-q, --quiet
Suppress verbose output.
--file JSON_FILE
JSON file of the template definition.

Examples

Create a new version of a specified template from a JSON file

ibmcloud iam trusted-profile-template-version-create example-template-name --file JSON_FILE

ibmcloud iam trusted-profile-template-version-delete

Delete a specified version of a trusted profile template

ibmcloud iam trusted-profile-template-version-delete TEMPLATE_ID TEMPLATE_VERSION

Command options

-q, --quiet
Suppress verbose output.

Examples

Delete a specified version of a trusted profile template

ibmcloud iam trusted-profile-template-version-delete example-template-name 1

ibmcloud iam trusted-profile-template-version-update

Update a specified version of a trusted profile template

ibmcloud iam trusted-profile-template-version-update (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION --file JSON_FILE

Command options

-q, --quiet
Suppress verbose output.
--file JSON_FILE
JSON file of the template definition.

Examples

Update a specified version of a trusted profile template with a JSON file

ibmcloud iam trusted-profile-template-version-update example-template-name 1 --file JSON_FILE

ibmcloud iam trusted-profile-template-versions

List all versions of a trusted profile template

ibmcloud iam trusted-profile-template-versions (TEMPLATE_ID | TEMPLATE_NAME)

Command options

-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

List all versions of a trusted profile template in JSON format

ibmcloud iam trusted-profile-template-versions example-template-name --output JSON

ibmcloud iam trusted-profile-assignment

Show details of a trusted profile assignment

ibmcloud iam trusted-profile-assignment ASSIGNMENT_ID

Command options

-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

Show details of a trusted profile assignment in JSON format

ibmcloud iam trusted-profile-assignment example-assignment-id --output JSON

ibmcloud iam trusted-profile-assignment-create

Create a trusted profile assignment

ibmcloud iam trusted-profile-assignment-create TEMPLATE_ID TEMPLATE_VERSION --target-type TYPE --target TARGET

Command options

-q, --quiet
Suppress verbose output.
--target TARGET
ID of the entity targeted
--target-type TYPE
Type of entity targeted

Examples

Create a trusted profile assignment in a specified target account

ibmcloud iam trusted-profile-assignment-create example-template-id 1 --target-type Account --target example-account-id

ibmcloud iam trusted-profile-assignment-delete

Delete a trusted profile assignment

ibmcloud iam trusted-profile-assignment-delete ASSIGNMENT_ID

Command options

-q, --quiet
Suppress verbose output.

Examples

Delete a trusted profile assignment

ibmcloud iam trusted-profile-assignment-delete example-assignment-id

ibmcloud iam trusted-profile-assignment-update

Update a trusted profile assignment

ibmcloud iam trusted-profile-assignment-update ASSIGNMENT_ID TEMPLATE_VERSION

Command options

-q, --quiet
Suppress verbose output.

Examples

Update a trusted profile assignment

ibmcloud iam trusted-profile-assignment-update example-assignment-id 1

ibmcloud iam trusted-profile-assignments

Get all trusted profile assignments in your current account

ibmcloud iam trusted-profile-assignments

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

List all trusted profile assignments in current account in JSON format

ibmcloud iam trusted-profile-assignments --output JSON

ibmcloud iam account-settings

List account setting values:

ibmcloud iam account-settings [--output FORMAT] [-q, --quiet]

Command options

--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

ibmcloud iam account-settings-update

Update settings under current account:

ibmcloud iam account-settings-update [--restrict-create-service-id RESTRICTION_SETTING] [--restrict-create-platform-apikey RESTRICTION_SETTING] [--allowed-ip-addresses ADDRESS_LIST] [--unset-allowed-ip-addresses] [--mfa MFA] [--session-expiration-in-seconds SECONDS_EXP] [--session-invalidation-in-seconds SECONDS_INV] [--max-sessions-per-identity SESSIONS_MAX] [--output FORMAT] [-q, --quiet]

Command options

--restrict-create-service-id RESTRICTION_SETTING
The restriction level on Service ID creation (one of RESTRICTED, NOT_RESTRICTED, or NOT_SET).
--restrict-create-platform-apikey RESTRICTION_SETTING
The restriction level on API Key creation (one of RESTRICTED, NOT_RESTRICTED, or NOT_SET).
--allowed-ip-addresses ADDRESS_LIST
The IP addresses and subnets from which IAM tokens can be created (the default is "").
--unset-allowed-ip-addresses
Clear all IP address restrictions
--session-expiration-in-seconds SECONDS_EXP
The number of seconds after which the session expires (can also be NOT_SET, which resets the value to default).
--session-invalidation-in-seconds SECONDS_INV
The number of seconds of inactivity after which a session is invalidated (can also be "NOT_SET", which resets the value to default).
--max-sessions-per-identity SESSIONS_MAX
The maximum number of sessions per identity on the account (can also be NOT_SET, which resets the value to default).
--mfa MFA
The type of MFA on the account (one of NONE, TOTP, TOTP4ALL, LEVEL1, LEVEL2, or LEVEL3).
--output FORMAT
Specify the output format. Only 'JSON' is supported.
-q, --quiet
Suppress verbose output.

Examples

Update the multi-factor authentication setting of an account to LEVEL3:

ibmcloud iam account-settings-update --mfa LEVEL3

Update the number of seconds after which a session expires to default (with NOT_SET):

ibmcloud iam account-settings-update --session-expiration-in-seconds NOT_SET
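An added example (not part of the IBM documentation): a Python check that compares the JSON from ibmcloud iam account-settings --output JSON with a baseline and builds the matching account-settings-update command from the flags listed above. The JSON key names, the baseline values, and the sample input are assumptions made for this example.

```python
import json
import shlex

# Baseline picked for this example (an assumption, not an IBM recommendation).
BASELINE = {
    "restrict_create_service_id": "RESTRICTED",
    "restrict_create_platform_apikey": "RESTRICTED",
    "mfa": "LEVEL3",
}
MAX_SESSION_SECONDS = 28800  # constructed ceiling for session expiration
# Assumed JSON key -> flag documented for account-settings-update.
FLAGS = {
    "restrict_create_service_id": "--restrict-create-service-id",
    "restrict_create_platform_apikey": "--restrict-create-platform-apikey",
    "mfa": "--mfa",
    "session_expiration_in_seconds": "--session-expiration-in-seconds",
}

def audit(settings):
    """Return (findings, remediation command) for one account-settings document."""
    findings, args = [], []
    for key, want in BASELINE.items():
        got = settings.get(key, "NOT_SET")
        if got != want:
            findings.append(f"{key}: {got} (baseline {want})")
            args += [FLAGS[key], want]
    # NOT_SET means the default applies; this policy wants an explicit ceiling.
    exp = str(settings.get("session_expiration_in_seconds", "NOT_SET"))
    if not exp.isdigit() or int(exp) > MAX_SESSION_SECONDS:
        findings.append(f"session_expiration_in_seconds: {exp} (max {MAX_SESSION_SECONDS})")
        args += [FLAGS["session_expiration_in_seconds"], str(MAX_SESSION_SECONDS)]
    # Report only: the right address list is site-specific.
    if not (settings.get("allowed_ip_addresses") or "").strip():
        findings.append("allowed_ip_addresses: empty, token creation is not IP-restricted")
    cmd = shlex.join(["ibmcloud", "iam", "account-settings-update", *args]) if args else ""
    return findings, cmd

# Constructed sample input, not captured from a real account.
SAMPLE = json.loads("""{
  "restrict_create_service_id": "NOT_SET",
  "restrict_create_platform_apikey": "RESTRICTED",
  "allowed_ip_addresses": "",
  "mfa": "TOTP",
  "session_expiration_in_seconds": "86400"
}""")

if __name__ == "__main__":
    findings, cmd = audit(SAMPLE)
    print("\n".join(findings + [cmd]))
```

Review the generated command before running it; the allowed-IP finding is reported without a fix because the address list has to come from your own network plan.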

ibmcloud iam account-settings-template

Show details of an account settings template:

ibmcloud iam account-settings-template (TEMPLATE_ID | TEMPLATE_NAME) [-q,--quiet] [--output JSON]

Command options

-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

Show details for account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template AccountSettingsEditorTemplate

ibmcloud iam account-settings-templates

List account settings templates for an enterprise account:

ibmcloud iam account-settings-templates [-q,--quiet] [--output JSON]

Command options

-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

List account settings templates on your current account

ibmcloud iam account-settings-templates

ibmcloud iam account-settings-template-create

Create a new account settings template for an enterprise account:

ibmcloud iam account-settings-template-create TEMPLATE_NAME [-d, --description DESCRIPTION] [--file JSON_FILE] [-q,--quiet]

Command options

-d, --description DESCRIPTION
Description of the template
--file JSON_FILE
JSON file of the template definition
-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

Create an account settings template on your current account

ibmcloud iam account-settings-template-create AccountSettingsEditorTemplate --file /path/to/account_settings_template.json

ibmcloud iam account-settings-template-version

Get a specific version of an account settings template in an enterprise account:

ibmcloud iam account-settings-template-version (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION [-q,--quiet] [--output JSON]

Command options

-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

Show version 1 of account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-version AccountSettingsEditorTemplate 1

ibmcloud iam account-settings-template-versions

List versions of an account settings template in an enterprise account:

ibmcloud iam account-settings-template-versions (TEMPLATE_ID | TEMPLATE_NAME) [-q,--quiet] [--output JSON]

Command options

-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

List versions of account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-versions AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-version-create

Create a new version of an account settings template in an enterprise account:

ibmcloud iam account-settings-template-version-create (TEMPLATE_ID | TEMPLATE_NAME) --file JSON_FILE [-q,--quiet] [--output FORMAT]

Command options

--file JSON_FILE
JSON file of account settings template definition
-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

Create a new version of the account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-version-create AccountSettingsEditorTemplate --file /path/to/account_settings_template.json

ibmcloud iam account-settings-template-version-update

Update a specific version of an account settings template in an enterprise account:

ibmcloud iam account-settings-template-version-update (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION --file JSON_FILE [-d, --description DESCRIPTION] [-q,--quiet]

Command options

-d, --description DESCRIPTION
Description of the template
--file JSON_FILE
JSON file of template definition
-q, --quiet
Suppress verbose output.

Examples

Update version 1 of account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-version-update AccountSettingsEditorTemplate 1 --file /path/to/account_settings_template.json

ibmcloud iam account-settings-template-version-delete

Delete a version of an account settings template for an enterprise account:

ibmcloud iam account-settings-template-version-delete (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION [-q,--quiet]

Command options

-q, --quiet
Suppress verbose output.

Examples

Delete version 2 of account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-version-delete AccountSettingsEditorTemplate 2

ibmcloud iam account-settings-template-version-commit

Commit a specific version of an account settings template in an enterprise account:

ibmcloud iam account-settings-template-version-commit (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION [-q,--quiet]

Command options

-q, --quiet
Suppress verbose output.

Examples

Commit version 1 of account settings template AccountSettingsEditorTemplate

ibmcloud iam account-settings-template-version-commit AccountSettingsEditorTemplate 1

ibmcloud iam account-settings-assignments

List assignments for account settings on an enterprise account:

ibmcloud iam account-settings-assignments [--output FORMAT] [-q, --quiet]

Command options

-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

List assignments in current account

ibmcloud iam account-settings-assignments

ibmcloud iam account-settings-assignment

Get an assignment for an account settings template:

ibmcloud iam account-settings-assignment ASSIGNMENT_ID [-q,--quiet] [--output FORMAT]

Command options

-q, --quiet
Suppress verbose output.
--output FORMAT
Specify the output format. Only 'JSON' is supported.

Examples

Get account settings assignment AccountSettingsAssignment-7c4345c7f2cb4c75a9f29b68fc1e1e88

ibmcloud iam account-settings-assignment AccountSettingsAssignment-7c4345c7f2cb4c75a9f29b68fc1e1e88

ibmcloud iam account-settings-assignment-create

Create an assignment for an account settings template:

ibmcloud iam account-settings-assignment-create TEMPLATE_NAME TEMPLATE_VERSION TARGET_TYPE TARGET [-q, --quiet]

Command options

-q, --quiet
Suppress verbose output.

Examples

Assign account settings template to account

ibmcloud iam account-settings-assignment-create TemplateTest 1 Account f7fc6938256e46e1a25ee09e14ca9c20

Assign account settings template to account group

ibmcloud iam account-settings-assignment-create TemplateTest 1 AccountGroup 955fc2274567474f8da802d5c376504b

ibmcloud iam account-settings-assignment-update

Update an assignment to retry failed assignments or migrate resources to a new version:

ibmcloud iam account-settings-assignment-update ASSIGNMENT_ID TEMPLATE_VERSION [-q,--quiet]

Command options

-q, --quiet
Suppress verbose output.

Examples

Update account settings assignment AccountSettingsAssignment-63d65ed159ff463b8ec09ea77d22a05b to template version 2

ibmcloud iam account-settings-assignment-update AccountSettingsAssignment-63d65ed159ff463b8ec09ea77d22a05b 2

ibmcloud iam account-settings-assignment-delete

Delete an account settings assignment. This action removes any resources that this assignment creates:

ibmcloud iam account-settings-assignment-delete ASSIGNMENT_ID [-q, --quiet]

Command options

-q, --quiet
Suppress verbose output.

Examples

Delete account settings assignment AccountSettingsAssignment-63d65ed159ff463b8ec09ea77d22a05b

ibmcloud iam account-settings-assignment-delete AccountSettingsAssignment-63d65ed159ff463b8ec09ea77d22a05b