Restricting users from creating API keys

Enabling the API key creation setting

To turn on the setting to restrict users from creating user API keys, you must have the following assigned access:

• An IAM policy with the Administrator, Operator, or Editor role on the IAM Identity Service.

If you turn on the API key creation setting, users in your account require specific access to create API keys, including the account owner. To restrict who can create API keys, use the following steps:

Enabling this setting affects only the creation of user API keys. It does not affect API keys for service IDs.

1. In the IBM Cloud console, go to Manage > Access (IAM), and select Settings.
2. In the Account section, enable the API key creation setting.
3. Click Yes to confirm.

Now that the setting is enabled to restrict users from creating API keys, you can assign the required access to enable specific users to continue creating user API keys. Remember, the account owner is also required to be assigned this explicit access.

Enabling the API key creation setting by using Terraform

If you turn on the API key creation setting, users in your account require specific access to create API keys, including the account owner.

To turn on the setting to restrict users from creating user API keys, you must have the following assigned access:

• An IAM policy with the Administrator, Operator, or Editor role on the IAM Identity Service.

Before you can set limits for login sessions by using Terraform, make sure that you have completed the following:

• Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
• Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

To restrict who can create API keys, use the following steps:

Enabling this setting affects only the creation of user API keys. It does not affect API keys for service IDs.

1. Create an argument in your main.tf file. The following example enables the API key creation setting by using the ibm_iam_account_settings and iam_account_settings_instance resources.

2. Defines whether or not creating platform API keys is access controlled. Supported valid values are:

   • RESTRICTED - to apply access control
   • NOT_RESTRICTED - to remove access control
   • NOT_SET - to unset a previous set value.

   resource "ibm_iam_account_settings" "iam_account_settings_instance" {
   restrict_create_platform_apikey  = "RESTRICTED"
   }
   

3. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.

   1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

      terraform plan
      

   2. Run terraform apply to create the resources that are defined in the plan.

      terraform apply
      

For more information, see the Terraform documentation.

Now that the setting is enabled to restrict users from creating API keys, you can assign the required access to enable specific users to continue creating user API keys. Remember, the account owner is also required to be assigned this explicit access.

Assigning access to create API keys with restrictions enabled

If the API key creation setting is enabled, only users, including the account owner, assigned the User API key creator role on the IAM Identity Service can create API keys.

The quickest way to assign a group of users the required access for creating API keys is to create an access group and assign the group the required role. For more information about assigning access policies, see Setting up access groups.