IBM Cloud Docs
Protecting catalogs with context-based restrictions

Protecting catalogs with context-based restrictions

Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to catalogs (Catalog Management service) can be controlled with context-based restrictions and identity and access management (IAM) policies.

These restrictions work with traditional IAM policies, which are based on identity, to provide another layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.

Any IBM Cloud Activity Tracker or audit log events generated come from the context-based restrictions service, not Catalog Management. For more information, see Monitoring context-based restrictions.

Before you begin

Review the following access requirements:

  • A user must have the Administrator role on the Catalog Management service to create, update, or delete rules.
  • A user must also have either the Editor or Administrator role on the Context-based restrictions service to create, update, or delete network zones.
  • A user with the Viewer role on the Context-based restrictions service can add only network zones to a rule.

To get started protecting your catalogs with context-based restrictions, see the tutorial for Leveraging context-based restrictions to secure your resources.

How catalogs integrate with context-based restrictions

Protecting specific APIs

You can create context-based restrictions to protect the following APIs for the Catalog Management Service.

Service APIs
Target Service APIs to protect actions like sharing private catalogs and managing catalog settings.
Platform APIs
Target Platform APIs to protect create, update, and delete actions on your private catalogs. When a context-based restriction is protecting the Catalog Management Platform APIs, users must satisfy the rule to view the private catalogs that you specify.

Protecting specific resources

You can protect specific resources by scoping your rule to the available attributes for Catalog Management.

Catalog
Scope your rule to protect a specific private catalog. Users can view the catalog that you protect only if they satisfy your context rule.

Limitations

Context-based restrictions protect only the actions associated with the Catalog Management API. For more information, see IAM roles and actions. Actions that are associated with the following platform APIs are not protected by context-based restrictions. Reference the API docs for the specific action IDs.

Creating network zones

A network zone represents an allowlist of IP addresses where an access request is created. It defines a set of one or more network locations that are specified by the following attributes:

  • IP addresses, which include individual addresses, ranges, or subnets.
  • VPCs
  • Service references, which allow access from other IBM Cloud services.

Make sure to add Catalog Management to network zones for rules that target other IBM Cloud resources, or some operations in your workflow might fail.

Service references

Add the Catalog Management Service (globalcatalog-collection) to your network zones for rules created against the following services. This way, the two services can continue to communicate.

Secrets Manager
If you have a rule that protects Secrets Manager and you’re onboarding a product with Secrets Manager, add your IP address and the Catalog Management service to a network zone as a service reference.
Schematics
If you’re using a target account to validate a product and you have a rule protecting Schematics in the target account, add the Catalog Management service to a network zone as a service reference.

Similarly, if you have a rule that targets the Catalog Management Service, add the Schematics service as a service reference in the network zone.

IAM Identity
If you have a rule scoped to protect the entire IAM Identity service or scoped to the trusted profile that you use for validation, add the Catalog Management service to a network zone as a service reference so that the validation flow still works.

Make sure to add that network zone to your context-based restriction rule. This way, the two services can continue to communicate.

Example by using the console

By creating network zones, you establish a list of allowed locations where an access request originates. Add the Catalog Management service to that allowlist as a service reference. After you create a network zone, you can add it to a rule.

To create a network zone, complete the following steps:

  1. In the IBM Cloud console, click Manage > Context-based restrictions, and select Network zones.

  2. Click Create.

    Instead of creating a zone by using UI inputs, you can use the JSON code form to directly enter JSON to create a zone by clicking Enter as JSON code.

  3. Enter a unique name and a description. For example, "Catalog zone" and "Allow catalogs to interact with other services".

  4. Reference a service. Select the service type "IAM services" and then select the Catalog Management service. Click Add to associate the service's IP addresses with your network zone.

  5. Click Next to review your network zone.

  6. Click Create.

Example by using the CLI

By creating network zones, you establish a list of allowed locations where an access request originates. Add the Catalog Management service to that allowlist as a service reference. After you create a network zone, you can add it to a rule.

  1. Install the Context-based restrictions CLI plug-in by running the following command:

    ibmcloud plugin install cbr

  2. To create a network zone, use the cbr zone-create command.

    The following example creates a network zone with a service reference. For more information, see Service references.

    ibmcloud cbr zone-create --name CatalogZone --description "Allow catalogs to interact with other services" --service-ref service_name=globalcatalog-collection

    To find a list of available service references, run the ibmcloud cbr service-ref-targets command.

Example by using the API

By creating network zones, you establish a list of allowed locations where an access request originates. Add the Catalog Management service to that allowlist as a service reference. After you create a network zone, you can add it to a rule.

To create a network zone that includes the Catalog Management service, call the Context-based restrictions API as shown in the following example:

{
  "name": "Catalog zone",
  "description": "Allow catalogs to interact with other services",
  "addresses": [
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "globalcatalog-collection"
      }
    }
  ]
}

AddressIPAddress ipAddressModel = new AddressIPAddress.Builder()
ServiceRefValue serviceRefValueModel = new ServiceRefValue.Builder()
  .accountId(accountID)
  .serviceName("globalcatalog-collection")
  .build();
AddressServiceRef serviceRefAddressModel = new AddressServiceRef.Builder()
  .type("serviceRef")
  .ref(serviceRefValueModel)
  .build();
CreateZoneOptions createZoneOptions = new CreateZoneOptions.Builder()
  .name("Catalog zone")
  .accountId(accountID)
  .description("Allow catalogs to interact with other services")
  .addresses(java.util.Arrays.asList(ipAddressModel, ipRangeAddressModel, subnetAddressModel, vpcAddressModel, serviceRefAddressModel))
  .excluded(java.util.Arrays.asList(excludedIPAddressModel))
  .build();

Response<Zone> response = contextBasedRestrictionsService.createZone(createZoneOptions).execute();
Zone zone = response.getResult();

System.out.println(zone);

// Request models needed by this operation.

// AddressServiceRef
const serviceRefAddressModel = {
  type: 'serviceRef',
  ref: {
    account_id: accountId,
    service_name: 'globalcatalog-collection',
  },
};

const params = {
  name: 'Catalog zone',
  accountId,
  addresses: [ipAddressModel, ipRangeAddressModel, subnetAddressModel, vpcAddressModel, serviceRefAddressModel],
  excluded: [excludedIPAddressModel],
  description: 'Allow catalogs to interact with other services',
};

try {
  const res = await contextBasedRestrictionsService.createZone(params);
  zoneId = res.result.id;
  zoneRev = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}

service_ref_address_model = {
  'type': 'serviceRef',
  'ref': {
    'account_id': account_id,
    'service_name': 'globalcatalog-collection',
  }
}

zone = context_based_restrictions_service.create_zone(
  name='catalog zone',
  account_id=account_id,
  addresses=[service_ref_address_model],
  description='allow catalogs to interact with other services',
).get_result()

print(json.dumps(zone, indent=2))

serviceRefAddressModel := &contextbasedrestrictionsv1.AddressServiceRef{
  Type: core.StringPtr("serviceRef"),
  Ref: &contextbasedrestrictionsv1.ServiceRefValue{
    AccountID:   core.StringPtr(accountID),
    ServiceName: core.StringPtr("globalcatalog-collection"),
  },

createZoneOptions := contextBasedRestrictionsService.NewCreateZoneOptions()
createZoneOptions.SetName("catalog zone")
createZoneOptions.SetAccountID(accountID)
createZoneOptions.SetDescription("allow catalogs to interact with other services")
createZoneOptions.SetAddresses([]contextbasedrestrictionsv1.AddressIntf{serviceRefAddressModel})

zone, response, err := contextBasedRestrictionsService.CreateZone(createZoneOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(zone, "", "  ")
fmt.Println(string(b))

To find a list of available service references, call the ListAvailableServicerefTargets method.

Creating network zones by using Terraform

By creating network zones, you establish a list of allowed locations where an access request originates. Add the Catalog Management service to that allowlist as a service reference. After you create a network zone, you can add it to a rule.

To create a network zone, use the Terraform resource cbr_zone.

  1. To install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform, follow the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.

  2. Create a Terraform configuration file that is named main.tf. In this file, you add the configuration to create a network zone by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

    The following example creates a network zone that allows a single IP address and explicitly excludes a single IP address.

    resource "ibm_cbr_zone" "cbr_zone" {
  account_id = "12ab34cd56ef78ab90cd12ef34ab56cd"
  addresses {
        type = "serviceRef"
        value = "globalcatalog-collection"
  }
  description = "allow catalogs to interact with other services"
  name = "catalog zone"
}