Context-based restrictions CLI plug-in
The IBM Cloud® context-based restrictions command line interface (CLI) provides extra capabilities for context-based restrictions. You can use this CLI plug-in to manage access restrictions for IBM Cloud® resources based on the network location of access requests.
Before you begin
- Install the IBM Cloud CLI. For more information, see Getting started with the IBM Cloud CLI. The prefix for running commands by using the IBM Cloud CLI is ibmcloud.
- Before you run commands, log in to IBM Cloud with the ibmcloud login command to generate an access token and authenticate your session.
Installing the context-based restrictions plug-in
To install the context-based restrictions plug-in, run the following command:
ibmcloud plugin install cbr
In the command line, you are notified when updates to the ibmcloud CLI and cbr CLI plug-in are available. Ensure that you keep your CLI up to date so that you can use all the available commands and flags.
If you want to view the current version of your cbr CLI plug-in, run ibmcloud plugin list.
Zones
Operations on network zones.
ibmcloud cbr zone-create
This operation creates a network zone for the specified account.
ibmcloud cbr zone-create [--name NAME] [--description DESCRIPTION] [--addresses ADDRESSES] [--excluded EXCLUDED] [--vpc VPC] [--service-ref SERVICE-REF] [--file FILE]
Example
ibmcloud cbr zone-create --name example-zone --description "Example zone description" --addresses 192.0.2.1,3ffe:1900:fe21:4545::,192.2.3.5-192.2.3.10,3ffe:1900:fe21:4547::-3ffe:1900:fe21:6767::
ibmcloud cbr zone-create --name example-zone-with-service-ref --service-ref service_name=kms
ibmcloud cbr zone-create --name example-zone-with-vpc --vpc crn:v1:staging:public:is:us-south:a/12ab34cd56ef78ab90cd12ef34ab56cd::vpc:r123-abc456de-f789-abc1-23de-f456abc789ab
Example output
id 9adc34f2867a43452a517b3c2de78b95
crn crn:v1:bluemix:public:cbr:global:a/0123456789::zone:9adc34f2867a43452a517b3c2de78b95
address_count 4
excluded_count 0
name test
account_id 0123456789
description
addresses <Array>
excluded -
href https://cbr.cloud.ibm.com/v1/zones/9adc34f2867a43452a517b3c2de78b95
created_at 2024-03-06T22:20:25.000Z
created_by_id iam-ServiceId-0123456789
last_modified_at 2024-03-06T22:20:25.000Z
last_modified_by_id iam-ServiceId-0123456789
Command options
--name (string): The name of the zone.
--description (string): The description of the zone.
--addresses (string): The list of addresses in the zone. Only addresses of type ipAddress, ipRange, and subnet are allowed in a comma-delimited format. IPv4 and IPv6 are supported.
--excluded (string): The list of excluded addresses in the zone. Only addresses of type ipAddress, ipRange, and subnet are allowed in a comma-delimited format.
--service-ref (string): The service refs in the zone. Input in the form service_name=VALUE,service_name=VALUE,... To find a list of available service refs, run the ibmcloud cbr service-ref-targets command.
--vpc (string): The VPCs allowed in the zone. Input in the form value,value,...
--file (string): The supplied file is used to create the zone. This flag is unique and cannot be used with other flags. The file needs to follow the JSON schema for the zone create API. For more information, see the Context-based restrictions API.
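Because zone-create and zone-update take the whole address list (and zone-update replaces the entire zone), a mistyped entry is worth catching before it is submitted. The following Python check is an added example, not part of the IBM Cloud CLI or its documentation: it classifies each comma-delimited entry as ipAddress, ipRange, or subnet, flags malformed entries and exclusions that fall outside the listed addresses, and builds a JSON object for --file. The function names and the type/value field layout are assumptions; confirm the layout against the Context-based restrictions API schema.

```python
import ipaddress
import json

def parse(entry):
    """Classify one entry; return (type, value, (ip_version, first, last))."""
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return "subnet", entry, (net.version, int(net[0]), int(net[-1]))
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"range {entry!r} mixes IP versions or is reversed")
        return "ipRange", entry, (lo.version, int(lo), int(hi))
    ip = ipaddress.ip_address(entry)
    return "ipAddress", entry, (ip.version, int(ip), int(ip))

def build_zone(name, addresses, excluded=""):
    """Return (zone_dict, problems); use zone_dict only when problems is empty."""
    problems, parsed = [], {"addresses": [], "excluded": []}
    for field, raw in (("addresses", addresses), ("excluded", excluded)):
        for entry in filter(None, (e.strip() for e in raw.split(","))):
            try:
                parsed[field].append(parse(entry))
            except ValueError as err:
                problems.append(f"{field}: {entry!r}: {err}")
    # An exclusion outside every listed entry has no effect and usually means a typo.
    for _, value, (ver, first, last) in parsed["excluded"]:
        if not any(v == ver and f <= first and last <= l
                   for _, _, (v, f, l) in parsed["addresses"]):
            problems.append(f"excluded: {value!r} is not inside any single listed entry")
    zone = {"name": name}  # assumed field layout for the --file JSON
    for field in parsed:
        zone[field] = [{"type": t, "value": v} for t, v, _ in parsed[field]]
    return zone, problems

if __name__ == "__main__":
    # Constructed input: values in the style of the page's examples plus one malformed entry.
    zone, problems = build_zone(
        "Example Zone Name",
        "166.22.23.0-166.22.23.108,3ffe:1900:fe21:4545::,3ffe:1900:fe21:6767:",
        "166.22.23.100")
    print(json.dumps(zone, indent=2))
    print("\n".join(problems) or "no problems")
```
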
ibmcloud cbr zones
This operation lists network zones in the specified account.
ibmcloud cbr zones [--name NAME] [--sort SORT]
Example
ibmcloud cbr zones
Example output
id name address_count
9adc34f2867a43452a517b3c2de78b95 test 4
12ab34cd56ef78ab90cd12ef34ab56cd example 2
Command options
--name
(string)- The name of the zone.
--sort
(string)- Sorts results by using a valid sort field. To learn more, see Sorting.
ibmcloud cbr zone
This operation retrieves the network zone that is identified by the specified zone ID.
ibmcloud cbr zone ZONE-ID
Example
ibmcloud cbr zone 9adc34f2867a43452a517b3c2de78b95
Example output
id 9adc34f2867a43452a517b3c2de78b95
crn crn:v1:bluemix:public:cbr:global:a/0123456789::zone:9adc34f2867a43452a517b3c2de78b95
address_count 4
excluded_count 0
name test
account_id 0123456789
description
addresses <Array>
excluded -
href https://cbr.cloud.ibm.com/v1/zones/9adc34f2867a43452a517b3c2de78b95
created_at 2024-03-06T22:20:25.000Z
created_by_id iam-ServiceId-0123456789
last_modified_at 2024-03-06T22:20:25.000Z
last_modified_by_id iam-ServiceId-0123456789
ibmcloud cbr zone-update
This operation replaces the network zone that is identified by the specified zone ID. Partial updates are not supported and the entire network zone object is replaced.
ibmcloud cbr zone-update ZONE-ID [--name NAME] [--description DESCRIPTION] [--addresses ADDRESSES] [--excluded EXCLUDED] [--vpc VPC] [--service-ref SERVICE-REF] [--file FILE]
Example
ibmcloud cbr zone-update 9adc34f2867a43452a517b3c2de78b95 --name 'Example Zone Name' --addresses 166.22.23.0-166.22.23.108,3ffe:1900:fe21:4545:: --excluded 166.22.23.100
ibmcloud cbr zone-update 9adc34f2867a43452a517b3c2de78b95 --name example-zone-with-service-ref --service-ref service_name=kms
ibmcloud cbr zone-update 9adc34f2867a43452a517b3c2de78b95 --name example-zone-with-vpc --vpc crn:v1:staging:public:is:us-south:a/12ab34cd56ef78ab90cd12ef34ab56cd::vpc:r123-abc456de-f789-abc1-23de-f456abc789ab
Example output
id 9adc34f2867a43452a517b3c2de78b95
crn crn:v1:bluemix:public:cbr:global:a/0123456789::zone:9adc34f2867a43452a517b3c2de78b95
address_count 2
excluded_count 0
name test update
account_id 0123456789
description
addresses <Array>
excluded -
href https://cbr.cloud.ibm.com/v1/zones/9adc34f2867a43452a517b3c2de78b95
created_at 2024-03-06T22:20:25.000Z
created_by_id iam-ServiceId-0123456789
last_modified_at 2024-03-06T22:29:19.000Z
last_modified_by_id iam-ServiceId-0123456789
Command options
--name (string): The name of the zone.
--description (string): The description of the zone.
--addresses (string): The list of addresses in the zone. Only addresses of type ipAddress, ipRange, and subnet are allowed in a comma-delimited format. IPv4 and IPv6 are supported.
--excluded (string): The list of excluded addresses in the zone. Only addresses of type ipAddress, ipRange, and subnet are allowed in a comma-delimited format.
--service-ref (string): The service refs in the zone. Input in the form name=value,name=value,...
--vpc (string): The VPCs allowed in the zone. Input in the form value,value,...
--file (string): The supplied file is used to update the zone. This flag is unique and cannot be used with other flags. The file needs to follow the JSON schema for the zone update API. For more information, see the Context-based restrictions API.
ibmcloud cbr zone-delete
This operation deletes the network zone that is identified by the specified zone ID.
ibmcloud cbr zone-delete ZONE-ID
Example
ibmcloud cbr zone-delete 65810ac762004f22ac19f8f8edf70a34
ibmcloud cbr service-ref-targets
This operation lists all of the available service reference targets.
ibmcloud cbr service-ref-targets [--type TYPE]
Example
ibmcloud cbr service-ref-targets
Example output
service_name service_type locations
ace - -
apprapp - na, us, dal
apprapp-dev - na, us, dal
cloud-object-storage - na, us, sjc
cloudantnosqldb - ap, au, syd, +27
codeengine - ap, au, syd, +6
compliance platform_service na, us, dal, +1
containers-kubernetes - na, us, dal
directlink - -
event-notifications - na, us, dal
globalcatalog-collection - -
iam-groups platform_service -
is - eu, es, mad, +4
kms - -
logdna - ap, au, syd, +17
logdnaat - ap, au, syd, +17
messagehub - eu, uk, lon, +3
messagehub-vnext-integration - eu, uk, lon, +3
schematics - eu, de, fra, +6
secrets-manager - -
server-protect - eu, es, mad, +4
sysdig-monitor - eu, uk, lon, +3
sysdig-secure - eu, uk, lon, +3
toolchain - ap, au, syd, +6
user-management platform_service -
Command options
--type (string): Specifies the types of services to retrieve. The default value is all. Allowable values are: all, platform_service.
ibmcloud cbr service-ref-target
This operation gets the service reference target for a specified service name.
ibmcloud cbr service-ref-target SERVICE-NAME
Example
ibmcloud cbr service-ref-target compliance
Example output
Service Name compliance
Service Type: platform_service
Locations:
Name Display Name Kind
na North America geography
us United States country
dal Dallas metro
wdc Washington DC metro
Rules
Operations on context-based restriction rules.
ibmcloud cbr rule-create
This operation creates a rule for the specified account.
ibmcloud cbr rule-create [--description DESCRIPTION] [--context-attributes CONTEXT-ATTRIBUTES] [--resource-attributes RESOURCE-ATTRIBUTES] [--region REGION] [--resource RESOURCE] [--resource-group-id RESOURCE-GROUP-ID] [--resource-type RESOURCE-TYPE] [--service-instance SERVICE-INSTANCE-GUID] [--service-name SERVICE-NAME] [--zone-id ZONE-ID] [--tags TAGS] [--enforcement-mode ENFORCEMENT-MODE] [--file FILE]
Example
ibmcloud cbr rule-create --description 'Example Rule Description' --service-name kms --context-attributes endpointType=private --zone-id 93de8d3f588ab2c457ff576c364d1145
Example output
id 2c54cb0fefb0050c88f72d68c400fbec
crn crn:v1:bluemix:public:cbr:global:a/0123456789::rule:2c54cb0fefb0050c88f72d68c400fbec
description test
operations <Nested Object>
contexts <Array>
resources <Array>
href https://cbr.cloud.ibm.com/v1/rules/2c54cb0fefb0050c88f72d68c400fbec
created_at 2024-03-07T15:36:52.000Z
created_by_id iam-ServiceId-0123456789
last_modified_at 2024-03-07T15:36:52.000Z
last_modified_by_id iam-ServiceId-0123456789
enforcement_mode enabled
Command options
--description (string): The description of the rule.
--context-attributes (string): The context-attributes this rule applies to in the form of name=value,name=value,...
--resource-attributes (string): The resource-attributes this rule applies to in the form of name=value,name=value,...
--region (string): Shorthand for creating IBM Cloud resource attribute region. For supported regions, run ibmcloud regions.
--resource (string): Shorthand for creating IBM Cloud resource attribute resource.
--resource-group-id (string): Shorthand for creating IBM Cloud resource attribute resourceGroupId.
--resource-type (string): Shorthand for creating IBM Cloud resource attribute resourceType.
--service-instance SERVICE_INSTANCE_GUID (string): GUID of the service instance. This option is exclusive with the --file option.
--service-name (string): Shorthand for creating IBM Cloud resource attribute serviceName.
--zone-id (string): Shorthand for adding context attribute networkZoneId to the first context.
--tags (string): The access tags of the resource in the form of name:value,name:value,...
--enforcement-mode (string): How the rule is enforced. The CLI accepts the values enabled (default), disabled, and report. For more information about enforcement, see Rule enforcement.
--file (string): The supplied file is used to create the rule. This flag is unique and cannot be used with other flags. The file needs to follow the JSON schema for the rule create API. For more information, see the Context-based restrictions API.
ibmcloud cbr rules
This operation lists rules in the specified account.
ibmcloud cbr rules [--enforcement-mode ENFORCEMENT-MODE] [--region REGION] [--resource RESOURCE] [--resource-type RESOURCE-TYPE] [--service-instance SERVICE-INSTANCE-GUID] [--service-name SERVICE-NAME] [--zone-id ZONE-ID] [--sort SORT]
Example
ibmcloud cbr rules
Example output
id description enforcement_mode
2c54cb0fefb0050c88f72d68c400fbec test enabled
a4135a90bb507bf6d96cf4c6f009d151 example enabled
Command options
--enforcement-mode (string): How the rule is enforced. The CLI accepts the values enabled (default), disabled, and report. For more information about enforcement, see Rule enforcement.
--region (string): The region resource attribute.
--resource (string): The resource resource attribute.
--resource-type (string): The resourceType resource attribute.
--service-instance SERVICE_INSTANCE_GUID (string): GUID of the service instance. This option is exclusive with the --file option.
--service-name (string): The serviceName resource attribute.
--zone-id (string): The globally unique ID of the zone.
--sort (string): Sorts results by using a valid sort field. To learn more, see Sorting.
ibmcloud cbr rule
This operation retrieves the rule that is identified by the specified rule ID.
ibmcloud cbr rule RULE-ID
Example
ibmcloud cbr rule 30fd58c9b75f40e854b89c432318b4a2
Example output
id 2c54cb0fefb0050c88f72d68c400fbec
crn crn:v1:bluemix:public:cbr:global:a/0123456789::rule:2c54cb0fefb0050c88f72d68c400fbec
description test
operations <Nested Object>
contexts <Array>
resources <Array>
href https://cbr.cloud.ibm.com/v1/rules/2c54cb0fefb0050c88f72d68c400fbec
created_at 2024-03-07T15:36:52.000Z
created_by_id iam-ServiceId-0123456789
last_modified_at 2024-03-07T15:36:52.000Z
last_modified_by_id iam-ServiceId-0123456789
enforcement_mode enabled
ibmcloud cbr rule-update
This operation replaces the rule that is identified by the specified rule ID. Partial updates are not supported and the entire rule object is replaced.
ibmcloud cbr rule-update RULE-ID [--description DESCRIPTION] [--context-attributes CONTEXT-ATTRIBUTES] [--resource-attributes RESOURCE-ATTRIBUTES] [--region REGION] [--resource RESOURCE] [--resource-group-id RESOURCE-GROUP-ID] [--resource-type RESOURCE-TYPE] [--service-instance SERVICE-INSTANCE-GUID] [--service-name SERVICE-NAME] [--zone-id ZONE-ID] [--tags TAGS] [--enforcement-mode ENFORCEMENT-MODE] [--file FILE]
Example
ibmcloud cbr rule-update 30fd58c9b75f40e854b89c432318b4a2 --description 'Example rule description' --service-name kms --context-attributes endpointType=private --zone-id 93de8d3f588ab2c457ff576c364d1145
Example output
id 2c54cb0fefb0050c88f72d68c400fbec
crn crn:v1:bluemix:public:cbr:global:a/0123456789::rule:2c54cb0fefb0050c88f72d68c400fbec
description updated
operations <Nested Object>
contexts <Array>
resources <Array>
href https://cbr.cloud.ibm.com/v1/rules/2c54cb0fefb0050c88f72d68c400fbec
created_at 2024-03-07T15:36:52.000Z
created_by_id iam-ServiceId-0123456789
last_modified_at 2024-03-07T15:41:18.000Z
last_modified_by_id iam-ServiceId-0123456789
enforcement_mode enabled
Command options
--description (string): The description of the rule.
--context-attributes (string): The context-attributes this rule applies to in the form of name=value,name=value,...
--resource-attributes (string): The resource-attributes this rule applies to in the form of name=value,name=value,...
--region (string): Shorthand for creating IBM Cloud resource attribute region. For supported regions, run ibmcloud regions.
--resource (string): Shorthand for creating IBM Cloud resource attribute resource.
--resource-group-id (string): Shorthand for creating IBM Cloud resource attribute resourceGroupId.
--resource-type (string): Shorthand for creating IBM Cloud resource attribute resourceType.
--service-instance SERVICE_INSTANCE_GUID (string): GUID of the service instance. This option is exclusive with the --file option.
--service-name (string): Shorthand for creating IBM Cloud resource attribute serviceName.
--zone-id (string): Shorthand for adding context attribute networkZoneId to the first context.
--tags (string): The access tags of the resource in the form of name:value,name:value,...
--enforcement-mode (string): How the rule is enforced. The CLI accepts the values enabled (default), disabled, and report. For more information about enforcement, see Rule enforcement.
--file (string): The supplied file is used to update the rule. This flag is unique and cannot be used with other flags. The file needs to follow the JSON schema for the rule update API. For more information, see the Context-based restrictions API.
ibmcloud cbr rule-delete
This operation deletes the rule that is identified by the specified rule ID.
ibmcloud cbr rule-delete RULE-ID
Example
ibmcloud cbr rule-delete 30fd58c9b75f40e854b89c432318b4a2