IBM Cloud Docs
Context-based restrictions CLI plug-in

The IBM Cloud® context-based restrictions command line interface (CLI) provides extra capabilities for context-based restrictions. You can use this CLI plug-in to manage access restrictions for IBM Cloud® resources based on the network location of access requests.

Before you begin

  • Install the IBM Cloud CLI. For more information, see Getting started with the IBM Cloud CLI. The prefix for running commands by using the IBM Cloud CLI is ibmcloud.
  • Before you run commands, log in to IBM Cloud with the ibmcloud login command to generate an access token and authenticate your session.

Installing the context-based restrictions plug-in

To install the context-based restrictions plug-in, run the following command:

ibmcloud plugin install cbr

In the command line, you are notified when updates to the ibmcloud CLI and cbr CLI plug-in are available. Ensure that you keep your CLI up to date so that you can use all the available commands and flags.

If you want to view the current version of your cbr CLI plug-in, run ibmcloud plugin list.

Zones

Operations on network zones.

ibmcloud cbr zone-create

This operation creates a network zone for the specified account.

ibmcloud cbr zone-create [--name NAME] [--description DESCRIPTION] [--addresses ADDRESSES] [--vpc VPC] [--service-ref SERVICEREF] [--excluded EXCLUDED] [--empty-address-list] [--file FILE]

Example

ibmcloud cbr zone-create --name example-zone --description "Example zone description" --addresses 192.0.2.1,3ffe:1900:fe21:4545::,192.2.3.5-192.2.3.10,3ffe:1900:fe21:4547::-3ffe:1900:fe21:6767:

ibmcloud cbr zone-create --name example-zone-with-service-ref --service-ref service_name=kms,location=us-south

ibmcloud cbr zone-create --name example-zone-with-vpc --vpc crn:v1:staging:public:is:us-south:a/12ab34cd56ef78ab90cd12ef34ab56cd::vpc:r123-abc456de-f789-abc1-23de-f456abc789ab

Example output

id                    9adc34f2867a43452a517b3c2de78b95   
crn                   crn:v1:bluemix:public:cbr:global:a/0123456789::zone:9adc34f2867a43452a517b3c2de78b95   
address_count         7   
excluded_count        0   
name                  test   
account_id            0123456789   
description              
Addresses             1 IP Address, 1 IP Range, 1 Subnet, 2 VPCs, 2 Service References                                                                    
Excluded              No addresses       
href                  https://cbr.cloud.ibm.com/v1/zones/9adc34f2867a43452a517b3c2de78b95   
created_at            2024-03-06T22:20:25.000Z   
created_by_id         iam-ServiceId-0123456789
last_modified_at      2024-03-06T22:20:25.000Z   
last_modified_by_id   iam-ServiceId-0123456789

Command options

--name (string)
The name of the zone.
--description (string)
The description of the zone.
--addresses (string)
The list of addresses in the zone. Only addresses of type ipAddress, ipRange, and subnet are allowed in a comma delimited format. IPv4 and IPv6 are supported.
--service-ref (string)
The service refs in the zone. Input in the form service_name=VALUE,service_name=VALUE,....
To find a list of available service refs, run the ibmcloud cbr service-ref-targets command.
--vpc (string)
The VPCs allowed in the zone. Input in the form value,value,....
--excluded (string)
The list of excluded addresses in the zone. Only addresses of type ipAddress, ipRange, and subnet are allowed in a comma delimited format.
--empty-address-list (bool)
Explicitly specifies that the zone will have no addresses. This cannot be used in tandem with the addresses, service-ref, vpc, or excluded flags.
--file (string)
The supplied file is used to create the zone. This flag is unique and cannot be used with other flags. The file needs to follow the JSON schema for the zone create API. For more information, see the Context-based restrictions API.
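The --addresses and --excluded flags accept only the ipAddress, ipRange and subnet forms described above, in one comma-delimited string. The following is an added example (not code from the page or from the cbr plug-in) that pre-checks such a string before it reaches the CLI, rejects entries that would silently widen a zone to every caller (a /0 subnet, a reversed or mixed-family range, a CIDR with host bits set), and summarizes the zone the way the command output does. The JSON object shapes it emits for a --file document are an assumption about the zone API, not taken from this page.

```python
import ipaddress
import json

# The three type names come from the page's --addresses/--excluded description.
# The JSON object shapes ({"type": ..., "value": ...}) used for a --file document
# are an ASSUMPTION about the CBR zone API, not shown on this page: confirm them
# against the Context-based restrictions API reference before relying on them.


def classify(entry):
    """Classify one comma-separated element as ipAddress, ipRange or subnet."""
    entry = entry.strip()
    if "-" in entry:  # ipRange: start-end, both ends in the same IP family
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {entry}")
        return {"type": "ipRange", "value": f"{start}-{end}"}
    if "/" in entry:  # subnet: strict=True rejects CIDRs with host bits set
        net = ipaddress.ip_network(entry, strict=True)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 would admit every caller
            raise ValueError(f"subnet allows all addresses: {entry}")
        return {"type": "subnet", "value": str(net)}
    return {"type": "ipAddress", "value": str(ipaddress.ip_address(entry))}


def check_addresses(flag_value):
    """Pre-flight check for a --addresses/--excluded value: returns a list of problems."""
    problems = []
    for entry in flag_value.split(","):
        if entry.strip():
            try:
                classify(entry)
            except ValueError as exc:  # raised by classify() or by ipaddress itself
                problems.append(str(exc))
    return problems


def build_zone(name, addresses="", excluded="", vpcs=(), service_refs=(), description=""):
    """Assemble a zone from the same inputs the CLI flags take and summarize it."""
    addr_objs = [classify(e) for e in addresses.split(",") if e.strip()]
    addr_objs += [{"type": "vpc", "value": crn} for crn in vpcs]
    addr_objs += [{"type": "serviceRef", "ref": dict(ref)} for ref in service_refs]
    excl_objs = [classify(e) for e in excluded.split(",") if e.strip()]
    if not addr_objs:
        raise ValueError("no addresses: pass --empty-address-list if that is intended")
    counts = {}
    for obj in addr_objs:
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    labels = [("ipAddress", "IP Address", "IP Addresses"),
              ("ipRange", "IP Range", "IP Ranges"), ("subnet", "Subnet", "Subnets"),
              ("vpc", "VPC", "VPCs"), ("serviceRef", "Service Reference", "Service References")]
    summary = ", ".join(f"{counts[t]} {one if counts[t] == 1 else many}"
                        for t, one, many in labels if t in counts)
    return {"name": name, "description": description, "addresses": addr_objs,
            "excluded": excl_objs, "address_count": len(addr_objs),
            "excluded_count": len(excl_objs), "summary": summary}


if __name__ == "__main__":
    # Constructed sample: the same mix as the seven-entry zone in the page's output.
    zone = build_zone(
        "test",
        addresses="192.0.2.1,192.2.3.5-192.2.3.10,198.51.100.0/24",
        vpcs=("crn:v1:...:vpc:PLACEHOLDER-A", "crn:v1:...:vpc:PLACEHOLDER-B"),
        service_refs=({"service_name": "kms", "location": "us-south"},
                      {"service_name": "cloud-object-storage"}),
    )
    print(zone["summary"])
    print(json.dumps({k: zone[k] for k in ("name", "description", "addresses", "excluded")}, indent=2))
```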

ibmcloud cbr zones

This operation lists network zones in the specified account.

ibmcloud cbr zones [--name NAME] [--sort SORT]

Example

ibmcloud cbr zones

Example output

id                                 name      address_count   excluded_count   
9adc34f2867a43452a517b3c2de78b95   test      7               0
12ab34cd56ef78ab90cd12ef34ab56cd   example   2               0

Command options

--name (string)
The name of the zone.
--sort (string)
Sorts results by using a valid sort field. To learn more, see Sorting.

ibmcloud cbr zone

This operation retrieves the network zone that is identified by the specified zone ID.

ibmcloud cbr zone ZONE-ID

Example

ibmcloud cbr zone 9adc34f2867a43452a517b3c2de78b95

Example output

id                    9adc34f2867a43452a517b3c2de78b95   
crn                   crn:v1:bluemix:public:cbr:global:a/0123456789::zone:9adc34f2867a43452a517b3c2de78b95   
address_count         7   
excluded_count        0   
name                  test   
account_id            0123456789   
description              
Addresses             1 IP Address, 1 IP Range, 1 Subnet, 2 VPCs, 2 Service References                                                                    
Excluded              No addresses       
href                  https://cbr.cloud.ibm.com/v1/zones/9adc34f2867a43452a517b3c2de78b95   
created_at            2024-03-06T22:20:25.000Z   
created_by_id         iam-ServiceId-0123456789
last_modified_at      2024-03-06T22:20:25.000Z   
last_modified_by_id   iam-ServiceId-0123456789

ibmcloud cbr zone-update

This operation replaces the network zone that is identified by the specified zone ID. Partial updates are not supported and the entire network zone object is replaced.

ibmcloud cbr zone-update ZONE-ID [--name NAME] [--description DESCRIPTION] [--addresses ADDRESSES] [--vpc VPC] [--service-ref SERVICEREF] [--excluded EXCLUDED] [--empty-address-list] [--file FILE]

Example

ibmcloud cbr zone-update 9adc34f2867a43452a517b3c2de78b95 --name 'Example Zone Name' --addresses 166.22.23.0-166.22.23.108,3ffe:1900:fe21:4545:: --excluded 166.22.23.100

ibmcloud cbr zone-update 9adc34f2867a43452a517b3c2de78b95 --name example-zone-with-service-ref --service-ref service_name=kms,location=us-south

ibmcloud cbr zone-update 9adc34f2867a43452a517b3c2de78b95 --name example-zone-with-vpc --vpc crn:v1:staging:public:is:us-south:a/12ab34cd56ef78ab90cd12ef34ab56cd::vpc:r123-abc456de-f789-abc1-23de-f456abc789ab

Example output

id                    9adc34f2867a43452a517b3c2de78b95   
crn                   crn:v1:bluemix:public:cbr:global:a/0123456789::zone:9adc34f2867a43452a517b3c2de78b95   
address_count         7   
excluded_count        0   
name                  test update   
account_id            0123456789   
description              
Addresses             1 IP Address, 1 IP Range, 1 Subnet, 2 VPCs, 2 Service References                                                                    
Excluded              No addresses       
href                  https://cbr.cloud.ibm.com/v1/zones/9adc34f2867a43452a517b3c2de78b95   
created_at            2024-03-06T22:20:25.000Z   
created_by_id         iam-ServiceId-0123456789
last_modified_at      2024-03-06T22:29:19.000Z   
last_modified_by_id   iam-ServiceId-0123456789

Command options

--name (string)
The name of the zone.
--description (string)
The description of the zone.
--addresses (string)
The list of addresses in the zone. Only addresses of type ipAddress, ipRange, and subnet are allowed in a comma delimited format. IPv4 and IPv6 are supported.
--service-ref (string)
The service refs in the zone. Input in the form name=value,name=value,....
--vpc (string)
The VPCs allowed in the zone. Input in the form value,value,....
--excluded (string)
The list of excluded addresses in the zone. Only addresses of type ipAddress, ipRange, and subnet are allowed in a comma delimited format.
--empty-address-list (bool)
Explicitly specifies that the zone will have no addresses. This cannot be used in tandem with the addresses, service-ref, vpc, or excluded flags.
--file (string)
The supplied file is used to update the zone. This flag is unique and cannot be used with other flags. The file needs to follow the JSON schema for the zone update API. For more information, see the Context-based restrictions API.

ibmcloud cbr zone-patch

This operation performs a partial update of the network zone that is identified by the specified zone ID.

ibmcloud cbr zone-patch ZONE-ID [--name NAME] [--description DESCRIPTION]

Example

ibmcloud cbr zone-patch 9adc34f2867a43452a517b3c2de78b95 --name 'Example Zone Name' --description updated

Example output

id                    9adc34f2867a43452a517b3c2de78b95   
crn                   crn:v1:bluemix:public:cbr:global:a/0123456789::zone:9adc34f2867a43452a517b3c2de78b95   
address_count         7   
excluded_count        0   
name                  test update   
account_id            0123456789   
description           updated   
Addresses             1 IP Address, 1 IP Range, 1 Subnet, 2 VPCs, 2 Service References                                                                    
Excluded              No addresses       
href                  https://cbr.cloud.ibm.com/v1/zones/9adc34f2867a43452a517b3c2de78b95   
created_at            2024-03-06T22:20:25.000Z   
created_by_id         iam-ServiceId-0123456789
last_modified_at      2024-03-06T22:29:19.000Z   
last_modified_by_id   iam-ServiceId-0123456789

Command options

--name (string)
The name of the zone.
--description (string)
The description of the zone.

ibmcloud cbr zone-delete

This operation deletes the network zone that is identified by the specified zone ID.

ibmcloud cbr zone-delete ZONE-ID

Example

ibmcloud cbr zone-delete 65810ac762004f22ac19f8f8edf70a34

ibmcloud cbr service-ref-targets

This operation lists all of the available service reference targets.

ibmcloud cbr service-ref-targets [--type TYPE]

Example

ibmcloud cbr service-ref-targets

Example output

service_name                   service_type       locations   
ace                            -                  -   
apprapp                        -                  na, us, dal   
apprapp-dev                    -                  na, us, dal   
cloud-object-storage           -                  na, us, sjc   
cloudantnosqldb                -                  ap, au, syd, +27   
codeengine                     -                  ap, au, syd, +6   
compliance                     platform_service   na, us, dal, +1   
containers-kubernetes          -                  na, us, dal   
directlink                     -                  -   
event-notifications            -                  na, us, dal   
globalcatalog-collection       -                  -   
iam-groups                     platform_service   -   
is                             -                  eu, es, mad, +4   
kms                            -                  -   
logdna                         -                  ap, au, syd, +17   
logdnaat                       -                  ap, au, syd, +17   
messagehub                     -                  eu, uk, lon, +3   
messagehub-vnext-integration   -                  eu, uk, lon, +3   
schematics                     -                  eu, de, fra, +6   
secrets-manager                -                  -   
server-protect                 -                  eu, es, mad, +4   
sysdig-monitor                 -                  eu, uk, lon, +3   
sysdig-secure                  -                  eu, uk, lon, +3   
toolchain                      -                  ap, au, syd, +6   
user-management                platform_service   -   

Command options

--type (string)
Specifies the types of services to retrieve. The default value is all. Allowable values are: all, platform_service.

ibmcloud cbr service-ref-target

This operation gets the service reference target for a specified service name.

ibmcloud cbr service-ref-target SERVICE-NAME

Example

ibmcloud cbr service-ref-target compliance

Example output

Service Name     compliance         
Service Type:    platform_service   
Locations:       
                 Name               Display Name    Kind   
                 na                 North America   geography   
                 us                 United States   country   
                 dal                Dallas          metro   
                 wdc                Washington DC   metro   

Rules

Operations on context-based restriction rules.

ibmcloud cbr rule-create

This operation creates a rule for the specified account.

ibmcloud cbr rule-create [--description DESCRIPTION] [--resource-attributes RESOURCES] [--context-attributes CONTEXTS] [--api-types API-TYPES] [--enforcement-mode ENFORCEMENT-MODE] [--service-name SERVICE-NAME] [--service-group-id SERVICE-GROUP-ID] [--service-instance SERVICE-INSTANCE] [--region REGION] [--resource-type RESOURCE-TYPE] [--resource RESOURCE] [--resource-group-id RESOURCE-GROUP-ID] [--tags TAGS] [--zone-id ZONE-ID] [--empty-context-list] [--file FILE]

Example

ibmcloud cbr rule-create --description 'Example Rule Description' --service-name kms --context-attributes endpointType=private --zone-id 93de8d3f588ab2c457ff576c364d1145

ibmcloud cbr rule-create --service-name example-service --context-attributes mfa=LEVEL2,endpointType=public,networkZoneId=12ab34cd56ef78ab90cd12ef34ab56cd

Example output

id                    2c54cb0fefb0050c88f72d68c400fbec   
crn                   crn:v1:bluemix:public:cbr:global:a/0123456789::rule:2c54cb0fefb0050c88f72d68c400fbec   
description           test   
operations            1 API Type   
contexts              1 Context   
resources                                  
                      serviceInstance   1234567891234   
                      serviceName       cloud-object-storage
  
href                  https://cbr.cloud.ibm.com/v1/rules/2c54cb0fefb0050c88f72d68c400fbec   
created_at            2024-03-07T15:36:52.000Z   
created_by_id         iam-ServiceId-0123456789
last_modified_at      2024-03-07T15:36:52.000Z   
last_modified_by_id   iam-ServiceId-0123456789
enforcement_mode      enabled   

Command options

--description (string)
The description of the rule.
--resource-attributes (string)
The resource-attributes this rule applies to in the form of name=value,name=value,....
--context-attributes (string)
The context-attributes this rule applies to in the form of name=value,name=value,....
--api-types (string)
The APIs a rule applies to. For supported service API types, use the api-types command on the resource.
--enforcement-mode (string)
How the rule is enforced. The CLI accepts the values enabled (default), disabled, and report. For more information about enforcement, see Rule enforcement.
--service-name (string)
Shorthand for creating IBM Cloud resource attribute serviceName.
--service-group-id (string)
The service_group_id resource attribute.
--service-instance (string)
GUID of the service instance. This option is exclusive with the --file option.
--region (string)
Shorthand for creating IBM Cloud resource attribute region. For supported regions, run ibmcloud regions.
--resource-type (string)
Shorthand for creating IBM Cloud resource attribute resourceType.
--resource (string)
Shorthand for creating IBM Cloud resource attribute resource.
--resource-group-id (string)
Shorthand for creating IBM Cloud resource attribute resourceGroupId.
--tags (string)
The access tags of the resource in the form of name:value,name:value,....
--zone-id (string)
Shorthand for adding context attribute networkZoneId to the first context.
--empty-context-list (bool)
Explicitly specifies that the rule will have no contexts. This cannot be used in tandem with the context-attributes or zone-id flags.
--file (string)
The supplied file is used to create the rule. This flag is unique and cannot be used with other flags. The file needs to follow the JSON schema for the rule create API. For more information, see the Context-based restrictions API.

ibmcloud cbr rules

This operation lists rules in the specified account.

ibmcloud cbr rules [--enforcement-mode ENFORCEMENT-MODE] [--service-name SERVICE-NAME] [--service-group-id SERVICE-GROUP-ID] [--service-instance SERVICE-INSTANCE] [--region REGION] [--resource-type RESOURCE-TYPE] [--resource RESOURCE] [--zone-id ZONE-ID] [--sort SORT]

Example

ibmcloud cbr rules

Example output

id                                 service_name           enforcement   description   
2c54cb0fefb0050c88f72d68c400fbec   cloud-object-storage   enabled       test   
a4135a90bb507bf6d96cf4c6f009d151   kms                    disabled      example   

Command options

--enforcement-mode (string)
How the rule is enforced. The CLI accepts the values enabled (default), disabled, and report. For more information about enforcement, see Rule enforcement.
--region (string)
The region resource attribute.
--resource (string)
The resource resource attribute.
--resource-type (string)
The resourceType resource attribute.
--service-instance (string)
The GUID of the service instance.
--service-name (string)
The serviceName resource attribute.
--service-group-id (string)
The service_group_id resource attribute.
--zone-id (string)
The globally unique ID of the zone.
--sort (string)
Sorts results by using a valid sort field. To learn more, see Sorting.
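Because a rule can exist in disabled or report mode, listing rules for a service is not the same as confirming that the service is restricted. The following is an added example (not code from the page or from the cbr plug-in) that parses the plain-text table printed by ibmcloud cbr rules, using the header's column positions so descriptions that contain spaces stay intact, and reports the rules that are not in enabled mode. The sample output is constructed here to mirror the layout shown above.

```python
import re

# Enforcement values the CLI accepts, as listed under --enforcement-mode.
ENFORCEMENT_MODES = ("enabled", "disabled", "report")


def parse_rules_table(text):
    """Parse the `ibmcloud cbr rules` table into a list of dicts keyed by header.

    Column boundaries are taken from where each header word starts, which matches
    the CLI's column alignment, so a description such as 'Example rule description'
    is not split on its spaces.
    """
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header = lines[0]
    names = header.split()
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, name in enumerate(names):
            end = starts[i + 1] if i + 1 < len(starts) else len(line)
            row[name] = line[starts[i]:end].strip()
        rows.append(row)
    return rows


def not_enforced(rules, service_name=None):
    """Rules whose enforcement is anything other than 'enabled'.

    A rule in 'disabled' or 'report' mode is not blocking requests, so these are
    the entries to review before assuming a service is protected by CBR.
    """
    return [r for r in rules
            if r["enforcement"] != "enabled"
            and (service_name is None or r["service_name"] == service_name)]


def _row(rule_id, service, mode, desc):
    # Same fixed-width layout as the page's example output (3 spaces between columns).
    return f"{rule_id:<35}{service:<23}{mode:<14}{desc}"


# Constructed sample output, modelled on the page's `ibmcloud cbr rules` example.
SAMPLE_OUTPUT = "\n".join([
    _row("id", "service_name", "enforcement", "description"),
    _row("2c54cb0fefb0050c88f72d68c400fbec", "cloud-object-storage", "enabled", "test"),
    _row("a4135a90bb507bf6d96cf4c6f009d151", "kms", "disabled", "Example rule description"),
])


if __name__ == "__main__":
    rules = parse_rules_table(SAMPLE_OUTPUT)
    for rule in not_enforced(rules):
        assert rule["enforcement"] in ENFORCEMENT_MODES
        print(f"{rule['id']}  {rule['service_name']}: {rule['enforcement']} ({rule['description']})")
```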

ibmcloud cbr rule

This operation retrieves the rule that is identified by the specified rule ID.

ibmcloud cbr rule RULE-ID

Example

ibmcloud cbr rule 30fd58c9b75f40e854b89c432318b4a2

Example output

id                    2c54cb0fefb0050c88f72d68c400fbec   
crn                   crn:v1:bluemix:public:cbr:global:a/0123456789::rule:2c54cb0fefb0050c88f72d68c400fbec   
description           test   
operations            1 API Type   
contexts              1 Context   
resources                                  
                      serviceInstance   1234567891234   
                      serviceName       cloud-object-storage
  
href                  https://cbr.cloud.ibm.com/v1/rules/2c54cb0fefb0050c88f72d68c400fbec   
created_at            2024-03-07T15:36:52.000Z   
created_by_id         iam-ServiceId-0123456789
last_modified_at      2024-03-07T15:36:52.000Z   
last_modified_by_id   iam-ServiceId-0123456789
enforcement_mode      enabled   

ibmcloud cbr rule-update

This operation replaces the rule that is identified by the specified rule ID. Partial updates are not supported and the entire rule object is replaced.

ibmcloud cbr rule-update RULE-ID [--description DESCRIPTION] [--resource-attributes RESOURCES] [--context-attributes CONTEXTS] [--api-types API-TYPES] [--enforcement-mode ENFORCEMENT-MODE] [--service-name SERVICE-NAME] [--service-instance SERVICE-INSTANCE] [--region REGION] [--resource-type RESOURCE-TYPE] [--resource RESOURCE] [--resource-group-id RESOURCE-GROUP-ID] [--tags TAGS] [--zone-id ZONE-ID] [--empty-context-list] [--file FILE]

Example

ibmcloud cbr rule-update 30fd58c9b75f40e854b89c432318b4a2 --description 'Example rule description' --service-name kms --context-attributes endpointType=private --zone-id 93de8d3f588ab2c457ff576c364d1145

Example output

id                    2c54cb0fefb0050c88f72d68c400fbec   
crn                   crn:v1:bluemix:public:cbr:global:a/0123456789::rule:2c54cb0fefb0050c88f72d68c400fbec   
description           updated   
operations            1 API Type   
contexts              1 Context   
resources                                  
                      serviceInstance   1234567891234   
                      serviceName       cloud-object-storage
  
href                  https://cbr.cloud.ibm.com/v1/rules/2c54cb0fefb0050c88f72d68c400fbec   
created_at            2024-03-07T15:36:52.000Z   
created_by_id         iam-ServiceId-0123456789
last_modified_at      2024-03-07T15:41:18.000Z   
last_modified_by_id   iam-ServiceId-0123456789
enforcement_mode      enabled

Command options

--description (string)
The description of the rule.
--resource-attributes (string)
The resource-attributes this rule applies to in the form of name=value,name=value,....
--context-attributes (string)
The context-attributes this rule applies to in the form of name=value,name=value,....
--api-types (string)
The APIs a rule applies to. For supported service API types, use the api-types command on the resource.
--enforcement-mode (string)
How the rule is enforced. The CLI accepts the values enabled (default), disabled, and report. For more information about enforcement, see Rule enforcement.
--service-name (string)
Shorthand for creating IBM Cloud resource attribute serviceName.
--service-group-id (string)
The service_group_id resource attribute.
--service-instance (string)
GUID of the service instance. This option is exclusive with the --file option.
--region (string)
Shorthand for creating IBM Cloud resource attribute region. For supported regions, run ibmcloud regions.
--resource-type (string)
Shorthand for creating IBM Cloud resource attribute resourceType.
--resource (string)
Shorthand for creating IBM Cloud resource attribute resource.
--resource-group-id (string)
Shorthand for creating IBM Cloud resource attribute resourceGroupId.
--tags (string)
The access tags of the resource in the form of name:value,name:value,....
--zone-id (string)
Shorthand for adding context attribute networkZoneId to the first context.
--empty-context-list (bool)
Explicitly specifies that the rule will have no contexts. This cannot be used in tandem with the context-attributes or zone-id flags.
--file (string)
The supplied file is used to update the rule. This flag is unique and cannot be used with other flags. The file needs to follow the JSON schema for the rule update API. For more information, see the Context-based restrictions API.

ibmcloud cbr rule-patch

This operation performs a partial update of the rule that is identified by the specified rule ID.

ibmcloud cbr rule-patch RULE-ID [--description DESCRIPTION] [--enforcement-mode ENFORCEMENT-MODE]

Example

ibmcloud cbr rule-patch 30fd58c9b75f40e854b89c432318b4a2 --description 'Example rule description' --enforcement-mode disabled

Example output

id                    2c54cb0fefb0050c88f72d68c400fbec   
crn                   crn:v1:bluemix:public:cbr:global:a/0123456789::rule:2c54cb0fefb0050c88f72d68c400fbec   
description           updated   
operations            1 API Type   
contexts              1 Context   
resources                                  
                      serviceInstance   1234567891234   
                      serviceName       cloud-object-storage
  
href                  https://cbr.cloud.ibm.com/v1/rules/2c54cb0fefb0050c88f72d68c400fbec   
created_at            2024-03-07T15:36:52.000Z   
created_by_id         iam-ServiceId-0123456789
last_modified_at      2024-03-07T15:41:18.000Z   
last_modified_by_id   iam-ServiceId-0123456789
enforcement_mode      enabled

Command options

--description (string)
The description of the rule.
--enforcement-mode (string)
How the rule is enforced. The CLI accepts the values enabled (default), disabled, and report. For more information about enforcement, see Rule enforcement.

ibmcloud cbr rule-delete

This operation deletes the rule that is identified by the specified rule ID.

ibmcloud cbr rule-delete RULE-ID

Example

ibmcloud cbr rule-delete 30fd58c9b75f40e854b89c432318b4a2