Managing Cloud Shell settings for account users
IBM® Cloud Shell settings are managed in the IBM Cloud® console. As an account owner or Cloud Shell administrator, you can control whether users in an account can access Cloud Shell, and you can select the location availability for an account.
IBM Cloud Shell is a cloud-based shell workspace that you can access through your browser. Cloud Shell is preconfigured with the full IBM Cloud CLI, plug-ins, and tools that you can use to manage apps, resources, and infrastructure. For more information, see Getting started with IBM Cloud Shell.
Before you begin
Only account owners, users assigned the Administrator role for the Cloud Shell account management service, or users assigned the Administrator role on all account management services can change the Cloud Shell settings. To assign this access to a user in your account, complete the following steps:
- In the IBM Cloud console, go to Manage > Access (IAM), and select Users.
- On the Users page, select the user that you want to assign the role to.
- On the individual user's page, click the Access tab, and then click Assign access.
- Select the service IBM Cloud Shell.
- For the role, select Administrator, and then click Review. For more information, see IAM roles.
- Click Add to add your policy configuration to your policy summary.
- Click Assign.
For more information, see the IAM roles and actions for the IBM Cloud Shell account management service.
Enabling or disabling Cloud Shell for an account
By default, Cloud Shell is enabled for an account. As an account owner or user with the correct access, you can enable or disable Cloud Shell for users in the account.
When the Cloud Shell availability setting is enabled, Cloud Shell is available to all users in the account. If the setting is disabled, no users in the account can access Cloud Shell. The IBM Cloud Shell icon is disabled in the IBM Cloud console.
To enable or disable Cloud Shell for the account, complete the following steps:
- In the IBM Cloud console, go to Manage > Account, and select IBM Cloud Shell settings.
- Select the Enabled or Disabled toggle, and then click Save changes.
Enabling or disabling Cloud Shell locations for an account
By default, all locations for the account are enabled, and the nearest available location is selected. Users are routed to the nearest available location, such as Dallas (us-south) or Frankfurt (eu-de).
As an account owner or user with the correct access, you can select whether Cloud Shell is enabled only in specific locations for the account. To select Cloud Shell locations for the account, complete the following steps:
- In the IBM Cloud console, go to Manage > Account, and select IBM Cloud Shell settings.
- Ensure that Cloud Shell Availability is enabled.
- Select the toggle for each location that you want to enable or disable for the account.
- Optional: Select Enable new locations by default to automatically enable new locations when they are available. If this option is not selected, you must select the toggle for each new location that you want to enable as it becomes available.
- Click Save changes.
Enabling or disabling Cloud Shell features for an account
Account owners or users with Cloud Shell administrator access can enable or disable Cloud Shell features for an account. By default, all features for the account are enabled. The feature settings apply only to the enabled Cloud Shell locations.
To enable or disable Cloud Shell features for the account, complete the following steps:
- In the IBM Cloud console, go to Manage > Account, and select IBM Cloud Shell settings.
- Select the toggle for the feature that you want to enable or disable for the account. For example, File upload and download and Web preview.
- Optional: Select Enable new features by default to automatically allow new features to be enabled for the account when they are available. If this option is not selected, you must select the toggle for each new feature that you want to enable as it becomes available.
- Click Save changes.
Assigning access to Cloud Shell and its features at a user level
An account administrator can grant specific users access to Cloud Shell and its features, such as File upload and download and Web preview, even if Cloud Shell settings are disabled at the account level.
The IAM policy can be applied to specific locations with different roles. The roles are used to control the access of specific Cloud Shell features.
The IAM policy takes priority and is active only if the Cloud Shell account setting is disabled. If the Cloud Shell account setting is enabled and the IAM policy is set, the IAM policy has no effect. In that scenario, all users in account can access Cloud Shell.
To assign Cloud Shell access to a particular user, complete the following steps:
- In the IBM Cloud console, go to Manage > Access (IAM), and select Users.
- On the Users page, select the user that you want to assign the role to.
- On the individual user's page, click the Access polcies tab, and then click Assign access.
- For the service, select IBM Cloud Shell. Then, click Next.
- Scope the access to Specific resources. Select a location to enable the features in. Then, click Next.
- Select one or more roles to assign to the user. For example, if you want to enable the File Upload and File Download features for the user, select the File Manager role. For more information, see IAM roles.
- Click Review.
- Click Add to add your policy configuration to your policy summary.
- Click Assign.
When the user logs in to their IBM Cloud account, the user now has access to Cloud Shell and the file management features within Cloud Shell.