IBM Cloud Docs
Managing trusted profiles

Manage trusted profiles by updating the permissions or redefining trust relationships at any time. You can also remove trusted profiles, so compute resources and federated users are unlinked from the profile and can no longer apply the trusted profile identity.

When you remove trusted profiles, you revoke all active sessions. Users are immediately logged out and the removed profiles are no longer available to connect to the target account. API calls that use access tokens might be successful until the access token expires.

You can use Activity Tracker to monitor which federated users and compute resources apply a trusted profile. For more information, see Monitoring login sessions for trusted profiles.

Before you begin

  • You must be assigned the administrator, operator, or editor role within the account, or on the IAM Identity Service to manage trusted profiles.

Updating trusted profiles by using the console

To update trusted profiles, go to Manage > Access (IAM) in the IBM Cloud console, and select Trusted profiles. Then, select the name of the trusted profile that you want to update.

Updating the description of your profile

Click the name of the trusted profile that you want to update, and select Actions > Edit. Enter the new name and description, and click Apply.

Redefining the trust relationship

After the trusted profile is created, you can build trust with both federated users and compute resources in the same trusted profile.

  1. Click the name of the trusted profile that you want to update.
  2. Click Add to add a condition to the existing trust relationship. To edit an existing condition, click the Actions icon > Edit next to the trust relationship that you want to update.
    • Click Add a condition and repeat as needed to add more conditions.
    • To remove a condition, click the Remove icon next to the existing condition.
  3. Click Save to apply all added or removed conditions to your trusted profile.

Assigning access

You can assign access to a trusted profile by assigning individual access policies, or by adding the trusted profiles to an existing access group.

Assigning access policies

  1. Click the name of the trusted profile that you want to update.
  2. Click Access.
  3. To edit existing access policies, click the Actions icon > Edit next to the access policy that you want to update.
  4. To assign new access policies, click Assign.

You can select your resources based on resource attributes and assign any combination of roles.

Assigning access groups

  1. Click the name of the trusted profile that you want to update.
  2. Click Access.
  3. To edit existing access group membership, click the Actions icon > Edit next to the access group that you want to update.
  4. To add the trusted profile to a new access group, click Assign group.
  5. Select the access groups to which you want to add the trusted profile and click Add. You can add the trusted profile only to access groups that you have access to manage.
  6. Click Assign.

Updating session duration

  1. Click the name of the trusted profile that you want to update.
  2. In the federated users section, click the Actions icon for the identity provider (IdP) that you want to update.
  3. Select Edit.
  4. In hours, enter how long federated users can use this profile before their session expires.
  5. Click Save.

Updating trusted profiles by using the CLI

You can update a trusted profile from your account by using the CLI. For more information, see the IBM Cloud CLI.

  1. Log in, and select the account.

    ibmcloud login
    
  2. Check the list of trusted profiles for the current account and select the one that you want to update. The following command shows the list of trusted profiles for your IBM Cloud account:

    ibmcloud iam trusted-profiles
    
  3. If you'd like to check the details of a trusted profile, use the ibmcloud iam trusted-profile command. Specify the ID or the name of the trusted profile that you would like to check.

    ibmcloud iam trusted-profile <IDorName>
    
  4. Run the following command to get an overview about the different options.

    ibmcloud iam trusted-profile-update
    
  5. Update the trusted profile by running the following command. Specify the ID or the name of the trusted profile that you would like to update and rename.

    ibmcloud iam trusted-profile-update <IDorName> -n <NewName> ...
    

For example, the following command renames the trusted profile Test trusted profile to New test trusted profile. Quote names that contain spaces:

ibmcloud iam trusted-profile-update "Test trusted profile" -n "New test trusted profile"

Assigning access policies

You can assign new access policies to your trusted profile by using the CLI.

  1. Log in, and select the account.

    ibmcloud login
    
  2. Check the list of trusted profiles for the current account and select the one that you want to assign new access policies to. The following command shows the list of trusted profiles for your IBM Cloud account:

    ibmcloud iam trusted-profiles
    
  3. Assign new access policies by running the following command:

    ibmcloud iam trusted-profile-policy-create
    

To check the details of the access policy for a trusted profile, run the following command:

ibmcloud iam trusted-profile-policy

To list the access policies of a trusted profile, use the ibmcloud iam trusted-profile-policies command:

ibmcloud iam trusted-profile-policies

To update an existing access policy, run the ibmcloud iam trusted-profile-policy-update command:

ibmcloud iam trusted-profile-policy-update

To remove an access policy from a trusted profile, use the ibmcloud iam trusted-profile-policy-delete command:

ibmcloud iam trusted-profile-policy-delete

Updating trusted profiles by using the API

For more information, see the IAM Identity Services API.

Updating the name or description

To update the name or description of an existing trusted profile, first retrieve the profile with a GET request and copy the value of its etag response header. Then call the following with your updated name and description attributes, passing that value in the If-Match header so that the update is rejected if the profile changed in the meantime.

curl -X PUT 'https://iam.cloud.ibm.com/v1/profiles/PROFILE_ID' -H 'Authorization: Bearer TOKEN' -H 'If-Match: <value of etag header from GET request>' -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{
  "name": "My Profile updated",
  "description": "My updated desc"
}'
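The If-Match header is what stops two administrators from silently overwriting each other's change to a profile. The following Python is an added example, not IBM SDK code: it reads the profile's ETag with GET, sends the PUT with If-Match, and re-reads and retries when the service answers 412 Precondition Failed. The HttpRequest type, the send transport callable, and the profile ID Profile-abc used in testing are assumptions constructed for this example.

```python
from typing import Callable, Dict, NamedTuple, Optional, Tuple

IAM_PROFILES = "https://iam.cloud.ibm.com/v1/profiles"


class HttpRequest(NamedTuple):
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[dict] = None  # JSON payload; the transport serialises it


# Transport assumed by this example: performs one request and returns
# (HTTP status, response headers, decoded JSON body).
Transport = Callable[[HttpRequest], Tuple[int, Dict[str, str], dict]]


def get_profile_request(profile_id: str, token: str) -> HttpRequest:
    return HttpRequest("GET", f"{IAM_PROFILES}/{profile_id}",
                       {"Authorization": f"Bearer {token}", "Accept": "application/json"})


def put_profile_request(profile_id: str, token: str, etag: str,
                        name: str, description: str) -> HttpRequest:
    # If-Match carries the ETag of the version we read; IAM answers
    # 412 Precondition Failed if the profile changed since that read.
    return HttpRequest("PUT", f"{IAM_PROFILES}/{profile_id}",
                       {"Authorization": f"Bearer {token}", "If-Match": etag,
                        "Content-Type": "application/json", "Accept": "application/json"},
                       {"name": name, "description": description})


def update_profile(profile_id: str, token: str, name: str, description: str,
                   send: Transport, max_attempts: int = 3) -> dict:
    """Read the current ETag, write with If-Match, and retry only on 412."""
    for _ in range(max_attempts):
        status, headers, _ = send(get_profile_request(profile_id, token))
        if status != 200:
            raise RuntimeError(f"GET profile failed: HTTP {status}")
        etag = next((v for k, v in headers.items() if k.lower() == "etag"), None)
        if not etag:
            raise RuntimeError("GET returned no ETag; refusing an unconditional PUT")
        status, _, body = send(put_profile_request(profile_id, token, etag, name, description))
        if status == 412:
            continue  # another admin changed the profile in between: re-read and retry
        if status != 200:
            raise RuntimeError(f"PUT profile failed: HTTP {status}")
        return body
    raise RuntimeError(f"profile {profile_id} kept changing; gave up after {max_attempts} attempts")
```

A real transport would serialise the body with json and call the IAM endpoint; the retry loop deliberately never falls back to a PUT without If-Match.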

Updating the conditions of the trust relationship

After the trusted profile is created, you can build trust with both federated users and compute resources in the same trusted profile. To change the conditions of an existing claim rule, call the following with the updated rule body, passing the etag value from a GET request for the rule in the If-Match header:

curl -X PUT 'https://iam.cloud.ibm.com/v1/profiles/PROFILE_ID/rules/CLAIM_RULE_ID' \
  -H 'Authorization: Bearer TOKEN' \
  -H 'If-Match: <value of etag header from GET request>' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{
    "type": "Profile-SAML",
    "realm_name": "https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20",
    "expiration": 10000,
    "conditions": [
      {
        "claim": "groups",
        "operator": "CONTAINS",
        "value": "\"cloud-docs-ops\""
      }
    ]
  }'
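Note that the condition value is a JSON-encoded string ("\"cloud-docs-ops\""), not a bare string. As an added example (not IBM's code), the following Python evaluates a claim rule like the one above against the claims an identity provider asserts, using the six operators the IAM Identity API accepts for claim-rule conditions, and flags rules whose conditions would admit any user of the realm. That every condition in one rule must hold and that an absent claim never matches are this example's assumptions; the sample claims are constructed.

```python
import json
from typing import Any, Dict, List


# Operators that appear in IAM claim-rule conditions. The semantics coded here
# are this example's reading of them (an assumption), not IBM's evaluator.
def condition_holds(operator: str, actual: Any, expected: Any) -> bool:
    fold = lambda v: v.lower() if isinstance(v, str) else v
    if operator == "EQUALS":
        return actual == expected
    if operator == "NOT_EQUALS":
        return actual != expected
    if operator == "EQUALS_IGNORE_CASE":
        return fold(actual) == fold(expected)
    if operator == "NOT_EQUALS_IGNORE_CASE":
        return fold(actual) != fold(expected)
    if operator == "CONTAINS":      # multi-valued claim such as groups, or a substring
        return isinstance(actual, (list, str)) and expected in actual
    if operator == "IN":
        return isinstance(expected, list) and actual in expected
    raise ValueError(f"unknown operator {operator!r}")


def rule_matches(rule: Dict[str, Any], claims: Dict[str, Any]) -> bool:
    """All conditions of one rule must hold (AND) for the asserted claims."""
    for cond in rule.get("conditions", []):
        if cond["claim"] not in claims:
            return False            # an absent claim never satisfies a condition
        expected = json.loads(cond["value"])   # values are JSON-encoded in the rule body
        if not condition_holds(cond["operator"], claims[cond["claim"]], expected):
            return False
    return True


def audit_rule(rule: Dict[str, Any]) -> List[str]:
    """Flag rules that, under the evaluator above, admit any identity of the realm."""
    conds = rule.get("conditions", [])
    findings = []
    if not conds:
        findings.append("no conditions: every identity from the realm matches")
    elif all(c["operator"].startswith("NOT_") for c in conds):
        findings.append("only negative conditions: any identity lacking the named value matches")
    return findings


# Constructed sample input: the claim rule from the page and two sets of SAML claims.
RULE = {"type": "Profile-SAML",
        "realm_name": "https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20",
        "expiration": 10000,
        "conditions": [{"claim": "groups", "operator": "CONTAINS", "value": "\"cloud-docs-ops\""}]}
OPS_USER = {"email": "a@example.com", "groups": ["cloud-docs-ops", "cloud-docs-readers"]}
OTHER_USER = {"email": "b@example.com", "groups": ["cloud-docs-readers"]}
```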

Assigning access policies

To assign a new access policy, create the policy with the trusted profile's ID as the iam_id subject attribute. The following example grants the Viewer role on all instances of a service in the account:

curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H 'Authorization: Bearer TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "access",
    "description": "Viewer role for all instances of SERVICE_NAME in the account.",
    "subjects": [
      {
        "attributes": [
          {
            "name": "iam_id",
            "value": "PROFILE_ID"
          }
        ]
      }
    ],
    "roles": [
      {
        "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
      }
    ],
    "resources": [
      {
        "attributes": [
          {
            "name": "accountId",
            "value": "ACCOUNT_ID"
          },
          {
            "name": "serviceName",
            "value": "SERVICE_NAME"
          }
        ]
      }
    ]
  }'

For more information, see the IAM Policy Management API.

Updating session duration

To update the session duration for federated users, update the claim rule for the identity provider and set its expiration attribute, passing the etag value from a GET request for the rule in the If-Match header:

curl -X PUT 'https://iam.cloud.ibm.com/v1/profiles/PROFILE_ID/rules/CLAIM_RULE_ID' \
  -H 'Authorization: Bearer TOKEN' \
  -H 'If-Match: <value of etag header from GET request>' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{
    "type": "Profile-SAML",
    "realm_name": "https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20",
    "expiration": 10000,
    "conditions": [
      {
        "claim": "groups",
        "operator": "CONTAINS",
        "value": "\"cloud-docs-ops\""
      }
    ]
  }'

Removing trusted profiles by using the console

When you remove trusted profiles, compute resources and federated users are unlinked from the profile and can no longer apply the trusted profile identity. To remove a trusted profile, complete the following steps:

  1. To see the full list of trusted profiles in your account, go to Manage > Access (IAM) in the IBM Cloud console, and select Trusted profiles.
  2. Click the Actions icon next to the trusted profile that you want to remove, and select Remove.

Removing trusted profiles by using the CLI

You can remove a trusted profile from your account by using the CLI. For more information, see the IBM Cloud CLI.

  1. Log in, and select the account.

    ibmcloud login
    
  2. Check the list of trusted profiles for the current account and select the one that you want to remove. The following command shows the list of trusted profiles for your IBM Cloud account:

    ibmcloud iam trusted-profiles
    
  3. Remove the trusted profile from your account by running the following command. Specify the ID or the name of the trusted profile that you would like to remove.

    ibmcloud iam trusted-profile-delete <IDorName>
    

For example, the following command removes the trusted profile that is named Test trusted profile. Quote names that contain spaces:

ibmcloud iam trusted-profile-delete "Test trusted profile"

Removing trusted profiles by using the API

To remove a trusted profile from your account, call the following:

curl -X DELETE 'https://iam.cloud.ibm.com/v1/profiles/PROFILE_ID' -H 'Authorization: Bearer TOKEN'

For more information, see the IAM Identity Services API.