Assigning access to an individual collection
This tutorial shows you how to restrict a user to a single App Configuration collection by creating and modifying IAM access policies: a Reader policy on the whole instance, plus a Manager policy scoped to one collection.
Before you begin
If you already manage App Configuration instances, you do not need to create a new one. However, because this tutorial modifies the instance's access policies, make sure the instance and the user account you use are not in production use.
For this tutorial, you need:
- An IBM Cloud® Platform account
- An instance of IBM Cloud App Configuration
- A Collection to which a user should be constrained
- Permission to manage access to the service. You should be the owner of the App Configuration instance; in other words, your user ID needs the Administrator platform role on the IAM service. You may have to contact or work with an account administrator.
Grant Reader access to App Configuration instance
To give a user access to a specific collection, the user must first hold at least the Reader service role on the App Configuration instance itself. The collection-scoped Manager policy in the next section is layered on top of this instance-wide policy.
- Navigate to IAM by opening the Manage drop-down menu and selecting Access (IAM). Follow the Users link in the navigation menu and select the user who requires limited access.
- Click the Access tab, then click the Assign access button. Select the Access policy tile and select App Configuration. Click Next.
- Select the radio toggle next to Specific resources. Select Service Instance from the Attribute type drop-down menu. Select the App Configuration instance to which you want to assign access.
- In the Roles and access section, select the Reader service role. The user also needs the Viewer platform role, if they don't already have it, in order to view the UI.
- Click Next. Adding conditions at this step is optional.
- Click Add.
Grant Manager access to specific Collection
Repeat the steps from the previous section, but this time add the Collection ID resource attribute and select the Manager role.
- Click the Assign access button. Select the Access policy tile and select App Configuration.
- Select the radio toggle next to Specific resources. Select Service Instance from the Attribute type drop-down menu. Select the App Configuration instance to which you want to assign access.
- Add another attribute by clicking the Add a condition button. Select Collection ID from the drop-down menu and type the ID of the collection that the user should be able to access in the Value field. In this case, it's a collection called devops.
- In the Roles and access section, select the Manager service role.
- Click Next. Adding further conditions at this step is optional.
- Click Add.
Review access policies
At this stage, the user should have two access policies: one granting Reader and Viewer on the whole App Configuration instance, and one granting Manager scoped to the devops collection only.
Verify that it works
When the shared user accesses this App Configuration instance, only the feature flags and properties that belong to the collection with Manager access are editable, and they are editable in every environment, because neither policy is conditioned on the environment. Feature flags and properties that belong to other collections remain visible (the instance-wide Reader policy still grants read access to them) but are not editable.
When the shared user tries to perform an action such as toggling or updating a feature flag that belongs to a different collection, whether through the API, the CLI or Terraform, the action is denied with a 401 response like the one shown below.
{
"status_code": 401,
"message": "unauthorized: Looks like you do not have access to requested resource or action is not permitted for the corresponding IAM role. If this is a shared resource, please check if access policies are rightly created.",
"trace": "appconfig-txid-a560b9c5a4dfe218eafbde5419e1651f"
}
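To make the two-policy layout and the resulting allow/deny decisions concrete, here is an added example that is not part of the original tutorial or of IBM's code. It builds the two policies from the walkthrough in the document shape used by the IAM Policy Management API and then evaluates sample requests against them with a minimal evaluator, so the "only the devops collection is editable, in any environment" outcome can be checked offline. The resource attribute names (serviceName, serviceInstance, collectionId), the service name "apprapp", the role CRNs and the mapping of actions to service roles are assumptions about the real service; the account ID, instance GUID and IAM ID are constructed placeholders.

```python
"""Added example: IAM access policies for one App Configuration collection,
plus a tiny evaluator that mirrors the behaviour described in the tutorial.
Attribute names, the service name and the role CRNs are assumptions; all
identifiers below are constructed placeholders, not real resources."""

# Constructed placeholders, not real identifiers.
ACCOUNT_ID = "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"
INSTANCE_GUID = "11111111-2222-3333-4444-555555555555"
USER_IAM_ID = "IBMid-0000000000"
SERVICE_NAME = "apprapp"  # assumed IAM service name for App Configuration

# Role CRNs as IAM names them (assumed): one platform role, two service roles.
ROLE = {
    "Viewer": "crn:v1:bluemix:public:iam::::role:Viewer",
    "Reader": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
    "Manager": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
}

# Assumed mapping of request actions to the service roles that permit them.
REQUIRED = {"read": {"Reader", "Manager"}, "update": {"Manager"}}


def make_policy(iam_id, roles, attributes):
    """Build an access policy document in the IAM Policy Management API shape."""
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": ROLE[r]} for r in roles],
        "resources": [
            {"attributes": [{"name": k, "value": v} for k, v in attributes.items()]}
        ],
    }


def tutorial_policies():
    """The two policies from the walkthrough: instance-wide Reader+Viewer,
    and Manager restricted to the 'devops' collection."""
    instance = {
        "accountId": ACCOUNT_ID,
        "serviceName": SERVICE_NAME,
        "serviceInstance": INSTANCE_GUID,
    }
    reader = make_policy(USER_IAM_ID, ["Viewer", "Reader"], instance)
    manager = make_policy(USER_IAM_ID, ["Manager"], {**instance, "collectionId": "devops"})
    return [reader, manager]


def request(collection, environment, action):
    """A request as the service would authorize it. The environment is carried
    along but neither tutorial policy keys on it, so it never affects the result."""
    return {
        "accountId": ACCOUNT_ID,
        "serviceName": SERVICE_NAME,
        "serviceInstance": INSTANCE_GUID,
        "collectionId": collection,
        "environment": environment,
        "action": action,
    }


def policy_matches(policy, req):
    """A policy applies when every resource attribute it names equals the
    request's value; attributes the policy omits (e.g. environment) match anything."""
    attrs = {a["name"]: a["value"] for a in policy["resources"][0]["attributes"]}
    return all(req.get(name) == value for name, value in attrs.items())


def decide(policies, req):
    """Allow when some matching policy grants a role that covers the action."""
    needed = REQUIRED[req["action"]]
    for policy in policies:
        if not policy_matches(policy, req):
            continue
        granted = {r["role_id"].rsplit(":", 1)[1] for r in policy["roles"]}
        if granted & needed:
            return True
    return False


if __name__ == "__main__":
    policies = tutorial_policies()
    for coll, env, action in [("devops", "dev", "update"), ("devops", "production", "update"),
                              ("billing", "dev", "update"), ("billing", "dev", "read")]:
        verdict = "allowed" if decide(policies, request(coll, env, action)) else "denied"
        print(f"{action:6} {coll}/{env}: {verdict}")
```

The point to notice is that `policy_matches` ignores attributes a policy does not name: the instance-wide Reader policy therefore matches every collection, which is why the user can still read flags outside devops, while the Manager policy only matches when `collectionId` is devops, in whatever environment the request names. A request against a different instance GUID matches neither policy and is denied outright.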
Next steps
Congratulations, you've just set up policies that limit access to a single collection.