Assigning access to an individual environment

This tutorial shows you how to assign access roles to users for specific environments by creating and modifying IAM access policies.

Before you begin

If you are already managing instances of App Configuration or IAM, you do not need to create more. However, because this tutorial modifies and configures the instance you work with, make sure that none of the accounts or services involved are being used in a production environment.

For this tutorial, you need:

  • An IBM Cloud® Platform account
  • An instance of IBM Cloud App Configuration
  • An environment to which a user should be constrained
  • To complete the steps to manage access to the service, you should be the owner of the App Configuration instance. In other words, your user ID needs administrator platform permissions for the IAM service. You may have to contact or work with an account administrator.

Grant Reader access to App Configuration instance

To enable access to a specific environment in an instance, the user must have at least Reader level privileges on the App Configuration instance itself.

  1. Navigate to IAM by opening the Manage drop-down menu and selecting Access (IAM). Follow the Users link in the navigation menu, and select the user requiring limited access.
  2. Click the Access tab. Click the Assign access button. Select the Access policy tile and select App Configuration.
  3. Select the radio toggle next to Specific resources. Select Service Instance from the Attribute type drop-down menu. Select the App Configuration instance to which you want to assign access.
    Figure 1: Selecting the App Configuration instance.
  4. In the Roles and access section, select the Reader role. The user also needs the platform Viewer role, if they do not already have it, in order to view the UI.
    Figure 2: Selecting roles for the App Configuration instance.
  5. Click Next and, optionally, add conditions if needed.
  6. Click Add.

Grant Manager access to a specific environment

Repeat the steps above, but this time add the Environment ID resource attribute and select the Manager role.

  1. Click the Assign access button. Select the Access policy tile and select App Configuration.
  2. Select the radio toggle next to Specific resources. Select Service Instance from the Attribute type drop-down menu. Select the App Configuration instance to which you want to assign access.
  3. Add another attribute type by clicking the Add a condition button. Select Environment ID from the drop-down menu. In the Value field, type the ID of the environment that the user should be able to access. In this case, it is an environment called dev.
    Figure 3: Adding the resource attribute.
  4. In the Roles and access section, select the Manager role.
    Figure 4: Selecting roles for the resource attribute.
  5. Click Next and, optionally, add conditions if needed.
  6. Click Add.

Review access policies

At this stage, you should have two access policies, as shown below: one policy with the Reader and Viewer roles on the instance, and another with the Manager role scoped to the dev environment.

Figure 5: Review of the access policies created.
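The following is an added example, not part of the original tutorial, that models the two policies above in the shape used by the IAM Policy Management API and checks which environments a request would be permitted in. The service name apprapp, the attribute name environmentId, and the account, instance, and user IDs are assumptions (constructed placeholders); the decision function is a simplified local model, not the IAM service itself.

```python
# Assumed identifiers: constructed placeholders, not real values.
ACCOUNT = "ACCOUNT_ID_PLACEHOLDER"
INSTANCE = "APP_CONFIG_INSTANCE_GUID_PLACEHOLDER"
USER = "IBMid-PLACEHOLDER"
PLATFORM_ROLE = "crn:v1:bluemix:public:iam::::role:"
SERVICE_ROLE = "crn:v1:bluemix:public:iam::::serviceRole:"


def policy(roles, extra_attrs=()):
    """Build an access policy body in the Policy Management API shape.
    'apprapp' is assumed to be the IAM service name of App Configuration."""
    attrs = [{"name": "accountId", "value": ACCOUNT},
             {"name": "serviceName", "value": "apprapp"},
             {"name": "serviceInstance", "value": INSTANCE}]
    attrs += [{"name": k, "value": v} for k, v in extra_attrs]
    return {"type": "access",
            "subjects": [{"attributes": [{"name": "iam_id", "value": USER}]}],
            "roles": [{"role_id": r} for r in roles],
            "resources": [{"attributes": attrs}]}


# Policy 1: Reader + Viewer on the whole instance (no environment attribute).
READER_POLICY = policy([SERVICE_ROLE + "Reader", PLATFORM_ROLE + "Viewer"])
# Policy 2: Manager limited to the environment whose ID is 'dev'
# (the attribute name 'environmentId' is an assumption).
MANAGER_POLICY = policy([SERVICE_ROLE + "Manager"], [("environmentId", "dev")])
POLICIES = [READER_POLICY, MANAGER_POLICY]


def policy_grants(pol, request, role):
    """True if every attribute the policy pins matches the request and the
    policy carries the requested role. Attributes the policy does not pin
    (such as environmentId in the Reader policy) match any value."""
    pinned = {a["name"]: a["value"] for a in pol["resources"][0]["attributes"]}
    return (all(request.get(k) == v for k, v in pinned.items())
            and any(r["role_id"].endswith(":" + role) for r in pol["roles"]))


def allowed(policies, environment, role):
    """Simplified local model of the IAM decision for one request against
    the App Configuration instance in a given environment."""
    request = {"accountId": ACCOUNT, "serviceName": "apprapp",
               "serviceInstance": INSTANCE, "environmentId": environment}
    return any(policy_grants(p, request, role) for p in policies)
```

With these two policies, a Manager action in dev is allowed, the same action in production is denied, and Reader access holds in every environment of the instance.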

Verify that it works

When the shared user accesses this App Configuration instance, feature flags and properties are editable under the environment that was given Manager access and read-only under all other environments.

Figure 6: Feature flags can be edited under the environment dev.
Figure 7: Feature flags are view-only under the environment production.

When the shared user tries to perform an action such as toggling or updating a feature flag in another environment through the API, CLI, or Terraform, the action is denied with a 401 status code, as shown below.

{
  "status_code": 401,
  "message": "unauthorized: Looks like you do not have access to requested resource or action is not permitted for the corresponding IAM role. If this is a shared resource, please check if access policies are rightly created.",
  "trace": "appconfig-txid-a560b9c5a4dfe218eafbde5419e1651f"
}

Next steps

Congratulations, you've just set up policies that limit access to a single environment.