Creating a S2S authorization to work with the IBM® Event Streams for IBM Cloud® service
Use IBM Cloud® Identity and Access Management (IAM) to create an authorization that grants IBM Cloud Activity Tracker Event Routing access to the IBM® Event Streams for IBM Cloud® service.
Before you begin
-
Read about Managing authorizations to grant access between services.
-
You must have access to the target service to manage authorization between services. For more information, see Permissions to manage authorizations.
-
The autorization that you define for the IBM Cloud Activity Tracker Event Routing service requires that you have
Administrator
role for the IBM® Event Streams for IBM Cloud® target. -
Make sure that you define the authorization in the account where the bucket is located.
-
If you create an authorization between a service in another account and a target service in your current account, you need to have access only to the target resource. For the source account, you need only the account ID.
Service access roles
You must grant Writer
role to handle source integration with the IBM® Event Streams for IBM Cloud® service.
Creating an authorization through the console
Complete the following steps:
-
In the IBM Cloud console, click Manage > Access (IAM), and select Authorizations.
-
Click Create.
-
Select a source account.
If IBM Cloud Activity Tracker Event Routing and the IBM® Event Streams for IBM Cloud® instance are in the same account where you are defining the authorization, select This account.
If IBM Cloud Activity Tracker Event Routing and the IBM® Event Streams for IBM Cloud® instance are in different accounts, select Other account. Then, enter the account ID of the source account, that is, the account where IBM Cloud Activity Tracker Event Routing is to be configured to send data to the instance.
-
Select
Activity Tracker Event Routing
as the source service. Then, set the scope of the access to All resources. -
Select Event Streams as the target service. Then, set the scope of the access.
To grant access to all IBM® Event Streams for IBM Cloud® instances and resources in the account, select All resources.
To grant access to a specific instance, select single instance by configuring Resources based on selected attributes > Service Instance.
-
In the Service Access section, select the role to assign access to the source service that accesses the target service.
Select Writer to authorize streaming to IBM® Event Streams for IBM Cloud®.
-
Click Authorize.
If you create an authorization between a service in another account and a target service in your current account, you need to have access only to the target resource. For the source account, you need only the account number.
Creating an authorization by using the CLI
Run the following command to create an authorization for the IBM Cloud Activity Tracker Event Routing service.
ibmcloud iam authorization-policy-create atracker messagehub "Writer" [--target-service-instance-id TARGET_SERVICE_INSTANCE_ID]
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating an authorization cross accounts by using the CLI
Run the following command to create an authorization in the account where the target service is located when the IBM Cloud Activity Tracker Event Routing service and the target service are in different accounts:
ibmcloud iam authorization-policy-create atracker cloud-object-storage "Object Writer" [--target-service-instance-id TARGET_SERVICE_INSTANCE_ID] [--source-service-account SOURCE_SERVICE_ACCOUNT_GUID ]
Where you can set the following parameters to grant access to a single bucket:
TARGET_SERVICE_INSTANCE_NAME
: CRN of the IBM® Event Streams for IBM Cloud® instance.SOURCE_SERVICE_ACCOUNT_GUID
: Set the account GUID where IBM Cloud Activity Tracker Event Routing is configured to send data to the target service. Only use this option if the source service is from another account.
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating an authorization by using Terraform
Before you can create an authorization by using Terraform, make sure that you have completed the following:
- Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
- Create a Terraform configuration file that is named
main.tf
. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.
Use the following steps to create an authorization by using Terraform:
-
Create an authorization policy between services by using the
ibm_iam_authorization_policy
resource argument in yourmain.tf
file.The following example creates an authorization between 2 services:
resource "ibm_iam_authorization_policy" "policy" { source_service_name = "atracker" target_service_name = "messagehub" roles = ["Writer"] description = "Authorization Policy" transaction_id = "terraformAuthorizationPolicy" }
The following example creates an authorization between 2 specific service instances:
resource "ibm_iam_authorization_policy" "policy" { source_service_name = "atracker" source_resource_instance_id = ibm_resource_instance.instance1.guid target_service_name = "messagehub" target_resource_instance_id = ibm_resource_instance.instance2.guid roles = ["Writer"] }
The
ibm_iam_authorization_policy
resource requires the source service, target service, and role. The source service is granted access to the target service, and the role is the level of permission that the access allows. Optionally, you can add a description for the authorization and a transaction ID.-
You can provide a
target_resource_instance_id
to scope a IBM® Event Streams for IBM Cloud® target instance. -
For more examples, see the Terraform documentation for authorization resources.
-
-
After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
terraform init
-
Provision the resources from the
main.tf
file. For more information, see Provisioning Infrastructure with Terraform.-
Run
terraform plan
to generate a Terraform execution plan to preview the proposed actions.terraform plan
-
Run
terraform apply
to create the resources that are defined in the plan.terraform apply
-
Creating an authorization by using the API
To authorize a source service access to a target service, use the IAM Policy Management API. See the following API example for create a policy method with the type=authorization
specified for a event-notifications
target.
The supported attributes for creating an authorization policy depend on what each service supports. For more information about the supported attributes for each service, see the documentation for the services that you're using.
curl --request POST \
--url https://iam.cloud.ibm.com/v1/policies \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '{
"type": "authorization",
"subjects": [
{
"attributes": [
{
"name": "accountId",
"value": "<account-id>"
},
{
"name": "serviceName",
"value": "atracker"
}
]
}
],
"roles": [
{
"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Writer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "CUSTOMER_ACCOUNT_ID"
},
{
"name": "serviceName",
"value": "messagehub"
},
{
"name": "serviceInstance",
"value": "IES_SERVICE_INSTANCE"
}
]
}
]
}'