Granting IAM permissions for ingestion
You can send logs to an IBM Cloud Logs instance by using the Ingestion REST API, or by using the Logging agent.
To send logs by using the Ingestion REST API, you must get an IBM Cloud® Identity and Access Management (IAM) access token to authenticate your requests. Make sure the entity that you use to obtain the access token has the Sender role for the IBM Cloud Logs service.
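The following script is an added example and is not code from the IBM Cloud Logs documentation. It shows the two steps described above: exchanging an IAM API key for a short-lived access token at the IAM token endpoint, then sending one log record to the ingestion endpoint with that token as a bearer credential. The ingestion host (LOGS_INGEST_HOST), the path /logs/v1/singles, and the JSON field names in the payload are assumptions of mine about the ingestion format, not values from this page; confirm them against the Ingestion REST API reference for your instance.

```shell
#!/bin/sh
# Added example, not code from the IBM Cloud Logs documentation. It exchanges an
# IAM API key for a bearer token and posts one log record with that token.
# Assumptions (placeholders, not values from the page): LOGS_INGEST_HOST is your
# instance's ingestion host; the path /logs/v1/singles and the JSON field names
# follow the ingestion format as I understand it; confirm against the API reference.
set -eu

IAM_TOKEN_URL="https://iam.cloud.ibm.com/identity/token"

# Pull access_token out of the single-line JSON document that IAM returns.
extract_access_token() {
  sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Exchange the API key (read from the environment, never from the command line,
# so it does not show up in process listings) for a short-lived IAM token.
get_iam_token() {
  curl -sS -X POST "$IAM_TOKEN_URL" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \
    --data-urlencode "apikey=$LOGS_API_KEY" | extract_access_token
}

# Minimal JSON string escaping for the log text (backslash and double quote).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build a one-record ingestion payload: application, subsystem, numeric severity, text.
log_payload() {
  printf '[{"applicationName":"%s","subsystemName":"%s","severity":%s,"text":"%s"}]' \
    "$1" "$2" "$3" "$(json_escape "$4")"
}

# POST the payload with the bearer token and print the HTTP status code.
# The API key itself is only ever sent to IAM, never to the ingestion endpoint.
send_log() {
  token="$1"; payload="$2"
  curl -sS -o /dev/null -w '%{http_code}' \
    -X POST "https://$LOGS_INGEST_HOST/logs/v1/singles" \
    -H "Authorization: Bearer $token" \
    -H 'Content-Type: application/json' \
    --data "$payload"
}

# Only talk to the network when both settings are present.
if [ -n "${LOGS_API_KEY:-}" ] && [ -n "${LOGS_INGEST_HOST:-}" ]; then
  TOKEN="$(get_iam_token)"
  [ -n "$TOKEN" ] || { echo "no access token returned: check the API key" >&2; exit 1; }
  STATUS="$(send_log "$TOKEN" "$(log_payload my-app my-subsystem 3 'hello from the ingestion API')")"
  # A 403 at this step usually means the identity behind the key lacks the Sender role.
  echo "ingestion endpoint answered HTTP $STATUS"
fi
```

Run it as `LOGS_API_KEY=... LOGS_INGEST_HOST=... sh ingest.sh`. The token is what authenticates each request; it expires, so a long-running sender must refresh it rather than cache it indefinitely, and the API key should live in a secret store or environment variable rather than in the script.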
To send logs to an IBM Cloud Logs instance, you can use either of the following options as the authentication method:
- An IAM API key: The API key is used to open a secure web socket to the IBM Cloud Logs ingestion endpoint to authenticate the Logging agent with the IBM Cloud Logs service.
- A Trusted profile
You must grant Sender permissions to the API key or trusted profile that you use to request authorization to send logs to an IBM Cloud Logs instance by using the Logging agent.
Choose one of the following options to send logs to an IBM Cloud Logs instance by using the Logging agent:
Environment | Service ID API Key | Trusted Profile |
---|---|---|
Kubernetes cluster in IBM Cloud | Supported | Supported |
OpenShift cluster in IBM Cloud | Supported | Supported |
Virtual Server for VPC in IBM Cloud | Supported | Supported |
Kubernetes cluster on-prem or in other clouds | Supported | Not supported |
OpenShift cluster on-prem or in other clouds | Supported | Not supported |
Linux server on-prem or in other clouds | Supported | Not supported |
You can only use Trusted Profiles to authenticate IBM Cloud resources with an IBM Cloud Logs instance when the compute resource and the instance are located in the same account.
To send logs from a Kubernetes cluster that is provisioned in a different IBM Cloud account than the IBM Cloud Logs instance, you can only use a service ID API key as the agent's authorization method.
Using user ID API keys for the Logging agent configuration is not recommended.
Setting up permissions for ingestion
To send logs directly to the IBM Cloud Logs instance, the API key or trusted profile must have the Sender role for the IBM Cloud Logs service.
Use the appropriate command for the type of identity:
Type of identity | Command |
---|---|
Service ID | ibmcloud iam service-policy-create <serviceID> --roles Sender --service-name logs |
Trusted profile | ibmcloud iam tp-policy-create <trustedProfile> --roles Sender --service-name logs |
Generating IAM API keys
Consider the following information when using IAM API Keys:
- You must grant the Sender permission to the service ID.
- You must generate a new service ID API key after the Sender permission to send logs is granted to the service ID.
- When you use an API key as the authorization method of the Logging agent, the Logging agent can be hosted both inside and outside of IBM Cloud®.
For more information on how to generate an API key, see Generating an API Key for ingestion by using a service ID for authentication.
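The following script is an added example and is not code from the IBM Cloud Logs documentation. It strings together the steps above for a service ID: build the policy-create command from the table for the identity type, run it, confirm that a policy with the Sender role on the logs service is now present, and only then create the service ID API key, so the key is minted after the grant. The policy-listing command (ibmcloud iam service-policies with JSON output) and the key-creation command (ibmcloud iam service-api-key-create) come from my knowledge of the ibmcloud CLI, not from this page; the identity and key names are placeholders, and the policy listing embedded for testing is a constructed, abbreviated sample.

```shell
#!/bin/sh
# Added example, not code from the IBM Cloud Logs documentation: grant the Sender
# role on the logs service to an identity, confirm the policy is in place, and
# only then create the service ID API key. Assumes the ibmcloud CLI is installed
# and logged in; identity names and the key name are placeholders.
set -eu

# Return the policy-create command for the identity type as a string so it can
# be reviewed before it runs (commands as given in the documentation table).
sender_policy_cmd() {
  kind="$1"; name="$2"
  case "$kind" in
    service-id)      printf '%s' "ibmcloud iam service-policy-create $name --roles Sender --service-name logs" ;;
    trusted-profile) printf '%s' "ibmcloud iam tp-policy-create $name --roles Sender --service-name logs" ;;
    *) echo "unsupported identity type: $kind (use service-id or trusted-profile)" >&2; return 1 ;;
  esac
}

# Read a JSON policy listing on stdin and succeed only if the Sender service role
# and a scope on the logs service both appear. This is a sanity check on the CLI
# output, not a full policy parser.
has_sender_policy() {
  listing="$(cat)"
  printf '%s' "$listing" | grep -q 'serviceRole:Sender' &&
  printf '%s' "$listing" | grep -q '"logs"'
}

# Constructed sample of a policy listing (abbreviated; not real CLI output).
SAMPLE_POLICY_JSON='[{"id":"POLICY-ID-PLACEHOLDER","roles":[{"role_id":"crn:v1:bluemix:public:iam::::serviceRole:Sender","display_name":"Sender"}],"resources":[{"attributes":[{"name":"serviceName","value":"logs"}]}]}]'

# Apply for real only when APPLY=1; the service ID comes from the environment.
if [ "${APPLY:-0}" = "1" ]; then
  SERVICE_ID="${LOGS_SERVICE_ID:?set LOGS_SERVICE_ID to the service ID name or ID}"
  sh -c "$(sender_policy_cmd service-id "$SERVICE_ID")"
  # Assumed CLI call (not from the page): list the service ID's policies as JSON.
  ibmcloud iam service-policies "$SERVICE_ID" --output JSON | has_sender_policy ||
    { echo "no Sender policy on the logs service found for $SERVICE_ID" >&2; exit 1; }
  # Create the key only after the role is in place; the secret is shown once, so
  # capture it into your secret store at this point.
  ibmcloud iam service-api-key-create logs-agent-key "$SERVICE_ID" \
    -d "Logging agent ingestion key (Sender role on logs)"
fi
```

Run it as `APPLY=1 LOGS_SERVICE_ID=<serviceID> sh grant-sender.sh`; without APPLY=1 it only defines the helpers. For a trusted profile, swap `service-id` for `trusted-profile` in the `sender_policy_cmd` call and skip the key-creation step, since trusted profiles are used without an API key.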
Creating Trusted Profiles
Consider the following information when using Trusted Profiles:
- You can only use Trusted Profiles to authenticate IBM Cloud resources with an IBM Cloud Logs instance.
- The Trusted Profile, the compute resource, and the IBM Cloud Logs instance must be located in the same account.
- You must grant the Sender permission to a trusted profile before using it.
For more information on how to create the Trusted Profile, see Generating a Trusted Profile for ingestion.