IBM Cloud Docs
Generating an API Key for ingestion

Generating an API Key for ingestion

When you are using a user account or a service ID, you must generate an API key to open a secure web socket to the ingestion endpoint to authenticate the Logging agent with the IBM Cloud Logs service.

When you are using a user account or service ID, an API key must be created to authenticate the agent. For authentication with trusted profiles, an API key is not required.

Generating an API Key for user authentication

A federated user or non-federated user can create an API key to use in the CLI or as part of automation to log in as your user identity.

The API key inherits all assigned access for the user identity for which it is created, and the access is not limited to just the account where the API key is created because it inherits any policies that are assigned to the user. Because the API key that is associated with your user identity has all of the access you're entitled to across any account that you are a member of, you must be cautious with how you use your API key. For more information, see Managing user API keys.

You can use the console, CLI, or API to manage your IBM Cloud API keys by listing your keys, creating keys, updating keys, or deleting keys.

For example, complete the following steps to generate an API key by using the CLI:

  1. Log in to your IBM Cloud account.

    After you log in with your user ID and password, the IBM Cloud dashboard opens.

  2. Create an API key for the logged-in account.

    Make sure to log in as the identity with the Sender role.

    export INGESTION_API_KEY=`ibmcloud iam api-key-create logs-ingestion --output json | jq -r '.apikey'`

Generating an API Key for service ID authentication

You can create a service ID to enable access to the IBM Cloud Logs service by the Logging agent. The agent can be hosted both inside and outside of IBM Cloud®.

API keys are used by the agent to authenticate as a particular service ID and are granted the access that is associated with that specific service ID. For more information, see Managing service ID API keys.

Make sure to grant the service ID the Sender role.

For example, complete the following steps to generate an API key for a service ID by using the CLI:

  1. Log in to your IBM Cloud account.

    After you log in with your user ID and password, the IBM Cloud dashboard opens.

  2. Create a service ID that is used for the IAM policies and API key credentials.

    Be sure to give the service ID a description that helps you retrieve the service ID later.

    ibmcloud iam service-id-create logs-svc-id --description "Service ID for IBM Cloud Logs"

  3. Add an IAM policy for your service ID that grants access to send logs.

    ibmcloud iam service-policy-create <SERVICE_ID> --service-name logs --roles Sender

  4. Create an API key for the service ID.

    Be sure to give the API key a description that helps you retrieve the key later. Save your API key in a secure location. You can't retrieve the API key again. If you want to export the output to a file on your local machine, include the --file <path>/<file_name> option.

    ibmcloud iam service-api-key-create logs-ingestion-key <SERVICE_ID> --description "API key for service ID <SERVICE_ID> with permissions to send logs to the IBM Cloud Logs service"