Generating a Trusted Profile for ingestion

You can use a Trusted Profile (TP) to send logs from a compute resource in IBM Cloud to an IBM Cloud Logs instance by using the Logging agent.

Creating a Trusted Profile for ingestion

Complete the following steps to create a Trusted Profile:

In the IBM Cloud console, click Manage > Access (IAM) > Trusted profiles. Then, click Create profile.
Describe your profile by providing a name and a description. Then, click Continue.
Establish trust. Select the trusted profile entity type Compute resources.
Create a trust relationship.

Select a Compute service type.

In the Select compute resource section, click Specific resources> Add a resource. Then, choose your resource.
- For a Kubernetes compute service type, you must choose the Kubernetes cluster where you plan to deploy the agent; enter ibm-observe as the namespace; and enter logs-agent as the service account.
- For a Red Hat OpenShift on IBM Cloud compute service type, you must choose the OpenShift cluster where you plan to deploy the agent; enter ibm-observe as the namespace; and enter logs-agent as the service account.
- For a Virtual Server for VPC compute service type, you must choose an instance.
Then, click Continue.
Assign access. Select Access policy.

The role that is required for sending logs to IBM Cloud Logs is Sender. For more information, see Setting up IAM permissions for ingestion.

Make sure the user who grants the policy has the Sender role permissions.
- Select the service Cloud Logs. Then, click Next.
- In Resources, select Specific resources. Choose the IBM Cloud Logs instance where you plan to send the logs. Then, click Next.
- In the Roles and actions, select the service access Sender. Then, click Next.
- Click Add > Create.

For more information about the fields that are used to create conditions for trusted profiles, see IAM condition properties.