Creating an S2S authorization to grant IBM Cloud Logs access to a bucket located in the same account
Use IBM Cloud® Identity and Access Management (IAM) to create an authorization that grants IBM Cloud Logs access to an IBM Cloud Object Storage bucket when the IBM Cloud Logs instance and the IBM Cloud Object Storage bucket are located in the same account.
Before you begin
- You must have the following permissions in the account to configure service to service authorizations in IAM:
  - Administrator and Writer roles for the IBM Cloud Object Storage service.
  - IAM permissions to create a service to service authorization.
- Read about Managing authorizations to grant access between services.
- Review the Permissions to manage authorizations.
- Configuring the authorization between the IBM Cloud Logs service and the IBM Cloud Object Storage service requires that you have the Administrator role for the IBM Cloud Object Storage service.
- When you define the service to service authorization, you must grant the Writer role to IBM Cloud Logs so that it can send data to the bucket.
Creating an authorization through the console
Complete the following steps:
- In the IBM Cloud console, click Manage > Access (IAM), and select Authorizations.
- Click Create.
- Select This account as the source account.
- Select Cloud Logs as the source service. Then, set the scope of the access:
  - Select All resources to grant access for all instances in the account.
  - Select Source service instance to grant access to a single IBM Cloud Logs instance.
- Select Cloud Object Storage as the target service. Then, set the scope of the access:
  - To grant access to all instances and resources in the account, select All resources.
  - To grant access to a specific instance, select a single instance by configuring Resources based on selected attributes > Service Instance.
  - To grant access to a single bucket, select a single instance by configuring Resources based on selected attributes > Service Instance. Then, set Resource ID to the name of the bucket, and Resource type to bucket.
- In the Service Access section, select Writer to assign access to the source service that accesses the target service.
- Click Authorize.
If you create an authorization between a service in another account and a target service in your current account, you need to have access only to the target resource. For the source account, you need only the account number.
Creating an authorization by using the CLI
Run the following command to create an authorization for the IBM Cloud Logs service:

```
ibmcloud iam authorization-policy-create logs cloud-object-storage "Writer" [--source-service-instance-name SOURCE_SERVICE_INSTANCE_NAME | --source-service-instance-id SOURCE_SERVICE_INSTANCE_ID] [--target-service-instance-name TARGET_SERVICE_INSTANCE_NAME | --target-service-instance-id TARGET_SERVICE_INSTANCE_ID] [--target-resource-type RESOURCE_TYPE] [--target-resource RESOURCE]
```

Where you can set the following parameters to grant access to a single bucket:
- TARGET_SERVICE_INSTANCE_NAME: CRN of the IBM Cloud Object Storage instance.
- RESOURCE_TYPE: Must be set to bucket.
- RESOURCE: CRN of the bucket.

For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating an authorization by using Terraform
Before you can create an authorization by using Terraform, make sure that you have completed the following:
- Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
- Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

Use the following steps to create an authorization by using Terraform:
- Create an authorization policy between services by using the ibm_iam_authorization_policy resource argument in your main.tf file. The following example creates an authorization between 2 services:

```hcl
resource "ibm_iam_authorization_policy" "policy" {
  source_service_name = "logs"
  target_service_name = "cloud-object-storage"
  roles               = ["Writer"]
  description         = "Authorization Policy"
  transaction_id      = "terraformAuthorizationPolicy"
}
```

  The following example creates an authorization between 2 specific service instances:

```hcl
resource "ibm_iam_authorization_policy" "policy" {
  source_service_name         = "logs"
  source_resource_instance_id = ibm_resource_instance.instance1.guid
  target_service_name         = "cloud-object-storage"
  target_resource_instance_id = ibm_resource_instance.instance2.guid
  roles                       = ["Writer"]
}
```

  The ibm_iam_authorization_policy resource requires the source service, target service, and role. The source service is granted access to the target service, and the role is the level of permission that the access allows. Optionally, you can add a description for the authorization and a transaction ID.
  - You can provide a target_resource_instance_id to scope an IBM Cloud Object Storage target instance.
  - For more examples, see the Terraform documentation for authorization resources.
- After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.

```
terraform init
```

- Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
  - Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

```
terraform plan
```

  - Run terraform apply to create the resources that are defined in the plan.

```
terraform apply
```
Creating an authorization by using the API
To authorize a source service to access a target service, use the IAM Policy Management API. See the following API example for the create a policy method with type=authorization specified and a cloud-object-storage bucket as the target.
The supported attributes for creating an authorization policy depend on what each service supports.

```sh
# Set COS_INSTANCE_CRN and BUCKET_CRN in the shell before running this command.
# The request body is single-quoted, so the two variables are spliced in with
# '"$VAR"' (close quote, double-quoted expansion, reopen quote); otherwise the
# literal text $COS_INSTANCE_CRN would be sent to IAM.
curl --request POST \
  --url https://iam.cloud.ibm.com/v1/policies \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "type": "authorization",
    "subjects": [
      {
        "attributes": [
          {
            "name": "accountId",
            "value": "<account-id>"
          },
          {
            "name": "serviceName",
            "value": "logs"
          }
        ]
      }
    ],
    "roles": [
      {
        "role_id": "crn:v1:bluemix:public:cloud-object-storage::::serviceRole:Writer"
      }
    ],
    "resources": [
      {
        "attributes": [
          {
            "name": "serviceName",
            "value": "cloud-object-storage"
          },
          {
            "name": "serviceInstance",
            "value": "'"$COS_INSTANCE_CRN"'",
            "operator": "stringEquals"
          },
          {
            "name": "resourceType",
            "value": "bucket",
            "operator": "stringEquals"
          },
          {
            "name": "resource",
            "value": "'"$BUCKET_CRN"'",
            "operator": "stringEquals"
          }
        ]
      }
    ]
  }'
```
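The following Python is an added example, not IBM's own code or SDK. It builds the same `type: authorization` request body that the curl call above sends to `POST /v1/policies`, with the three scopes the console section describes (all Cloud Object Storage resources, one instance, one bucket), and then audits a list of existing policies for grants from Cloud Logs to Cloud Object Storage that are broader than a single bucket or carry roles beyond Writer. The use of a `serviceInstance` subject attribute to pin the source Cloud Logs instance is an assumption about the API, and every CRN, account ID and policy ID in the sample data is a constructed placeholder.

```python
"""Build and audit IAM service-to-service authorization policies (added example)."""
import json

# Role CRN as shown in the curl request above.
COS_WRITER_ROLE = "crn:v1:bluemix:public:cloud-object-storage::::serviceRole:Writer"

# Constructed placeholders, not real resources.
ACCOUNT_ID = "0123456789abcdef0123456789abcdef"
COS_CRN = "crn:v1:bluemix:public:cloud-object-storage:global:a/0123456789abcdef0123456789abcdef:cos-guid-placeholder::"
BUCKET_CRN = COS_CRN + "bucket:logs-archive-placeholder"
# Constructed sample of a broader role, used only to exercise the audit.
EXTRA_ROLE = "crn:v1:bluemix:public:cloud-object-storage::::serviceRole:Manager"


def build_logs_to_cos_policy(account_id, cos_instance_crn=None, bucket_crn=None,
                             source_instance_id=None):
    """Return the request body for an authorization policy from Cloud Logs to COS.

    Scope, narrowest first (same options as the console steps):
      bucket_crn set        -> one bucket (the owning instance CRN is required)
      cos_instance_crn only -> one COS instance
      neither               -> all COS resources in the account
    """
    if bucket_crn and not cos_instance_crn:
        raise ValueError("bucket scope requires the owning COS instance CRN")

    subject_attrs = [
        {"name": "accountId", "value": account_id},
        {"name": "serviceName", "value": "logs"},
    ]
    if source_instance_id:  # assumed attribute: restrict to one Cloud Logs instance
        subject_attrs.append({"name": "serviceInstance", "value": source_instance_id})

    resource_attrs = [{"name": "serviceName", "value": "cloud-object-storage"}]
    if cos_instance_crn:
        resource_attrs.append({"name": "serviceInstance", "value": cos_instance_crn,
                               "operator": "stringEquals"})
    if bucket_crn:
        resource_attrs.append({"name": "resourceType", "value": "bucket",
                               "operator": "stringEquals"})
        resource_attrs.append({"name": "resource", "value": bucket_crn,
                               "operator": "stringEquals"})

    return {
        "type": "authorization",
        "subjects": [{"attributes": subject_attrs}],
        "roles": [{"role_id": COS_WRITER_ROLE}],
        "resources": [{"attributes": resource_attrs}],
    }


def _attr(attributes, name):
    """Return the value of the named attribute, or None if absent."""
    for attribute in attributes:
        if attribute.get("name") == name:
            return attribute.get("value")
    return None


def audit_logs_to_cos(policies):
    """Flag logs -> cloud-object-storage authorizations that exceed least privilege.

    Returns (policy_id, finding) tuples. A policy is flagged when it is not
    scoped to a single bucket, or when it grants any role other than Writer.
    Policies that are not of that source/target pair are ignored.
    """
    findings = []
    for policy in policies:
        if policy.get("type") != "authorization":
            continue
        subject = policy["subjects"][0]["attributes"]
        resource = policy["resources"][0]["attributes"]
        if _attr(subject, "serviceName") != "logs" or \
                _attr(resource, "serviceName") != "cloud-object-storage":
            continue
        pid = policy.get("id", "<unknown>")
        if _attr(resource, "resourceType") != "bucket" or _attr(resource, "resource") is None:
            scope = "one instance" if _attr(resource, "serviceInstance") else "all COS resources"
            findings.append((pid, f"scope is {scope}, not a single bucket"))
        extra = [r["role_id"].rsplit(":", 1)[-1]
                 for r in policy.get("roles", []) if r["role_id"] != COS_WRITER_ROLE]
        if extra:
            findings.append((pid, "roles beyond Writer: " + ", ".join(extra)))
    return findings


def _sample(pid, **scope):
    """Constructed sample policy with an id, as a list-policies response might return."""
    policy = build_logs_to_cos_policy(ACCOUNT_ID, **scope)
    policy["id"] = pid
    return policy


# Constructed audit input: one least-privilege grant and three broader ones.
SAMPLE_POLICIES = [
    _sample("p-bucket", cos_instance_crn=COS_CRN, bucket_crn=BUCKET_CRN),
    _sample("p-instance", cos_instance_crn=COS_CRN),
    _sample("p-broad"),
    _sample("p-roles", cos_instance_crn=COS_CRN, bucket_crn=BUCKET_CRN),
]
SAMPLE_POLICIES[3]["roles"].append({"role_id": EXTRA_ROLE})

if __name__ == "__main__":
    print(json.dumps(build_logs_to_cos_policy(ACCOUNT_ID, COS_CRN, BUCKET_CRN), indent=2))
    for pid, finding in audit_logs_to_cos(SAMPLE_POLICIES):
        print(f"{pid}: {finding}")
```

Feeding the output of the IAM list-policies call (filtered to `type=authorization`) into `audit_logs_to_cos` gives a quick check that the grant created on this page stayed bucket-scoped and Writer-only rather than drifting to account-wide access.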