Required IAM permissions to run the IBM® Cloud Logs migration tool
The IBM® Cloud Logs migration tool requires that you have certain IBM Cloud® Identity and Access Management permissions to successfully migrate your IBM Log Analysis or IBM Cloud Activity Tracker instance configuration to IBM Cloud Logs.
Service | Roles |
---|---|
IBM Cloud Activity Tracker | viewer, reader |
IBM Cloud Activity Tracker Event Routing | administrator, writer |
IBM Log Analysis | viewer, reader |
IBM Cloud Logs | manager, administrator, sender |
IBM Cloud Object Storage | writer [*], editor, service configuration reader, manager [**] |
IBM Key Protect | viewer, reader |
IBM Cloud Logs Routing | manager |
Event Notifications | manager, Event Source Manager and Reader |
[*] IBM Cloud Object Storage buckets with IBM Key Protect configured keys must have the writer role (cloud-object-storage.bucket.list_crk_id) to read the key name.
[**] IBM Cloud Object Storage buckets with Activity Tracker or Monitoring enabled must have the manager role (storage.bucket.put_activity_tracking, cloud-object-storage.bucket.put_metrics_monitoring) to create the new buckets with the correct configuration.
You must have permissions in the resource groups where you plan to create resources with the migration tool.
When you configure your Logging agent to send logs to IBM Cloud Logs, you need credentials that include the sender role. For more information, see Setting up IAM permissions for ingestion.
If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that the permission is granted; however, only the highest level of permission that you have for the target service, that is viewer, is assigned.