Verifying your API key has correct permissions to send logs to IBM Cloud Logs

When sending logs to IBM® Cloud Logs, your API key must have the correct permissions. You can check whether your API key has the correct permissions by following a few steps.

If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that permission is granted, however, only the highest level permission you have for the target service, that is viewer, will be assigned.

1. Create a Service ID with sender permission to IBM Cloud Logs.

2. Create an API key for this service ID.

3. Log in to IBM Cloud using the API key.

   ibmcloud login --apikey <API_KEY_VALUE>
   

4. Generate a bearer token.

   export IAM_TOKEN=`ibmcloud iam oauth-tokens --output json | jq -r '.iam_token'`
   

5. Send a test log using the API. Make sure you use the ingress endpoint for your IBM Cloud Logs instance.

   curl -v --location "https://<InstanceID>.ingress.<Region>.logs.cloud.ibm.com/logs/v1/singles" --header "Content-Type: application/json" --header "Authorization: $IAM_TOKEN" --data '[{
      "applicationName": "myapp",
      "subsystemName": "mysubsystem",
      "text": {"key":"value"}
    }]'
   

6. Access your IBM Cloud Logs instance.

7. Verify that you can see the sample log line you sent in the IBM Cloud Logs UI.

If the sample log line is displayed, then the API key has the correct permissions. If the log line is not displayed, then the Service ID and associated API key does not have the correct permissions.