IBM Cloud Docs
Configuring access for service bindings

Service bindings in Code Engine use a service ID to access IBM Cloud services. A service ID contains the credentials to communicate with a service instance on behalf of your Code Engine project. Before you can bind a service instance to a Code Engine workload, you must configure access for bindings that is based on whether you want Code Engine to automatically create and manage the service ID for you or whether you want to use a service ID that you manage.

Interested in configuring your project such that all users of the project can create and delete service bindings? With sufficient permissions, you can use the Project integrations pages in the console to configure service binding operations from a single page. If you don't have sufficient permissions to perform these actions, you can use this page to help you understand the required permissions. See Configuring project-wide settings.

Before you can bind your app, job, or function to a specific IBM Cloud service instance, determine whether you want to create and manage your own service ID, or if you want Code Engine to automatically create and manage the service ID for you. Based on your choice, assign the proper access policies. Code Engine uses one service ID per project to work with service bindings.

Using the default service binding access policies

By default, Code Engine automatically creates a service ID for accessing all services in the resource group of the Code Engine project when your account that is used with your project has sufficient permissions. The service ID is created during the first service binding operation.

To use default service binding access policies when your Code Engine project is in the same resource group as the service instance that you want to bind to, configure access for Code Engine to automatically create and manage the service ID for service bindings.

Configuring access for Code Engine to automatically create and manage the service ID for service bindings

If your service instance is in the same resource group as your Code Engine project, and you want Code Engine to automatically create and manage the service ID for service binding for you, then the IBM Cloud account that is used with your Code Engine project must have Writer service access and Operator platform access, at minimum.

With these permissions set for your account, when you create a service binding, Code Engine checks and automatically sets up a service ID with Operator and Manager access for all services in the resource group of the Code Engine project. Code Engine uses this service ID to access IBM Cloud services with service bindings.

Whenever Code Engine creates the service ID that is used for service bindings for your project, this service ID is reused for subsequent service bindings within the same project, unless you run the project update CLI command either to configure your project to bind services in a different resource group or to use a custom service ID with access permissions for Code Engine service bindings.

For example, suppose you want Code Engine to automatically create and manage the service ID for service bindings for an IBM Cloudant service instance. Also, suppose that the my-user account that is used with your Code Engine project and the IBM Cloudant service instance are both in the same resource group.

The following steps describe one way to set up the required access permissions so that Code Engine can automatically create and manage the service ID for service bindings for my-user. The account owner for the service instance completes the following steps to assign permissions for my-user.

  1. Create an IAM resource group for users who create Code Engine service bindings.

    1. Launch Access (IAM) Overview.
    2. Select Manage > Account > Resource Groups > Create resource group.
    3. Create a resource group; for example, CodeEngine_servicebindings_resourcegroup.
  2. Create the service instances that you want to bind to in the same resource group. For this example, create an IBM Cloudant service instance in the CodeEngine_servicebindings_resourcegroup resource group.

  3. Create an IAM access group for users who create Code Engine service bindings.

    1. Launch Access (IAM) Overview.

    2. Select Manage > Access (IAM) > Access groups.

    3. Create a group; for example, CodeEngine_servicebindings_accessgroup.

    4. From within this new access group, click the Access tab and assign the following two access policies to the access group. For the first access policy,

      • For Service, select All Identity and Access enabled services.
      • For Resources, select the specific resource group that you created in the previous step; for example, CodeEngine_servicebindings_resourcegroup.
      • For Resource group access, select Viewer.
      • For Roles and actions, select Platform access of Administrator.
      • Click Add to add the access policy to this access group.
    5. Assign the second access policy for this access group.

      • For Service, select Code Engine.
      • For Resources, select the specific resource group that you created in the previous step; for example, CodeEngine_servicebindings_resourcegroup.
      • For Resource group access, select Viewer.
      • For Roles and actions, select Service access of Writer and Platform access of Operator.
      • Click Add to add the access policy to this access group.
    6. Click Assign to assign the access policies to this access group.

  4. Add the my-user user to this access group.

Now you are ready to create service bindings in Code Engine where Code Engine automatically creates a service ID with sufficient permissions to create service credentials to your specified service instances. See bind a service instance to an app, job, or function workload.

Configuring a project to bind services in a different resource group

By default, Code Engine automatically creates a service ID for accessing all services in the resource group of the Code Engine project when your account that is used with your project has sufficient permissions. The service ID is created during the first service binding operation.

However, if the IBM Cloud service instance that you want to bind to your Code Engine workload is in a different resource group than the resource group of the Code Engine project for your workload, and you want Code Engine to automatically create and manage the service ID for service binding for you, then you must complete the following actions before you create the service binding.

For example, if your Code Engine project is in the Default resource group, and you want to bind to a service instance that exists in the dev resource group, you must update the Code Engine project so that Code Engine can access service instances in other resource groups.

Update the project to access service instances in other resource groups

When the resources that you want to bind to are in a different resource group, configure your Code Engine project with the CLI so that it can access resources in that resource group. Use the ibmcloud ce project update command and specify the --binding-resource-group option to configure a Code Engine project for service binding access to all service instances in a resource group. This command tells your Code Engine project which resource group it can bind to. You can update your project to bind services in a different resource group only with the CLI.

The project update command works within the project that is selected as the current context. Before you use the project update command, confirm that you are in the desired project. Use the ibmcloud ce project current command to display details of the project that is currently targeted. If needed, use the ibmcloud ce project select command to select your project as the current context.

  • To configure service binding access for all service instances in the Default resource group,

    ibmcloud ce project update --binding-resource-group Default
    
  • To configure service binding access for all service instances in a resource group, by specifying the ID of the resource group,

    ibmcloud ce project update --binding-resource-group-id abcdabcdabcdabcdabcdabcdabcdabcd
    

    To get a list of your resource groups, including the resource group IDs, run ibmcloud resource groups.

  • To configure service binding access for all service instances in all resource groups:

    ibmcloud ce project update --binding-resource-group "*"
    

When you run the project update command, a service ID is created for the project, and is used to configure the current project for service bindings. If you do not have permission to create this service ID, then you receive an error that your project is not ready to work with service bindings. Talk to your account administrator about your access policies, or ask the administrator to configure access for Code Engine to automatically create and manage the service ID for service bindings.

Using a custom service ID for service bindings

If you want more control over access policies or resource groups, you can create a custom service ID for your service instance.

Your organization might choose to use a custom service ID for accessing a specific service instance if the account owner doesn't want to grant Administrator access for a user to the All Identity and Access enabled services within a resource group, which is required for Code Engine to automatically create and manage the service ID for service bindings. The account owner might want to scope the user access to a specific service type or service instance. In these cases, a custom service ID provides this control.

To use a custom service ID for service bindings, first create the custom service ID with the required access permissions, and then configure your Code Engine project to use it.

Creating a custom service ID with access permissions for Code Engine service bindings

When you are using a custom service ID, you must give the custom service ID Operator platform access so that this service ID can create the service credentials for service bindings.

For example, suppose you want to create a service binding to bind a Code Engine workload to an IBM Cloudant service instance. Yet, you do not want to give the user Administrator access for All Identity and Access enabled services within a resource group. Instead, you want to give the user access to a specific instance of IBM Cloudant.

The following steps describe one way to set up a custom service ID with the required access permissions so that Code Engine can create service bindings for my-user. The account owner for the service instance completes the following steps to create a custom service ID.

  1. Create an IAM resource group for users who create Code Engine service bindings.

    1. Launch Access (IAM) Overview.
    2. Select Manage > Account > Resource Groups > Create resource group.
    3. Create a resource group; for example, CodeEngine_servicebindings_resourcegroup.
  2. Create the service instances that you want to bind to in the same resource group. For this example, create an IBM Cloudant service instance in the CodeEngine_servicebindings_resourcegroup resource group.

  3. Create an IAM access group for users who create Code Engine service bindings.

    1. Launch Access (IAM) Overview.
    2. Select Manage > Access (IAM) > Access groups.
    3. Create a group; for example, CodeEngine_servicebindings_accessgroup.
    4. From within this new access group, click the Access tab and assign the following access policy for the Code Engine service.
      • For Service, select Code Engine.
      • For Resources, select the specific resource group that you created in the previous step; for example, CodeEngine_servicebindings_resourcegroup.
      • For Resource group access, select Viewer.
      • For Roles and actions, select Service access of Writer and Platform access of Operator.
      • Click Add to add the access policy to this access group.
    5. Click Assign to assign the access policies to this access group.
  4. Add the my-user user to this access group.

  5. Create a service ID for the service instance that you want to bind to.

    1. Launch Access (IAM) Overview.
    2. Select Manage > Access (IAM) > Service IDs.
    3. Create a service ID; for example, CodeEngine_servicebindings_serviceid.
    4. From within this new service ID, click Assign access. From the Assign access page, select Access policy. Do not select Access groups. Assign the following access policy,
      • For Service, select the service instance that you want to bind to; for example, IBM Cloudant service instance.
      • For Resources, select the specific resource group that you created for users that can create service bindings to this service.
      • For Resource group access, select Viewer.
      • For Roles and actions, select Service access of Manager and Platform access of Operator.
      • Click Add to add the access policy to this service ID.
    5. Click Assign to assign the access policies to this service ID.
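The custom service ID above should end up with exactly Operator platform access and Manager service access, scoped to the one service instance rather than to all IAM-enabled services. The following checker is an added example (not IBM's code) that encodes that requirement; it assumes policy documents in the shape returned by the IAM Policy Management API (roles with role_id, resources with attribute lists), and the sample policies are constructed with placeholder account and instance values.

```python
import json

# Role identifiers as used in IAM policy documents (platform roles use
# "role:", service roles use "serviceRole:").
OPERATOR = "crn:v1:bluemix:public:iam::::role:Operator"
MANAGER = "crn:v1:bluemix:public:iam::::serviceRole:Manager"


def _attrs(policy):
    """Flatten a policy's resource attributes into a name -> value dict."""
    out = {}
    for res in policy.get("resources", []):
        for a in res.get("attributes", []):
            out[a["name"]] = a["value"]
    return out


def check_binding_policies(policies):
    """Return (ok, findings). ok is True only when at least one policy grants
    both Operator and Manager on a specific service name or instance; policies
    with no service scope (all IAM-enabled services) are flagged as too broad."""
    findings, ok = [], False
    for i, p in enumerate(policies):
        roles = {r["role_id"] for r in p.get("roles", [])}
        attrs = _attrs(p)
        target = attrs.get("serviceInstance") or attrs.get("serviceName")
        if target is None:
            findings.append(f"policy {i}: applies to all IAM-enabled services; scope it to the bound service instance")
            continue
        missing = [name for name, rid in (("Operator", OPERATOR), ("Manager", MANAGER)) if rid not in roles]
        if missing:
            findings.append(f"policy {i}: missing {', '.join(missing)} on {target}")
        else:
            ok = True
    return ok, findings


# Constructed sample: one correctly scoped Cloudant policy and one
# account-wide Administrator policy that a scoped service ID should not carry.
SAMPLE = json.loads("""[
 {"type": "access",
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Operator"},
            {"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager"}],
  "resources": [{"attributes": [
      {"name": "accountId", "value": "ACCOUNT-ID-PLACEHOLDER"},
      {"name": "serviceName", "value": "cloudantnosqldb"},
      {"name": "serviceInstance", "value": "INSTANCE-ID-PLACEHOLDER"}]}]},
 {"type": "access",
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "ACCOUNT-ID-PLACEHOLDER"}]}]}
]""")

if __name__ == "__main__":
    print(check_binding_policies(SAMPLE))
```

Feed it the policies of the service ID (for example, the JSON output of the IAM policy listing for that subject) to confirm the binding identity carries no more than the page requires.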

Now that you have a custom service ID for service bindings, you must configure your Code Engine project to use the custom service ID.

Configuring a project to use a custom service ID

To configure a Code Engine project for service binding to use a custom service ID that you manage, use the ibmcloud ce project update CLI command and specify the --binding-service-id option. You can update your project to use a custom service ID only with the CLI.

The project update command works within the project that is selected as the current context. Before you use the project update command, confirm that you are in the desired project. Use the ibmcloud ce project current command to display details of the project that is currently targeted. If needed, use the ibmcloud ce project select command to select your project as the current context.

  1. Find the ID of your custom service ID by clicking Details on your service ID page in the console, or run the ibmcloud iam service-ids CLI command.

  2. Run the ibmcloud ce project update command. For example, if the ID of your service ID is ServiceId-12a3456b-c78d-901e-f2a3b4cabcde:

    ibmcloud ce project update --binding-service-id ServiceId-12a3456b-c78d-901e-f2a3b4cabcde
    

Whenever you run the project update --binding-service-id command, Code Engine replaces any existing service ID and uses this service ID for service bindings.

Next steps

Now that access for service bindings is configured, you are ready to bind a service instance to an app, job, or function workload.