Configuring project-wide settings

By using the Project settings pages in the console, you can review and configure settings that apply to a specific project. Learn how to work with project-wide integrations.

What are project-wide integrations and why use them?

Use the Integrations page in the console when you want to configure the project-wide settings in such a way that all users of the project can perform certain actions. With sufficient permissions, you can configure service binding operations or configure access to images in IBM Cloud Container Registry from a single page. If you don't have sufficient permissions to perform these actions, you can use these pages to help you understand the required permissions.

When you set project-wide settings with the Integrations page, Code Engine automatically sets up the necessary credentials so that Code Engine can perform service binding operations or access Container Registry for you, instead of using a personal user ID. You can view details about what Code Engine does for you when you configure service binding operations or configure access to Container Registry. These details include information about the service ID and its access policies, the API key, and secret.

Configuring project-wide service binding operations

Use the Integrations page in the console to configure settings for service binding operations so that all users of a specific project can create and delete bindings without having to assign all necessary privileges to their personal user IDs.

In Code Engine, service binding operations, which include creating and deleting service bindings, are not performed with the identity of the user that is logged in. Instead, Code Engine automatically creates a service ID that is used specifically for service binding operations. With sufficient permissions, you can use the Integrations page to have Code Engine automatically set up this service ID. Or, you can choose to use your own custom service ID that you manage for service binding operations.

What access permissions are required to configure service binding operations?

To successfully configure service binding operations from the Integrations page, your user account must have the following Cloud Identity and Access Management (IAM) access policies assigned. If you don't have sufficient permissions to perform these actions, you can use this page to help you understand the required permissions.

  • Service: All Identity and Access enabled services
    • Resources: Select from resource group, region, or access management tags.
    • Resource group access: Viewer
    • Roles and actions: Administrator platform access (no service access required)
  • Service: Code Engine
    • Resources: The resource group of this Code Engine project
    • Resource group access: Viewer
    • Roles and actions: Writer service access and Operator platform access

For Code Engine to automatically generate a service ID for service binding operations, Code Engine checks and automatically sets up a service ID with Operator platform access and Manager service access for all services in the resource group of the Code Engine project. Code Engine uses this service ID to access IBM Cloud services with service bindings.

If you use your own custom service ID, the custom service ID must provide Operator platform access and Manager service access for any IBM Cloud services or service instances that you want to bind to Code Engine apps or jobs.

If this service ID does not exist, Code Engine tries to automatically create this service ID whenever a service binding is created. The successful creation of this service ID for service binding operations depends on whether the user that is logged in to Code Engine has sufficient permissions. If the operator secret is not created successfully, any attempt to create a service binding fails. For more information about Code Engine access requirements for service binding operations, see Configuring access for service bindings.

What's the relationship between the service ID and the operator secret?

When you configure service binding operations, you can view details about what Code Engine does for you, including information about the service ID, API key, and secret.

In Code Engine, a service binding is the relationship between an app or job and another IBM Cloud service.

Code Engine uses a service ID to perform binding operations on behalf of the user, instead of using the identity of the user that is logged in. The service ID creates credentials for a specific IBM Cloud service instance. These service credentials are used by your bound Code Engine apps and jobs to interact with the service instances. The API key for the service ID is stored in the operator secret. The access policies are the permissions that are given to the service ID.

The operator secret or ibmcloud-operator-secret is a Code Engine generated and managed secret that includes the service ID and an autogenerated API key for it. This secret is used with service binding operations and does not act as the current user's account. If the operator secret doesn't exist, it is automatically created when any one of the following scenarios is true.

  • When the next service binding is created for the project (from the console or CLI).
  • When you configure service binding operations from the Integrations page.
  • When you run the project update command.

When service binding operations are configured, the service ID and operator secret apply to your specific project.

You can configure service binding operations and let Code Engine automatically generate the service ID or you can configure service bindings with your own custom service ID.

Configuring service binding operations with a Code Engine autogenerated service ID

You can configure service binding operations so that all users in the project can create and manage service bindings to IBM Cloud services in the selected resource group from the Code Engine console.

  1. Go to the Integrations page.
    1. Select your project from the Projects page in the Code Engine console.
    2. Click Project settings > Integrations.
  2. Click Configure in the Service bindings tile to configure service binding operations for all users of this project.
  3. From the "Configure service binding operations" page, specify the resource group that you want to use for service binding operations. You can choose an IBM Cloud® resource group that contains the Code Engine project and let Code Engine create the necessary credentials. Or, you can choose to use a custom service ID that uses your service ID credentials.
  4. (optional) Expand the What Code Engine does for you section to view information about what Code Engine automatically creates for you when you configure service binding operations. View information about the service ID and the access policies that are assigned to this service ID, the API key that Code Engine automatically generates for the service ID, and the operator secret that is used for service bindings.
  5. Click Configure.
  6. (optional) Click View details to view details of the service binding operations configuration. From this page, you can view information about the service ID, API key, and operator secret that is used for service binding operations.

Now that you configured service binding operations for the specified resource group, every user with writer or manager access to this Code Engine project can create and delete service bindings. See Working with service bindings to integrate IBM Cloud services with Code Engine.

When you configure service binding operations with a Code Engine autogenerated (and managed) service ID, do not manually update or remove the service ID or API key that is created as part of the configuration of service binding operations. Also, do not attempt to rotate the API key that is associated with the service ID. Instead, go to the Project settings > Integrations page in the console, and remove the configuration for service binding operations for your project, and then configure service binding operations again. This action deletes the old service ID and API key, and creates a new service ID and API key for service binding operations.

Configuring service binding operations with a custom service ID

You can configure service binding operations such that all users in the project can create and manage service bindings with a custom service ID to IBM Cloud services from the Code Engine console.

When you use a custom service ID, the assigned IAM policies for the service ID determine the resource groups.

  1. Go to the Integrations page.
    1. Select your project from the Projects page in the Code Engine console.
    2. Click Project settings > Integrations.
  2. Click Configure in the Service bindings tile to configure service binding operations for all users of this project with your custom service ID.
  3. From the "Configure service binding operations" page, select Use a custom service ID.
  4. Choose the custom service ID that you want to use.
  5. (optional) Expand the What Code Engine does for you section to view information about what Code Engine automatically creates for you when you configure service binding operations. View information about the API key that Code Engine automatically generates for the service ID and the operator secret that is used for service binding operations.
  6. Click Configure. After service binding operations are configured, the custom service ID for service binding operations is displayed.
  7. (optional) Click View details to view details of the service binding operations configuration. From this page, you can view information about the service ID, API key, and operator secret that is used for service binding operations.

Now that you configured service binding operations with a custom service ID with required IAM permissions, every user with writer or manager access to this Code Engine project can create and delete service bindings. See Working with service bindings to integrate IBM Cloud services with Code Engine.
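Because every user with writer or manager access to the project acts through the custom service ID, it is worth checking its IAM policies against the requirement stated earlier (Operator platform access and Manager service access for each service or instance to be bound) before you select it. The following check is an added example, not IBM or Code Engine code; the policy JSON is constructed, and its field names, the helper names, and the `rg-1` and `inst-*` identifiers are assumptions for illustration.

```python
import json

# Constructed sample, not real account data. Field names follow the shape of
# IAM policy JSON (roles[].display_name, resources[].attributes[]); treat the
# shape as an assumption and compare it with your own policy export.
SAMPLE_POLICIES = json.loads("""
[
 {"roles": [{"display_name": "Operator"}, {"display_name": "Manager"}],
  "resources": [{"attributes": [
    {"name": "serviceName", "value": "cloud-object-storage"},
    {"name": "resourceGroupId", "value": "rg-1"}]}]},
 {"roles": [{"display_name": "Manager"}],
  "resources": [{"attributes": [
    {"name": "serviceName", "value": "databases-for-postgresql"},
    {"name": "serviceInstance", "value": "inst-pg-1"}]}]},
 {"roles": [{"display_name": "Operator"}],
  "resources": [{"attributes": [
    {"name": "resourceType", "value": "resource-group"},
    {"name": "resource", "value": "rg-1"}]}]}
]
""")

REQUIRED = {"Operator", "Manager"}  # platform and service role named on the page

def _attrs(policy):
    """Flatten a policy's resource attributes into {name: value}."""
    return {a["name"]: a["value"]
            for r in policy.get("resources", [])
            for a in r.get("attributes", [])}

def _covers(attrs, service, instance, group):
    """True if a policy with these attributes applies to the target instance."""
    # Access to the resource group object itself grants nothing on services.
    if attrs.get("resourceType") == "resource-group":
        return False
    # An absent attribute means the policy is not narrowed on that dimension.
    return all(attrs.get(key, want) == want for key, want in (
        ("serviceName", service),
        ("serviceInstance", instance),
        ("resourceGroupId", group)))

def missing_roles(policies, service, instance, group):
    """Return the required roles the service ID lacks for one bind target."""
    granted = set()
    for policy in policies:
        if _covers(_attrs(policy), service, instance, group):
            granted |= {r["display_name"] for r in policy.get("roles", [])}
    return REQUIRED - granted

if __name__ == "__main__":
    for target in [("cloud-object-storage", "inst-cos-1", "rg-1"),
                   ("databases-for-postgresql", "inst-pg-1", "rg-1")]:
        print(target, sorted(missing_roles(SAMPLE_POLICIES, *target)) or "ok")
```

A non-empty result for a target means a binding to that instance can be expected to fail for every project user, because they all share this one service ID.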

Removing configured service binding operations

If service binding operations are configured, you can also use the Integrations page to remove the ability for all users of the project to create or delete service bindings. This action removes the operator secret for service binding operations.

  1. Go to the Integrations page.
    1. Select your project from the Projects page in the Code Engine console.
    2. Click Project settings > Integrations.
  2. If the status of Service binding operations is Configured, click Remove configuration to remove the operator secret. You are asked to confirm that you want to delete the operator secret.

When you receive a message that service binding operations are removed, the status for service binding operations is Not configured.

If you remove configured service binding operations from the Integrations page, any existing service bindings remain. This means that for existing service bindings, when you run applications, run new application revisions, or run jobs, the bound app or job uses the existing service bindings and their credentials. However, new service bindings cannot be created without sufficient permissions, and existing bindings cannot be deleted.

If the operator secret doesn't exist, it is automatically created when any one of the following scenarios is true.

  • When the next service binding is created for the project (from the console or CLI).
  • When you configure service binding operations from the Integrations page.
  • When you run the project update command.

Configuring project-wide access to Container Registry

Use the Integrations page in the console to configure settings to set up and manage registry access to images in IBM Cloud Container Registry so that all users of a specific Code Engine project can store and access images in Container Registry without having to manually create registry secrets.

When you use project integrations to control your Code Engine managed access to Container Registry, Code Engine doesn't use the identity of the user that is logged in. Instead, Code Engine automatically creates registry access that is used specifically for accessing images in IBM Cloud Container Registry. With sufficient permissions, you can configure this default registry access on a per location (region) basis. For more information about Container Registry regions, see IBM Cloud Container Registry regions.

What access permissions are required for Code Engine managed access to IBM Cloud Container Registry?

To successfully configure registry access for all users of the project from the Integrations page, your user account must have the following IBM Cloud® Identity and Access Management (IAM) access policies assigned. If you don't have sufficient permissions to perform these actions, you can use this page to help you understand the required permissions and actions you can take.

  • Service: Container Registry
    • Resources: Select from resource group, region, or access management tags.
    • Resource group access: Viewer
    • Roles and actions: Administrator platform access and Reader, Writer, and Manager service access
  • Service: Code Engine
    • Resources: The resource group of this Code Engine project
    • Resource group access: Viewer
    • Roles and actions: Operator platform access and Writer service access

For Code Engine to automatically generate a service ID for accessing images in Container Registry in a specific location, Code Engine sets up this service ID with the Administrator role for the IAM Identity service that is scoped to this service ID. Additionally, Code Engine grants the Manager role for the IBM Cloud Container Registry service that is scoped to the specified location (region). These roles and permissions are required so that Code Engine can use this service ID to access Container Registry on behalf of the user of the respective Code Engine project.

When Code Engine configures this service ID with the Administrator platform access and Manager service access to IBM Cloud Container Registry, the access is scoped to only this service ID.

For more information about Code Engine requirements for accessing images in a container registry, see Accessing container registries.

What's the relationship between the service ID and the registry secret?

When you configure default registry access for a specific location, you can view details about what Code Engine does for you, including information about the service ID and its access policies, API key, and registry secret.

Code Engine uses a service ID to enable registry access to Container Registry, on behalf of the user, instead of using the identity of the user that is logged in.

The registry secret is a Code Engine generated and managed registry secret that includes an autogenerated API key for the service ID. This secret is used for accessing images in Container Registry.

When default registry access is configured for a location (region), the service ID and registry secret apply to your specific project.

Configuring Container Registry access

You can configure registry access such that all users in the project can access and work with images in IBM Cloud Container Registry from the Code Engine console.

  1. Go to the Integrations page.
    1. Select your project from the Projects page in the Code Engine console.
    2. Click Project settings > Integrations.
  2. In the Container Registry tile, click the row for the location for which you want to configure registry access.
  3. From the "Configure default registry access" page, you can optionally expand the What Code Engine does for you section to view information about what Code Engine automatically creates for you when you configure default registry access to a specific location. View information about the service ID and the access policies that are assigned to this service ID, the API key that Code Engine automatically generates for the service ID, and the registry secret that is used for this registry access.
  4. Click Configure to configure the default registry access for a specific location.
  5. From the table, you can view configuration status by location and the autogenerated registry secret.
  6. (optional) For more details, click the Actions icon > View details. You can view information about the service ID and the access policies that are assigned to this service ID, the API key that Code Engine automatically generates for the service ID, and the registry secret that is configured for accessing Container Registry.

Now that you configured default registry access for a specific location to Container Registry, every user with writer or manager access to this Code Engine project can use this registry secret with their apps, jobs, and builds to access images in Container Registry.

When you configure project-wide Container Registry access from the Integrations page, Code Engine automatically generates a service ID to enable registry access to Container Registry.

When you are working with a Code Engine autogenerated (and managed) registry secret, do not manually delete the registry secret. Also, do not manually remove the service ID or its associated API key for the configured Container Registry region. Do not attempt to rotate the API key that is associated with this service ID. Instead, go to the Project settings > Integrations page in the console, and remove the configuration for the desired Container Registry access for your project, and then configure registry access again. This action deletes the old service ID and API key, and creates a new service ID and API key for registry access for the project in the desired region.

Removing Code Engine managed access to Container Registry

When you remove a Code Engine managed registry secret for a particular region, this project-wide registry access is deleted. The associated service ID, API key, and registry secret are deleted. You can continue to use manually created registry access secrets, or you can configure project-wide Container Registry access again.

  1. Go to the Integrations page.
    1. Select your project from the Projects page in the Code Engine console.
    2. Click Project settings > Integrations.
  2. From the row of the location (region) for which you want to remove the registry access, click the Actions icon > Remove configuration. You are asked to confirm that you want to delete the registry access.

When you receive a message that registry access is removed, the status for registry access for a particular Container Registry location is Not configured.