Working with trusted profiles in Code Engine to access IBM Cloud services
You can configure your Code Engine components (applications, jobs, or functions) to use IAM trusted profiles to authorize Code Engine components and access IBM Cloud® services without managing separate credentials. Trusted profiles do not require storing and managing secret credentials. No maintenance or credential rotation is needed.
Before you enable an application, job, or function to use a trusted profile to access IBM Cloud services, you need an IBM Cloud® Identity and Access Management (IAM) trusted profile. Create a trusted profile in IAM that trusts your Code Engine component as a compute resource and grant access to the target service. See the IAM documentation to create your trusted profile.
The Code Engine application, job, or function then needs access to a compute resource token so that it can identify itself and authenticate as a Code Engine component for IAM. This token authenticates the services with which the Code Engine component is allowed to communicate. Trusted profiles control the specific services with which the Code Engine component can communicate.
You can enable Code Engine to provide this token to the application, job, or function, to provide full trusted profile support in Code Engine, by using the Code Engine console or the CLI.
Configuring Code Engine to support trusted profiles by using the console
The following steps describe locating an existing Code Engine application, job, or function and then enabling trusted profiles support. When you create a new application, job, or function, you can enable trusted profiles during the creation, by using the Optional settings > Service access section.
Configuring a Code Engine application to use trusted profiles
- Select your project from the Projects page in the Code Engine console.
- Click the name of your project to open the Overview page.
- Click Applications to open a list of your applications. Click the name of your application to open its application page.
- Click Service access > Trusted profiles.
- Set the Enable trusted profiles option to Enabled. When you enable this application for trusted profiles, Code Engine provides a token that the application's code can use to match trusted profiles by project or by application name.
- Enable your application code to authenticate trusted profiles.
Configuring a Code Engine job to use trusted profiles
- Select your project from the Projects page in the Code Engine console.
- Click the name of your project to open the Overview page.
- Click Jobs to open a list of your jobs. Click the name of your job to open its job page.
- Click Service access > Trusted profiles.
- Set the Enable trusted profiles option to Enabled. When you enable this job for trusted profiles, Code Engine provides a token that the job's code can use to match trusted profiles by project or by job name.
- Enable your job code to authenticate trusted profiles.
Configuring a Code Engine function to use trusted profiles
- Select your project from the Projects page in the Code Engine console.
- Click the name of your project to open the Overview page.
- Click Functions to open a list of your functions. Click the name of your function to open its function page.
- Click Service access > Trusted profiles.
- Set the Enable trusted profiles option to Enabled. When you enable this function for trusted profiles, Code Engine provides a token that the function's code can use to match trusted profiles by project or by function name.
- Enable your function code to authenticate trusted profiles.
Configuring Code Engine to support trusted profiles by using the CLI
Configuring a Code Engine application to use trusted profiles
- Select your Code Engine project. For example:
    ibmcloud ce project select --name myproject
- Enable trusted profile support:
  - By default, when you create a new Code Engine application, trusted profile support is not enabled. To enable trusted profiles support when you create a new application, use the trusted-profiles-enabled=true setting. For example:
      ibmcloud ce app create --name myapp --image icr.io/codeengine/hello --trusted-profiles-enabled=true
  - If you have an existing application and want to enable trusted profile support for it, update it with the trusted-profiles-enabled=true setting. For example:
      ibmcloud ce app update --name myapp --trusted-profiles-enabled=true
    If required, you can later disable trusted profiles support by updating the application with the trusted-profiles-enabled=false setting.
- Enable your application code to authenticate trusted profiles.
Configuring a Code Engine job to use trusted profiles
- Select your Code Engine project. For example:
    ibmcloud ce project select --name myproject
- Enable trusted profile support:
  - By default, when you create a new Code Engine job, trusted profile support is not enabled. To enable trusted profiles support when you create a new job, use the trusted-profiles-enabled=true setting. For example:
      ibmcloud ce job create --name myjob --image icr.io/codeengine/helloworld --trusted-profiles-enabled=true
  - If you have an existing job and want to enable trusted profile support for it, update it with the trusted-profiles-enabled=true setting. For example:
      ibmcloud ce job update --name myjob --trusted-profiles-enabled=true
    If required, you can later disable trusted profiles support by updating the job with the trusted-profiles-enabled=false setting.
Configuring a Code Engine function to use trusted profiles
- Select your Code Engine project. For example:
    ibmcloud ce project select --name myproject
- Enable trusted profile support:
  - By default, when you create a new Code Engine function, trusted profile support is not enabled. To enable trusted profiles support when you create a new function, use the trusted-profiles-enabled=true setting. For example:
      ibmcloud ce fn create --name myhellofun --inline-code main.js --runtime nodejs --trusted-profiles-enabled=true
  - If you have an existing function and want to enable trusted profile support for it, update it with the trusted-profiles-enabled=true setting. For example:
      ibmcloud ce fn update --name myhellofun --trusted-profiles-enabled=true
    If required, you can later disable trusted profiles support by updating the function with the trusted-profiles-enabled=false setting.
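The step "Enable your application code to authenticate trusted profiles" comes down to exchanging the compute resource token that Code Engine provides for an IAM access token. The Python below is an added example, not code from the original page or from IBM: it reads the token fresh from disk on every call, rejects an expired token locally, and builds the request for the IAM token endpoint with the cr-token grant type. Assumptions: the caller supplies the token file path and the trusted profile name (neither is given on this page), the token is a JWT with an exp claim, and make_sample_token produces constructed sample data only.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
CR_GRANT = "urn:ibm:params:oauth:grant-type:cr-token"


def make_sample_token(exp):
    """Constructed, unsigned stand-in for the platform token (sample data only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": "sample", "exp": exp}), "sig"])


def jwt_claims(token):
    """Decode the JWT payload without verifying it; for local sanity checks only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compute resource token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_exchange_request(token_path, profile_name, now=None):
    """Read the token from disk (never cache it) and build the IAM form body."""
    with open(token_path, encoding="ascii") as fh:
        cr_token = fh.read().strip()
    exp = jwt_claims(cr_token).get("exp")
    if exp is not None and exp <= (time.time() if now is None else now):
        raise ValueError("compute resource token has expired; re-read the file")
    form = {"grant_type": CR_GRANT, "cr_token": cr_token, "profile_name": profile_name}
    return urllib.parse.urlencode(form).encode("ascii")


def fetch_iam_token(token_path, profile_name):
    """Network call: exchange the compute resource token for an IAM access token."""
    req = urllib.request.Request(
        IAM_TOKEN_URL,
        data=build_exchange_request(token_path, profile_name),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        # Return the access token to the caller; do not write it to logs.
        return json.load(resp)["access_token"]
```

IAM only issues a token for a profile whose trust conditions match the calling component, so a wrong profile name surfaces as an HTTP error from fetch_iam_token and not as a token with unexpected access.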