Granting access to vaults

You can enable different levels of access to IBM Cloud® Hyper Protect Crypto Services resources in your IBM Cloud account by creating and modifying IBM Cloud Identity and Access Management (IAM)The process of controlling access of authorized users to data and applications, while helping companies comply with various regulatory requirements. access policies.

Access control in Unified Key Orchestrator is managed in vaults. Vaults are secure repositories for your key templates, cryptographic keys, and keystores. A key template, managed key or internal keystore can be created only in a vault.

As a Vault Administrator, you can create vaults and determine an access policy type for users, service IDs, and access groups based on your internal access control requirements.

Review roles and permissions to learn how IBM Cloud IAM roles map to Hyper Protect Crypto Services actions.

Step 1. Retrieve the vault ID

Retrieve the unique identifier that is associated with the vault that you want to grant someone access to.

Access the UI to browse the keys that are stored in your service instance by following these steps:

Log in to the Hyper Protect Crypto Services instance.
Click Vaults from the navigation to view all the available vaults.
Click the vault that you want to edit. The Details side panel is displayed.
In the General properties card, copy the vault ID by clicking the copy icon.

You can also use the Unified Key Orchestrator API to retrieve a list of your vaults, along with the metadata of the vaults.

Step 2. Grant access to vaults from the UI

To assign access to a vault for a user from the UI, complete the following steps:

From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
Select the user from the table, and click the Actions icon , and then select Assign access.
Click Access policy.
Under Service, select Hyper Protect Crypto Services and click Next.
Under Resources, select Specific resources.
Select Service Instance ID and enter the instance ID that is retreived.
Click Add a condition, select the Vault ID attribute to enter the vault ID that is retrieved in Step 1, and click Next
Under Roles and actions, choose a combination of platform and service access roles to assign access for the user and click Next.
(Optional) Under Conditions (optional), click Review to check the access policy.
After confirmation, click Add > Assign.

You can also create an access policy through IAM API or CLI.

What's next

To find out how to create a vault, check out Creating vaults.
To find out instructions on editing a vault, check out Editing vault details.
To find out how to delete a vault, check out Deleting vaults.