IBM Cloud Docs
Managing IAM access for InstructLab

Access to Red Hat AI InstructLab projects for users in your account is controlled by IBM Cloud® Identity and Access Management (IAM). Every user that accesses the Red Hat AI InstructLab service in your account must be assigned an access policy with an IAM role. Review the following roles, actions, and more to help determine the best way to assign access to Red Hat AI InstructLab.

The access policy that you assign to users in your account determines what actions a user can perform within the context of the service or the specific project that you select. The allowable actions are defined by the Red Hat AI InstructLab service as the operations that can be performed on it. Each action is mapped to an IAM platform or service role that you can assign to a user.

Make sure you also have the Viewer role for the resource groups you want to use.

IAM access policies enable access at different levels. Some options include the following:

  • Giving Reader or Writer access to a specific project.
  • Giving Reader or Writer access to a specific resource group where there could be many projects.
  • Giving Reader or Writer access to the entire account where there could be many resource groups with many projects.
  • Giving Viewer access to the InstructLab project(s) within a resource group or at the account level.
  • Giving creation access to create InstructLab project(s) within a resource group or at the account level.

If a specific role and its actions don't fit the use case that you're looking to address, you can create a custom role and pick the actions to include.

Review the following tables that outline what types of tasks each role allows for when you're working with the Red Hat AI InstructLab service. Platform management roles enable users to perform tasks on service resources at the platform level, for example, assign user access to the service, create or delete projects, and bind projects to applications. Service access roles enable users access to Red Hat AI InstructLab and the ability to call the Red Hat AI InstructLab's API.

The tables give a high-level view of the tasks that users can complete with each role assigned.

IAM roles and actions

IAM platform roles
Platform role | Description
Viewer | As a viewer, you can view projects, but you can't modify them.
Operator | As an operator, you can perform platform actions required to configure and operate projects, such as viewing a service's dashboard.
Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Service Configuration Reader | As a service configuration reader, you can read service configuration for governance management.
Key Manager | As a key manager, the service can perform platform actions required to manage resource keys, such as creating a new resource key.

IAM service access roles
Service role | Description
Reader | As a reader, you can perform read-only actions within a service, such as viewing service-specific resources.
Writer | As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Manager | As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.

IAM actions
Action | Description | Roles
instructlab.dashboard.view | View InstructLab dashboards. | Operator, Administrator, Editor
instructlab.taxonomy.read | Read details of a taxonomy. | Reader, Writer, Manager
instructlab.taxonomy.create | Create taxonomies. | Writer, Manager
instructlab.taxonomy.list | List taxonomies. | Reader, Writer, Manager
instructlab.taxonomy.delete | Delete taxonomies. | Writer, Manager
instructlab.sdgdata.read | Read details of a data generation run. | Reader, Writer, Manager
instructlab.sdgdata.list | List data generation runs. | Reader, Writer, Manager
instructlab.sdgdata.create | Create a data generation run. | Writer, Manager
instructlab.sdgdata.delete | Delete a data generation run. | Writer, Manager
instructlab.sdgdata.stop | Stop a data generation run. | Writer, Manager
instructlab.model.read | Read details of a model training run. | Reader, Writer, Manager
instructlab.model.list | List model training runs. | Reader, Writer, Manager
instructlab.model.create | Create a model training run. | Writer, Manager
instructlab.model.delete | Delete a model training run. | Writer, Manager
instructlab.model.stop | Stop a model training run. | Writer, Manager

Give InstructLab permission to create and update Object Storage artifacts

Give InstructLab the Writer access role for the Object Storage service. The logged-in user must also have the same permission.

  1. Create the authorization policy for InstructLab and Object Storage.

    ibmcloud iam authorization-policy-create Writer --source-service-name instructlab --target-service-name cloud-object-storage
    

    If you already have Object Storage resources to use, you can scope the authorization to only those resources.

    ibmcloud iam authorization-policy-create Writer --source-service-name instructlab --target-service-name cloud-object-storage --target-service-instance-id <cloud-object-storage-instance-id> --target-resource <cloud-object-storage-bucket> --target-resource-type bucket
    
  2. Verify that the authorization policy was created.

    ibmcloud iam authorization-policies
    

    Result when authorization is not scoped to a specific Object Storage bucket:

    Getting authorization policies under account abc1234 as user...
    OK
    
    ID:                        <id>
    Source service name:       instructlab
    Source service instance:   All instances
    Target service name:       cloud-object-storage
    Target service instance:   All instances
    Roles:                     Writer
    

    Result when authorization is scoped to a specific Object Storage bucket:

    Getting authorization policies under account abc1234 as user...
    OK
    
    ID:                        <id>
    Source service name:       instructlab
    Source service instance:   All instances
    Target service name:       cloud-object-storage
    Target service instance:   bucket
    Roles:                     Writer
    
  3. (Optional) If you are using a private repository, create another service authorization for InstructLab and Secrets Manager.

    ibmcloud iam authorization-policy-create Writer --source-service-name instructlab --target-service-name secrets-manager
    
  4. If necessary, give the Writer permission to the logged-in user. Include the Object Storage service instance ID from the previous step.

    ibmcloud iam user-policy-create <user> --roles Writer --service-instance <cloud-object-storage-instance-id>
    

Assign user access to your resources

You can control which users (or groups of users) in your account access your InstructLab resources. Follow these steps to assign access in the console.

For more details on how you can assign access, such as the steps to use the CLI or the different ways you can scope access to InstructLab or your Object Storage bucket, see Managing IAM access for Red Hat AI InstructLab on IBM Cloud.

There are two common ways to assign access:

Access policies per user.
You can manage access policies per user from the Manage > Access (IAM) > Users page in the console. For information about the steps to assign IAM access, see Managing access to resources in the console.
Access groups.
Access groups are used to streamline access management by assigning access to a group once, then you can add or remove users as needed from the group to control their access. You manage access groups and their access from the Manage > Access (IAM) > Access groups page in the console. For more information, see Assigning access to a group in the console.

Assigning access to resources in the console

To assign access to an individual resource in the account or access to all resources in the account, complete the following steps:

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to assign access to.
  2. Click the Actions icon > Assign access for the user or service ID that you want to assign access to.
  3. Select a group of services or a single service. Then, click Next.
  4. Scope the access to all resources in the account, or select specific resources based on attributes.
  5. Click Next.
  6. Select any combination of roles to assign, and click Review.
  7. Click Add to add your policy configuration to your policy summary.
  8. (Optional) Add users or service IDs to access groups.
    1. Select the access groups that you want the user or service ID to belong to.
    2. Click Add.
  9. Click Assign.

If a user doesn't have a role on the resource group that contains the resources, they can see the resources, but can't access the resources by going to the Resource list page in the account to start working with them. Assign the Viewer role or higher on the resource group itself to ensure that a user can access the resource.

Increased policy limits for service IDs are available for select accounts. To take advantage of the increased policy limits, assign access to Event Streams or IBM Cloud Object Storage services. You must also scope the access policies to a specific service instance, resource type, and resource ID.

Assigning access within a resource group in the console

To assign access to all resources in a resource group or to just one service within a resource group, complete the following steps:

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to assign access to.
  2. Click the user or service ID that you want to assign access to, then click Access > Assign access.
  3. Select a group of services or a single service. Then, click Next.
  4. Scope the access to Specific resources. Select the Resource group attribute type and enter a resource group.
  5. Click Next.
  6. Select the access roles to manage the resource group. Then, click Next.
  7. Select any combination of roles to assign, and click Review.
  8. Click Add to add your policy configuration to your policy summary.
  9. Click Assign.

Assigning access to manage a resource group

You can assign access to view or manage a resource group without assigning service access.

As an administrator, you might want to create an access group with the Viewer role on all resource groups. This way, when you assign access to service resources you don’t have to create additional policies for viewing resource groups. The Viewer role on a resource group is required for a user to create a service instance in that resource group.

To assign access to a resource group without assigning service access, complete the following steps:

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to assign access to.
  2. Click the user or service ID that you want to assign access to, then click Access > Assign access.
  3. Select Resource group only.
  4. Select Add a condition.
  5. Select the Resource group attribute type and enter a resource group.
  6. Click Next.
  7. Select the access roles for viewing or managing the resource group. Then, click Review.
  8. Click Add to add your policy configuration to your policy summary.
  9. Click Assign.

You can repeat this type of policy as needed for each available resource group in the account to assign access to manage all resource groups in the account.

Assigning access to InstructLab by using the CLI

For step-by-step instructions for assigning, removing, and reviewing access, see Assigning access to resources by using the CLI. The following examples show commands for assigning access to instructlab.

Use instructlab for the service name. To find the role IDs, run the ibmcloud iam roles command. Also, use quotation marks around role names that are more than one word, for example "Service Configuration Reader".

Example command to give a user the Viewer role for a specific InstructLab project in the account:

ibmcloud iam user-policy-create name@example.com --roles Viewer --service-name instructlab --attributes "projectId=1b111111-1ef1-11f1-1111-111bae11111a"

Example command to give a user the Key Manager role for the InstructLab service in the account:

ibmcloud iam user-policy-create name@example.com --roles "Key Manager" --service-name instructlab

Example command to give a user the Writer role for all InstructLab projects in the account:

ibmcloud iam user-policy-create name@example.com --service-name instructlab --roles Writer

Example command to assign a user the Administrator role for all instances of the InstructLab service in the account:

ibmcloud iam user-policy-create name@example.com --roles Administrator --service-name instructlab

Example command to assign a user the Viewer role on all resource groups in the account:

ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-type resource-group

Example command to assign a user the Viewer role on a specific resource group (replace <resource-group-id> with the ID of the resource group):

ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-type resource-group --resource <resource-group-id>

Example command to give the service ID named test the Administrator role on resources in a specific resource group:

ibmcloud iam service-policy-create test --roles Administrator --resource-group-name sample-resource-group

Assigning user access to InstructLab by using the API

For step-by-step instructions for assigning, removing, and reviewing access, see Assigning access to resources by using the API or the Create a policy API docs. Role cloud resource names (CRN) in the following table are used to assign access with the API.

Use instructlab for the service name, and refer to the Role CRN values table to ensure that you're using the correct value for the role. Review the following list of role CRNs.

IAM role CRNs
Role | CRN
Reader | crn:v1:bluemix:public:iam::::serviceRole:Reader
Writer | crn:v1:bluemix:public:iam::::serviceRole:Writer
Manager | crn:v1:bluemix:public:iam::::serviceRole:Manager
Viewer | crn:v1:bluemix:public:iam::::role:Viewer
Operator | crn:v1:bluemix:public:iam::::role:Operator
Editor | crn:v1:bluemix:public:iam::::role:Editor
Administrator | crn:v1:bluemix:public:iam::::role:Administrator
Service Configuration Reader | crn:v1:bluemix:public:iam::::role:ConfigReader
Key Manager | crn:v1:bluemix:public:resource-controller::::role:KeyManager

The following example assigns the Writer role for instructlab.

curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Writer role for InstructLab",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Writer"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "instructlab"
        }
      ]
    }
  ]
}'
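As an added example (not IBM's SDK code or this page's own sample), the following Python builds the policy body that the Create a policy API expects from the role CRNs in the table above, and then audits a list of policy bodies for privileged instructlab roles that are granted account-wide rather than per project or resource group. The projectId attribute mirrors the CLI --attributes example on this page; its use as an API resource attribute, like the resourceGroupId attribute, is an assumption here.

```python
# Added example (not IBM's SDK or this page's sample code): build the body that
# POST https://iam.cloud.ibm.com/v1/policies expects for instructlab, using the
# role CRNs from the table above, and audit existing bodies for over-broad grants.
# The "projectId" attribute mirrors the CLI --attributes example on this page; its
# use as an API resource attribute, and "resourceGroupId", are assumptions here.

SERVICE_ROLE_CRNS = {
    "Reader": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
    "Writer": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
    "Manager": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
}
PLATFORM_ROLE_CRNS = {
    "Viewer": "crn:v1:bluemix:public:iam::::role:Viewer",
    "Operator": "crn:v1:bluemix:public:iam::::role:Operator",
    "Editor": "crn:v1:bluemix:public:iam::::role:Editor",
    "Administrator": "crn:v1:bluemix:public:iam::::role:Administrator",
}
ROLE_CRNS = {**SERVICE_ROLE_CRNS, **PLATFORM_ROLE_CRNS}
# Roles that can create, change or delete InstructLab resources or access policies.
PRIVILEGED = {"Writer", "Manager", "Editor", "Administrator"}
# Resource attributes that narrow a policy below the whole account (assumed names).
SCOPE_ATTRIBUTES = ("projectId", "resourceGroupId")


def build_policy(iam_id, account_id, roles, project_id=None, description=""):
    """Return a policy body scoped to the instructlab service in one account.

    With project_id the grant is narrowed to a single InstructLab project;
    without it the roles apply to every project in the account.
    """
    unknown = [r for r in roles if r not in ROLE_CRNS]
    if unknown:
        raise ValueError(f"unknown role(s): {unknown}")
    attributes = [
        {"name": "accountId", "value": account_id, "operator": "stringEquals"},
        {"name": "serviceName", "value": "instructlab", "operator": "stringEquals"},
    ]
    if project_id:
        attributes.append(
            {"name": "projectId", "value": project_id, "operator": "stringEquals"})
    return {
        "type": "access",
        "description": description,
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": ROLE_CRNS[r]} for r in roles],
        "resources": [{"attributes": attributes}],
    }


def audit_policies(policies):
    """Return (description, privileged roles) for each instructlab policy
    that grants a privileged role with no project or resource group scope."""
    crn_to_role = {crn: name for name, crn in ROLE_CRNS.items()}
    findings = []
    for pol in policies:
        attrs = {a["name"]: a["value"]
                 for res in pol.get("resources", [])
                 for a in res.get("attributes", [])}
        if attrs.get("serviceName") != "instructlab":
            continue  # not an InstructLab grant; out of scope for this audit
        roles = {crn_to_role.get(r["role_id"], r["role_id"])
                 for r in pol.get("roles", [])}
        broad = roles & PRIVILEGED
        if broad and not any(k in attrs for k in SCOPE_ATTRIBUTES):
            findings.append((pol.get("description", ""), sorted(broad)))
    return findings
```

Feed audit_policies the policy objects returned by GET /v1/policies for your account to list the InstructLab grants worth narrowing to a project or resource group.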

Assigning access to resources by using the API

You can assign access to an individual resource in the account or access to a list of resources in the account by calling the IBM Cloud® Identity and Access Management (IAM) Policy Management API as shown in the following sample request. The sample request gives Administrator role access for an instance of a service:

curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Administrator role for RESOURCE_NAME in SERVICE_NAME",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "$SERVICE_NAME"
        },
        {
          "name": "resource",
          "value": "$RESOURCE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ]
}'

Java SDK example (assumes the IBM Platform Services Java SDK, an authenticated IamPolicyManagement client named service, and the string exampleAccountId are set up earlier):

import java.util.Arrays;
import com.ibm.cloud.platform_services.iam_policy_management.v1.IamPolicyManagement;
import com.ibm.cloud.platform_services.iam_policy_management.v1.model.*;
import com.ibm.cloud.sdk.core.http.Response;

// Subject: the IAM ID of the user or service ID that receives the role.
SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
      .name("iam_id")
      .value("EXAMPLE_USER_ID")
      .build();

PolicySubject policySubjects = new PolicySubject.Builder()
      .addAttributes(subjectAttribute)
      .build();

// Role: a CRN from the IAM role CRNs table.
PolicyRole policyRoles = new PolicyRole.Builder()
      .roleId("crn:v1:bluemix:public:iam::::role:Administrator")
      .build();

// Resources: the account and service name that scope the grant.
ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
      .name("accountId")
      .value(exampleAccountId)
      .operator("stringEquals")
      .build();

ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
      .name("serviceName")
      .value("service")
      .operator("stringEquals")
      .build();

PolicyResource policyResources = new PolicyResource.Builder()
      .addAttributes(accountIdResourceAttribute)
      .addAttributes(serviceNameResourceAttribute)
      .build();

CreatePolicyOptions options = new CreatePolicyOptions.Builder()
      .type("access")
      .subjects(Arrays.asList(policySubjects))
      .roles(Arrays.asList(policyRoles))
      .resources(Arrays.asList(policyResources))
      .build();

Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();

System.out.println(policy);

Node.js SDK example (assumes the IBM Platform Services Node SDK, an authenticated IamPolicyManagementV1 client named iamPolicyManagementService, and the string exampleAccountId are set up earlier):

let examplePolicyId;

// Subject: the IAM ID of the user or service ID that receives the role.
const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: 'exampleUserId',
      },
    ],
  },
];
// Role: a CRN from the IAM role CRNs table.
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Administrator',
  },
];
// Resources: the account and service name that scope the grant.
const accountIdResourceAttribute = {
  name: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'serviceName',
  value: 'service',
  operator: 'stringEquals',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};

iamPolicyManagementService.createPolicy(params)
  .then(res => {
    examplePolicyId = res.result.id;
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err);
  });

Python SDK example (assumes the IBM Platform Services Python SDK, an authenticated IamPolicyManagementV1 client named iam_policy_management_service, and the string example_account_id are set up earlier):

import json
from ibm_platform_services.iam_policy_management_v1 import (
  PolicySubject, SubjectAttribute, PolicyRole, ResourceAttribute, PolicyResource)

# Subject: the IAM ID of the user or service ID that receives the role.
policy_subjects = PolicySubject(
  attributes=[SubjectAttribute(name='iam_id', value='example_user_id')])
# Role: a CRN from the IAM role CRNs table.
policy_roles = PolicyRole(
  role_id='crn:v1:bluemix:public:iam::::role:Administrator')
# Resources: the account and service name that scope the grant.
account_id_resource_attribute = ResourceAttribute(
  name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
  name='serviceName', value='service')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute,
        service_name_resource_attribute])

policy = iam_policy_management_service.create_policy(
  type='access',
  subjects=[policy_subjects],
  roles=[policy_roles],
  resources=[policy_resources]
).get_result()

print(json.dumps(policy, indent=2))

Go SDK example (assumes the IBM Platform Services Go SDK, an authenticated client named iamPolicyManagementService, and the string exampleAccountID are set up earlier):

import (
  "encoding/json"
  "fmt"

  "github.com/IBM/go-sdk-core/v5/core"
  "github.com/IBM/platform-services-go-sdk/iampolicymanagementv1"
)

// Subject: the IAM ID of the user or service ID that receives the role.
subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: core.StringPtr("exampleUserID"),
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
// Role: a CRN from the IAM role CRNs table.
policyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator"),
}
// Resources: the account and service name that scope the grant.
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr(exampleAccountID),
  Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("serviceName"),
  Value:    core.StringPtr("service"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute},
}

options := iamPolicyManagementService.NewCreatePolicyOptions(
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*policyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))

You can assign access to a group of services. To assign access to All Identity and Access enabled services, specify serviceType for the name attribute, and use the value service. To assign access to All Account Management services, specify serviceType for the name attribute, and use the value platform_service. To assign access to the subset of account management services All IAM Account Management services, specify service_group_id for the name attribute, and use the value IAM.

Increased policy limits for service IDs are available for select accounts. To take advantage of the increased policy limits, assign access to Event Streams or IBM Cloud Object Storage services. You must also scope the access policies to a specific service instance, resource type, and resource ID.

The following sample request gives a service ID Reader role access to an instance of Object Storage. It scopes the access to a specific service instance, resource type, and resource ID:

curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Reader role for RESOURCE_NAME in cloud-object-storage",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "$SERVICE_ID"
        }
      ]
    }
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "cloud-object-storage"
        },
        {
          "name": "serviceInstance",
          "value": "$INSTANCE_ID",
          "operator": "stringEquals"
        },
        {
          "name": "resourceType",
          "value": "$RESOURCE_TYPE",
          "operator": "stringEquals"
        },
        {
          "name": "resource",
          "value": "$RESOURCE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ]
}'

Assigning access within a resource group by using the API

This action can be done only through the console or the CLI. For the steps, see the console or CLI sections above.