Granting access to keys
You can enable different levels of access to IBM® Key Protect resources in your IBM Cloud account by creating and modifying IBM Cloud IAM access policies.
Account admins should determine an access policy type for users, service IDs, and access groups (a set of users and service IDs organized into a group that is used as the subject of an access policy, so that all group members receive the same access) based on internal access control requirements. These access controls can be assigned at multiple levels, from whole instances down to individual keys. For example, if you want to grant a user access to Key Protect at the smallest scope available, you can assign access to a single key in an instance.
Granting access to all keys in an instance
Review roles and permissions to learn how IBM Cloud IAM roles map to Key Protect actions.
To grant access to keys within a Key Protect instance by using the IBM Cloud console:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select a table row, and click the ⋯ icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Assign access.
- Choose whether you want to assign access to a group (by clicking Access group) or to an individual (by clicking Access policies). Your access groups can be found by clicking Access groups in the Manage access section of the left navigation.
- From the list of services, select Key Protect and click Next to open the Resources section.
- In the Resources section, use the radio buttons to select whether you assign access over all resources or only specific resources. If you select Specific resources, you are asked to provide an Attribute type (for example, a Key ring ID, where the string equals the ID). The Add a condition box allows you to add more attributes to the policy that you create in the next step. When you are ready, click Next to create the policy. You can click Edit if you want to go back to the list of services.
- In the Roles and access section, you assign access over the resources that you selected. For more information about the difference between service access roles and platform access roles, see Platform roles and service roles. The box to the right of the selection options dynamically updates to summarize the access that would be assigned if the selected options are kept. Review this list carefully. A JSON version of the policy can be viewed (and copied) by clicking JSON in the UI | JSON toggle to the right of the Create policy header.
- When you are satisfied with your policy, click Add. This creates the selected policy over the selected resources. The Access summary column shows the created policy. If there is an error, you can Remove or Edit the access in this section.
Granting access to a single key in an instance
The list keys API does not return keys whose access was granted at the individual-key level, even when the caller holds that access and is the one making the call. It does return the keys in any key rings that the caller has access to.
If you need to assign access at a finer granularity than the instance level, you can assign access to a particular key or to a key ring.
To create an access policy for a particular key, you need to:
Step 1. Retrieve the key ID
Retrieve the unique identifier that's associated with the key that you want to grant someone access to.
To get the ID for a specific key, you can:
- Access the Key Protect GUI to browse the keys that are stored in your Key Protect instance.
- Use the Key Protect API to retrieve a list of your keys, along with metadata about the keys.
Step 2. Create an access policy
To create an access policy for a key, target both the instance and the key:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select a table row, and click the ⋯ icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Assign access to the users.
- From the list of services, select Key Protect.
- From the list of Key Protect instances, select the Key Protect instance that contains the key that you want to grant access to.
- Select Resources based on selected attributes.
- Click the Instance ID box and select the instance in which the key resides from the drop-down list.
- Click the Resource type box and enter key.
- Click the Resource ID box and enter the ID that was assigned to your key by the Key Protect service.
- Choose a combination of platform and service access roles to assign access for the user.
- Click Add.
- Continue to add platform and service access roles as needed. When you are finished, click Assign.
Granting access to key rings in an instance
A key ring is a collection of keys within your service instance to which you can restrict access by using an IAM access policy. For information on key rings, see Grouping keys.
You can grant access to key rings within a Key Protect instance by using the IBM Cloud console, IAM API, or IAM CLI.
Review roles and permissions to learn how IBM Cloud IAM roles map to Key Protect actions.
Granting access to key rings in an instance using the console
To assign access to a key ring via the console:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select a table row, and click the ⋯ icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Assign access to the users.
- Click the IAM services tile.
- From the list of services, select Key Protect.
- Select Resources based on selected attributes.
- Click the Instance ID box and select the instance in which the key ring resides from the drop-down list.
- Click the Key Ring ID box and enter the name of the key ring. The key ring ID is case sensitive and must match exactly.
- Choose the combination of platform and service access roles that you want this user to have.
- Click Add.
- Continue to add platform and service access roles as needed. When you are finished, click Assign. Note that the user must be assigned at least Reader access to the entire instance in order to list, create, and delete key rings within the instance.
Granting access for specific functions
To use the Key Protect key purge feature, a specific role called KeyPurge must be granted explicitly; it is not enabled by default, even for the account owner.
Follow the steps in the other sections of this topic to grant access either to all keys in an instance or to a specific key, and choose the KeyPurge role in the Roles and access section when you assign access.
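Each of the procedures on this page (all keys in an instance, a key ring, a single key, and the KeyPurge grant) produces the same artifact: an IAM access policy whose resource attributes fix the scope and whose roles fix the permissions. The following Python is an added example written for this page, not IBM's own code or SDK. It builds that policy document in the shape accepted by the IAM Policy Management API (`POST /v1/policies`), classifies its scope, and flags grants a reviewer would question before applying them. The service name `kms`, the role CRN format, and the `keyRing`, `resourceType` and `resource` attribute names are assumptions drawn from how Key Protect policies appear in the console's JSON view; confirm them against a policy you create there. All account, IAM, instance and key identifiers are constructed placeholders.

```python
"""
Build and sanity-check IBM Cloud IAM access policies that scope Key Protect
access to a whole instance, to a key ring, or to a single key.
Attribute names, role CRNs and the service name are assumptions of this
example; verify them against the JSON view of a console-created policy.
"""
import json

# Key Protect is registered with IAM under the service name "kms" (assumption).
SERVICE_NAME = "kms"
PLATFORM_ROLES = {"Viewer", "Operator", "Editor", "Administrator"}
SERVICE_ROLES = {"Reader", "ReaderPlus", "Writer", "Manager", "KeyPurge"}


def role_crn(name):
    """Map a role name to the role CRN that the IAM policy API expects."""
    if name in PLATFORM_ROLES:
        return f"crn:v1:bluemix:public:iam::::role:{name}"
    if name in SERVICE_ROLES:
        return f"crn:v1:bluemix:public:{SERVICE_NAME}::::serviceRole:{name}"
    raise ValueError(f"unknown Key Protect role: {name}")


def build_policy(account_id, iam_id, instance_id, roles, key_ring=None, key_id=None):
    """Return an IAM access policy document for one user (iam_id).

    With neither key_ring nor key_id the policy covers every key in the
    instance; key_ring narrows it to one key ring; key_id narrows it to one key.
    """
    if key_ring and key_id:
        raise ValueError("scope the policy to a key ring or to a key, not both")
    attributes = [
        {"name": "accountId", "value": account_id},
        {"name": "serviceName", "value": SERVICE_NAME},
        {"name": "serviceInstance", "value": instance_id},
    ]
    if key_ring:
        # Key ring IDs are matched exactly and are case sensitive.
        attributes.append({"name": "keyRing", "value": key_ring, "operator": "stringEquals"})
    if key_id:
        attributes.append({"name": "resourceType", "value": "key"})
        attributes.append({"name": "resource", "value": key_id})
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": role_crn(r)} for r in roles],
        "resources": [{"attributes": attributes}],
    }


def _attrs(policy):
    return {a["name"]: a["value"] for a in policy["resources"][0]["attributes"]}


def policy_scope(policy):
    """Classify a policy as 'instance', 'key_ring' or 'key' from its resource attributes."""
    attrs = _attrs(policy)
    if attrs.get("resourceType") == "key" and "resource" in attrs:
        return "key"
    if "keyRing" in attrs:
        return "key_ring"
    return "instance"


def lint_policy(policy):
    """Flag grants a reviewer would question before the policy is applied."""
    findings = []
    roles = {r["role_id"].rsplit(":", 1)[1] for r in policy["roles"]}
    scope = policy_scope(policy)
    if "KeyPurge" in roles and scope != "key":
        findings.append(f"KeyPurge granted at {scope} scope; consider scoping it to a single key")
    if ("Manager" in roles or "Administrator" in roles) and scope == "instance":
        findings.append("Manager/Administrator granted over every key in the instance")
    if not roles & SERVICE_ROLES:
        findings.append("no service access role: platform actions only, no key operations")
    return findings


if __name__ == "__main__":
    # Constructed sample identifiers; real values come from your account, IAM and Key Protect.
    policy = build_policy("a1b2c3", "IBMid-EXAMPLE", "inst-0000",
                          ["Viewer", "ReaderPlus"], key_ring="payments")
    print(json.dumps(policy, indent=2))
    print(policy_scope(policy), lint_policy(policy))
```

The linter encodes the least-privilege points this page makes: KeyPurge is a deliberately opt-in role, so it is worth questioning whenever it is granted wider than a single key, and a Manager grant over a whole instance is the widest key-level access a policy can give.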
Next Steps
You can also create an access policy via the Key Protect API or the Key Protect CLI plugin.