IBM Cloud Docs
Setting and editing network access policies

After you set up your IBM® Key Protect service instance, you manage network access policies by using the service API.

Managing network access policy settings

For best results, use context-based restrictions (CBR) rather than an allowed IP policy to define and enforce access policies for IBM Cloud resources based on the network location of access requests.

A network access policy for Key Protect instances is an extra policy that customers can use to block a Key Protect instance from getting API requests from public or private networks.

The network access policy applies to newly provisioned and existing instances. For existing instances the network access policy is enforced after it is set.

The network access policy capability is available only through the Key Protect API. To find out more about accessing the Key Protect APIs, check out Setting up the API.

Understanding network access policies

Two options control network access to Key Protect instances:

  • Public and private network access - this is the default
  • Private network access only

Public and private network access

The Key Protect instance accepts API requests from both public and private endpoints.

Public and private network access is the default setting and is used if a policy is not set.

For example, multiple teams are testing a solution that uses Key Protect instances. Development and test teams issue API requests from both outside (public endpoints) and inside (private endpoints) the IBM Cloud. You allow public and private API requests to ensure each team has access to Key Protect instances during this phase of the project.

Private network access only

The Key Protect instance accepts API requests from only private endpoints.

To connect to Key Protect by using a private network connection, you must use the Key Protect API or the Key Protect CLI plug-in. This capability is not available from the Key Protect GUI.

For example, development and testing is complete and the solution that uses Key Protect instances is in production. You want to limit API requests to private networks for security reasons. All Key Protect API requests must originate from within the IBM Cloud.

The Regions and endpoints topic explains how to enable private endpoints.

After the network access policy is set to private-only, you cannot make any Key Protect API calls from the public network, including the API call that changes the policy. Make sure the private environment is set up and working before you set the network access policy to private-only. See Using private endpoints.

Delete or deprovision a Key Protect instance

The network access policy is not enforced when a Key Protect instance is deleted or deprovisioned.

The instance access policy, which controls access to the instance from either public or private IP addresses, is not enforced when the following command to delete the instance is issued.

$ ibmcloud resource service-instance-delete (NAME | ID)

Enabling network access to your Key Protect instance with the console

If you prefer to enable a network access policy on your instance by using a graphical interface, you can use the IBM Cloud console.

After the network access policy is set to private-only the UI cannot be used for any Key Protect actions.

Keys in a private-only instance will not be shown in the UI and any Key Protect actions in the UI will return an unauthorized error (HTTP status code 401).

After creating a Key Protect instance, complete the following steps to create a network access policy:

  1. Log in to the IBM Cloud console.

  2. Go to Menu > Resource List to view a list of your resources.

  3. From your IBM Cloud resource list, select your provisioned instance of Key Protect.

  4. Click the Instance policies link on the left side of the page.

    • Find the Network access allowed panel (on the top-right side of the page).

    • Change the policy by selecting either Public and private (default) or Private only from the dropdown.

    • Click Save or Cancel (whichever is appropriate).

Enabling network access to your Key Protect instance with the API

As an admin, enable a network access policy for a Key Protect instance by making a PUT call to the following endpoint. See these API references to set and list instance policies.

https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork

  1. Retrieve your authentication credentials to work with the API.

    To change a network access policy, you must be assigned a Manager access policy for your Key Protect instance. To learn how IAM (identity and access management) roles map to Key Protect service actions, check out Service access roles.

  2. Enable a network access policy for your Key Protect instance by running the following curl command.

    $ curl -X PUT \
        "https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork" \
        -H "accept: application/vnd.ibm.kms.policy+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>" \
        -H "content-type: application/vnd.ibm.kms.policy+json" \
        -d '{
                "metadata": {
                    "collectionType": "application/vnd.ibm.kms.policy+json",
                    "collectionTotal": 1
                },
                "resources": [
                    {
                        "policy_type": "allowedNetwork",
                        "policy_data": {
                            "enabled": <enabled>,
                            "attributes": {
                                "allowed_network": "<access_type>"
                            }
                        }
                    }
                ]
            }'
    

Replace the variables in the example request according to the following table.

Table 1. Variables that are needed to set a network access policy at the instance level.

  region       Required. The region abbreviation, such as us-south or eu-gb, that represents the geographic area where your Key Protect instance resides. For more information, see Regional service endpoints.

  IAM_token    Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the curl request. For more information, see Retrieving an access token.

  instance_ID  Required. The unique identifier that is assigned to your Key Protect service instance. For more information, see Retrieving an instance ID.

  enabled      Required. Set to true to enable a network access policy. Set to false to remove the network access policy, that is, the policy is not enforced.

  access_type  Required. The network access policy to apply to your Key Protect instance. Acceptable values are public-and-private or private-only.

A successful request returns an HTTP 204 No Content response, which indicates that your Key Protect instance now enforces a network access policy. API requests to the service are restricted to the policy you set.

This policy applies to Key Protect instances only. The network access policy does not apply to specific keys.

Optional: Verify that the network access policy was created by browsing the policies that are available for your Key Protect instance.

$ curl -X GET \
    "https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork" \
    -H "accept: application/vnd.ibm.kms.policy+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>"
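The PUT and GET requests above, wrapped in a small Python helper as an added example (not IBM's own code or SDK). It validates the access_type value, refuses to apply private-only unless the caller explicitly confirms that private-endpoint access already works (since the public endpoint cannot undo the change afterwards), and parses the verification response; it assumes the GET response uses the same resources/policy_type/policy_data layout as the PUT body, and the sample response embedded below is constructed for illustration.

```python
import json
import urllib.request

POLICY_MEDIA_TYPE = "application/vnd.ibm.kms.policy+json"
ALLOWED_ACCESS_TYPES = ("public-and-private", "private-only")

# Constructed sample of a GET .../policies?policy=allowedNetwork response (not captured from the service).
SAMPLE_GET_RESPONSE = {
    "metadata": {"collectionType": POLICY_MEDIA_TYPE, "collectionTotal": 1},
    "resources": [{"policy_type": "allowedNetwork",
                   "policy_data": {"enabled": True,
                                   "attributes": {"allowed_network": "public-and-private"}}}],
}

def build_allowed_network_policy(enabled, access_type):
    """Build the JSON body for the PUT request; rejects values the API does not accept."""
    if access_type not in ALLOWED_ACCESS_TYPES:
        raise ValueError(f"access_type must be one of {ALLOWED_ACCESS_TYPES}, got {access_type!r}")
    return {
        "metadata": {"collectionType": POLICY_MEDIA_TYPE, "collectionTotal": 1},
        "resources": [{"policy_type": "allowedNetwork",
                       "policy_data": {"enabled": bool(enabled),
                                       "attributes": {"allowed_network": access_type}}}],
    }

def parse_allowed_network_policy(body):
    """Return (enabled, allowed_network) from a GET response body, or None if no policy is present.
    Assumes the response layout mirrors the PUT body shown on this page."""
    for res in body.get("resources", []):
        if res.get("policy_type") == "allowedNetwork":
            data = res.get("policy_data", {})
            return data.get("enabled"), data.get("attributes", {}).get("allowed_network")
    return None

def set_allowed_network_policy(region, instance_id, iam_token, enabled, access_type,
                               confirm_private_ready=False):
    """PUT the policy and return the HTTP status (204 on success).
    private-only locks the public endpoint out, including this very call, so it is refused
    until the caller confirms that private-endpoint access has been verified."""
    if enabled and access_type == "private-only" and not confirm_private_ready:
        raise RuntimeError("verify private-endpoint access first, then pass confirm_private_ready=True")
    url = f"https://{region}.kms.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork"
    req = urllib.request.Request(
        url, method="PUT",
        data=json.dumps(build_allowed_network_policy(enabled, access_type)).encode(),
        headers={"accept": POLICY_MEDIA_TYPE, "content-type": POLICY_MEDIA_TYPE,
                 "authorization": f"Bearer {iam_token}", "bluemix-instance": instance_id})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```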

Disabling network access to your Key Protect instance with the console

If you prefer to disable a network access policy on your instance by using a graphical interface, you can use the IBM Cloud console.

After creating a network access policy, complete the following steps to disable a network access policy:

  1. Log in to the IBM Cloud console.

  2. Go to Menu > Resource List to view a list of your resources.

  3. From your IBM Cloud resource list, select your provisioned instance of Key Protect.

  4. On the Instance policies page, use the Policies table to browse the policies in your Key Protect instance.

  5. Click the ⋯ icon to open a list of options for the policy that you want to disable.

  6. From the options menu, click Disable policy and confirm the policy was disabled in the updated Policies table.

What's next

These are API references to set and list instance policies.