Configuring a trusted profile for cluster components
You can use trusted profiles to control access to your resources, including components such as Block Storage, File Storage, or Cloud Object Storage.
About trusted profiles
By using trusted profiles, you can establish a flexible, secure way for federated users to access the IBM Cloud resources in your account. All federated users that share certain attributes defined in your corporate user directory are mapped to a common profile and can share access to IBM Cloud resources. This common identity lets you grant members of your organization who share access requirements access to resources once, automatically, rather than adding each user to the account and then granting access directly or through access groups.
Benefits of trusted profiles include:
- Eliminating the need for long-lived API keys: access to your resources is granted through the trust relationship that you establish when you create the trusted profile rather than through embedded API keys, which reduces the risk of compromised or leaked credentials.
- Centralized access control: permissions are managed through a single trusted profile, which simplifies granting, revoking, and auditing access.
- Scoped permissions: profiles are created with exactly the minimum permissions required to complete a specific task, following the principle of least privilege.
Minimum access requirements
A minimum set of access policies is required for a trusted profile to be used for your storage components.
Minimum requirements for all storage components
Create a trust relationship with the following configuration. These permissions are required for VPC clusters.
- Compute service type (found under the Compute resource tab in the UI): Kubernetes or Red Hat OpenShift
- Trusted namespace: kube-system
Create access policies with the permissions in the following table.
Service name | Required permission | Description |
---|---|---|
Billing | Editor | Allows viewing and managing billing data such as usage, cost, and reports. Useful for automated cost tracking or budget-aware operations. |
Kubernetes service | Administrator | Enables Kubernetes clusters to interact with storage resources. |
VPC Infrastructure service | Writer, Editor, Snapshot Remote Account Restorer | Enables provisioning and management of storage resources. |
Resource group | Viewer | Specify the resource group where the trusted profile is applied. For operations across multiple resource groups, you must specify all relevant resource groups. Note that if you are creating a custom storage class with the resource group, you must also assign Viewer access to the trusted profile for the resource group. |
Additionally, if you plan to use Classic infrastructure, you must enable the Add/Upgrade Storage (Storage Layer) and Storage Manage permissions. To enable these permissions, navigate to the Trusted profile dashboard in the UI and select the relevant trusted profile. Click Classic infrastructure, then expand the options under Sales and Devices to find the permissions.
Minimum requirements for individual storage components
VPC block storage
Create a trust relationship with the following configuration.
- Compute service type (found under the Compute resource tab in the UI): Kubernetes or Red Hat OpenShift
- Trusted namespace: kube-system
Create access policies with the permissions in the following table.
Service name | Required permission | Description |
---|---|---|
Kubernetes service | Operator | Enables Kubernetes clusters to interact with block storage resources. |
VPC Infrastructure service | Writer, Editor, Snapshot Remote Account Restorer | Enables provisioning, management, and cross snapshot operations for block storage resources. |
Resource group | Viewer | Specify the resource group where the trusted profile is applied. For operations across multiple resource groups, you must specify all relevant resource groups. Note that if you are creating a custom storage class with the resource group, you must also assign Viewer access to the trusted profile for the resource group. |
Classic block storage
Create a trust relationship with the following configuration.
- Compute service type (found under the Compute resource tab in the UI): Kubernetes or Red Hat OpenShift
- Trusted namespace: kube-system
Add the permissions in the following table. To enable these permissions, you must use the UI. Navigate to the Trusted profile dashboard in the UI and select the relevant trusted profile. Click Classic infrastructure, then expand the options to find the permissions.
Service name | Required permission | Description |
---|---|---|
Devices | Storage Manage | Enables attachment, detachment, and configuration of Classic block storage on devices. |
Sales | Add/Upgrade Storage (Storage Layer) | Grants permission to order, upgrade, or modify Classic storage offerings via the Sales APIs. |
VPC file storage
Create a trust relationship with the following configuration.
- Compute service type (found under the Compute resource tab in the UI): Kubernetes or Red Hat OpenShift
- Trusted namespace: kube-system
Create access policies with the permissions in the following table.
Service name | Required permission | Description |
---|---|---|
Kubernetes service | Operator | Enables Kubernetes clusters to interact with file storage resources. |
VPC Infrastructure service | Writer, Editor | Enables provisioning and management of file storage resources. |
Resource group | Viewer | Specify the resource group where the trusted profile is applied. For operations across multiple resource groups, you must specify all relevant resource groups. Note that if you are creating a custom storage class with the resource group, you must also assign Viewer access to the trusted profile for the resource group. |
Classic file storage
Create a trust relationship with the following configuration.
- Compute service type (found under the Compute resource tab in the UI): Kubernetes or Red Hat OpenShift
- Trusted namespace: kube-system
Add the permissions in the following table. To enable these permissions, you must use the UI. Navigate to the Trusted profile dashboard in the UI and select the relevant trusted profile. Click Classic infrastructure, then expand the options to find the permissions.
Service name | Required permission | Description |
---|---|---|
Devices | Storage Manage | Enables attachment, detachment, and configuration of Classic block storage on devices. |
Sales | Add/Upgrade Storage (Storage Layer) | Grants permission to order, upgrade, or modify Classic storage offerings via the Sales APIs. |
Cluster autoscaler
Create a trust relationship with the following configuration.
- Compute service type (found under the Compute resource tab in the UI): Kubernetes or Red Hat OpenShift
- Trusted namespace: kube-system
Create access policies with the permissions in the following table.
Service name | Required permission | Description |
---|---|---|
Kubernetes service | Administrator | Enables Kubernetes clusters to interact with auto-scaler components. |
Object Storage
Create a trust relationship with the following configuration.
- Compute service type (found under the Compute resource tab in the UI): Kubernetes or Red Hat OpenShift
- Trusted namespace: kube-system
Create access policies with the permissions in the following table.
Service name | Required permission | Description |
---|---|---|
Kubernetes service | Reader, Viewer | Enables Kubernetes clusters to interact with the COS plug-in. |
VPC Infrastructure service | Reader, Viewer | Enables the COS plug-in to make read-only API calls to VPC. |
Resource group | Viewer | Specify the resource group where the trusted profile is applied. For operations across multiple resource groups, you must specify all relevant resource groups. |
ODF billing agent
Create a trust relationship with the following configuration.
- Compute service type (found under the Compute resource tab in the UI): Kubernetes or Red Hat OpenShift
- Trusted namespace: kube-system
Create access policies with the permissions in the following table.
Service name | Required permission | Description |
---|---|---|
Billing | Editor | Billing service. Allows viewing and managing billing data such as usage, cost, and reports. Useful for automated cost tracking or budget-aware operations. |
Kubernetes service | Editor | Enables Kubernetes clusters to interact with block storage. |
VPC Infrastructure service | Editor, Writer | Allows provisioning and management of storage resources. |
Resource group | Viewer | Specify the resource group where the trusted profile is applied. For operations across multiple resource groups, you must specify all relevant resource groups. |
Set up a trusted profile in the CLI
Follow the steps to create and set up a trusted profile in the CLI.
Once you add a trusted profile to a cluster, it cannot be removed and you cannot resume using an API key for your resources. Make sure you follow these steps carefully to ensure that your trusted profile is set up correctly.
- Log in to the IBM Cloud CLI.
  ibmcloud login --apikey <API_KEY> -g <RESOURCE_GROUP>
- Run the command to create a trusted profile. For a complete list of command options, see the IAM CLI docs.
  ibmcloud iam trusted-profile-create NAME --description "Identity for storage"
- Attach a rule to scope usage to the kube-system namespace. For a complete list of command options, see the IAM CLI docs.
  ibmcloud iam trusted-profile-rule-create --name NAME --type Profile-CR --cr-type ROKS_SA --conditions claim:namespace,operator:EQUALS,value:kube-system
- For VPC clusters: Create and assign access policies to the trusted profile. This example assigns the minimum permissions required for all storage components. For the permissions required for individual components only, see Minimum requirements for individual storage components. Specify the name or ID of the trusted profile that you want to assign the policy to. For a complete list of command options, see the IAM CLI docs. This step does not apply to classic clusters.
  - Add policies for the VPC Infrastructure service.
    ibmcloud iam trusted-profile-policy-create NAME|ID --roles Editor,Writer --service-name is
  - Add policies for the billing service.
    ibmcloud iam trusted-profile-policy-create NAME|ID --roles Editor --service-name billing
  - Add policies for the Kubernetes service.
    ibmcloud iam trusted-profile-policy-create NAME|ID --roles Administrator --service-name "containers-kubernetes"
  - Add a policy for the resource group that the trusted profile is applied to, specifying that resource group.
    ibmcloud iam trusted-profile-policy-create NAME|ID --roles Operator --resource-type "resource-group" --resource "my-resource-group"
- For classic clusters: Run the command to add the minimum required permissions to the trusted profile. Specify the user ID that is created for the trusted profile.
  ibmcloud oc sl user permission-edit TRUSTED_PROFILE_ID --permission NAS_MANAGE,ADD_SERVICE_STORAGE
- After you have created the trusted profile and assigned the required access policies, set the trusted profile for either the cluster or the resource group that your clusters are in. Setting the trusted profile applies it to your storage components.
Set up a trusted profile with the UI
Follow the steps to create and set up a trusted profile with the UI.
Once you add a trusted profile to a cluster, it cannot be removed and you cannot resume using an API key for your resources. Make sure you follow these steps carefully to ensure that your trusted profile is set up correctly.
- Log in to your IBM Cloud account and navigate to the Trusted Profiles page.
- Create a trusted profile.
- Create a trust relationship with the Red Hat OpenShift on IBM Cloud service.
  - In the Select trusted entity type section, click Compute resources.
  - Under Create trust relationship, choose Red Hat OpenShift.
  - Select All service resources. Then add a condition to allow access when Namespace is Equal to kube-system. Note: You can instead choose specific resources that exist in your account.
- Click Create.
- VPC only. Add access policies to the trusted profile.
  - From the Trusted profiles page, click the trusted profile you just created.
  - From the Access tab, click Assign access.
  - In the How do you want to assign access? section, click Access policy.
  - Add the services and roles to meet the minimum requirements for the relevant components. Apply the policy to all resources.
- Classic only. Add permissions to the trusted profile.
  - From the Trusted profiles page, click the trusted profile you just created.
  - Navigate to the Classic Infrastructure tab.
  - In the permissions drop-down, select the required permissions to meet the minimum requirements for the relevant components.
Set up a trusted profile with the API
- Create a trusted profile.
  curl --request POST \
    --url https://iam.test.cloud.ibm.com/v1/profiles \
    --header 'Authorization: Bearer <IAM_TOKEN>' \
    --header 'Content-Type: application/json' \
    --data '{ "name": "<PROFILE_NAME>", "account_id": "<ACCOUNT_ID>" }'
- Attach a rule to scope usage to the kube-system namespace. Note that the namespace value is itself JSON-quoted inside the string.
  curl --request POST \
    --url https://iam.test.cloud.ibm.com/v1/profiles/<PROFILE_NAME>/rules \
    --header 'Authorization: Bearer <IAM_TOKEN>' \
    --header 'Content-Type: application/json' \
    --data '{
      "type": "Profile-CR",
      "cr_type": "ROKS_SA",
      "conditions": [
        { "claim": "namespace", "operator": "EQUALS", "value": "\"kube-system\"" }
      ]
    }'
- For VPC clusters: Attach access policies to VPC components. These examples assign the minimum permissions required for all storage components.
  curl --request POST \
    --url https://iam.test.cloud.ibm.com/v1/policies \
    --header 'Authorization: Bearer <IAM_TOKEN>' \
    --header 'Content-Type: application/json' \
    --data '{
      "type": "access",
      "description": "Writer, Editor role for VPC infrastructure services",
      "subjects": [ { "attributes": [ { "name": "iam_id", "value": "<IAM_PROFILE>" } ] } ],
      "roles": [
        { "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Writer" },
        { "role_id": "crn:v1:bluemix:public:iam::::role:Editor" }
      ],
      "resources": [ { "attributes": [
        { "name": "accountId", "value": "<ACCOUNT_ID>" },
        { "name": "serviceName", "value": "is" }
      ] } ]
    }'
  curl --request POST \
    --url https://iam.test.cloud.ibm.com/v1/policies \
    --header 'Authorization: Bearer <IAM_TOKEN>' \
    --header 'Content-Type: application/json' \
    --data '{
      "type": "access",
      "description": "Editor role for billing services",
      "subjects": [ { "attributes": [ { "name": "iam_id", "value": "<IAM_PROFILE>" } ] } ],
      "roles": [ { "role_id": "crn:v1:bluemix:public:iam::::role:Editor" } ],
      "resources": [ { "attributes": [
        { "name": "accountId", "value": "<ACCOUNT_ID>" },
        { "name": "serviceName", "value": "billing" }
      ] } ]
    }'
  curl --request POST \
    --url https://iam.test.cloud.ibm.com/v1/policies \
    --header 'Authorization: Bearer <IAM_TOKEN>' \
    --header 'Content-Type: application/json' \
    --data '{
      "type": "access",
      "description": "Administrator role for containers-kubernetes services",
      "subjects": [ { "attributes": [ { "name": "iam_id", "value": "<IAM_PROFILE>" } ] } ],
      "roles": [ { "role_id": "crn:v1:bluemix:public:iam::::role:Administrator" } ],
      "resources": [ { "attributes": [
        { "name": "accountId", "value": "<ACCOUNT_ID>" },
        { "name": "serviceName", "value": "containers-kubernetes" }
      ] } ]
    }'
  curl --request POST \
    --url https://iam.test.cloud.ibm.com/v1/policies \
    --header 'Authorization: Bearer <IAM_TOKEN>' \
    --header 'Content-Type: application/json' \
    --data '{
      "type": "access",
      "subjects": [ { "attributes": [ { "name": "iam_id", "value": "<IAM_PROFILE>" } ] } ],
      "roles": [ { "role_id": "crn:v1:bluemix:public:iam::::role:Operator" } ],
      "resources": [ { "attributes": [
        { "name": "accountId", "value": "<ACCOUNT_ID>" },
        { "name": "resource", "value": "<RESOURCE_GROUP_ID>" },
        { "name": "resourceType", "value": "resource-group" }
      ] } ]
    }'
- For classic clusters: Add permissions to the trusted profile by using the UI.
  - Log in to your IBM Cloud account and navigate to the Trusted Profiles page.
  - Click the trusted profile you just created.
  - Navigate to the Classic Infrastructure tab.
  - In the permissions drop-down, select the required permissions to meet the minimum requirements for the relevant components.
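Before setting the profile on a cluster (which cannot be undone), the policy and rule payloads from the API steps above can be audited offline against the minimum-permission tables. The following Python is an added example, not IBM's code or tooling: MINIMUM_ROLES is transcribed from the tables for two components, the sample policies, rule and the helper names (audit, granted_roles, rule_scopes_to_kube_system, _policy) are constructed here, and the page does not confirm how multi-word role names such as Snapshot Remote Account Restorer appear in role CRNs, so that spelling is an assumption.

```python
# Minimum roles per IAM service name, transcribed from the tables above for two
# components; "resource-group" is the Viewer policy scoped to a resource group.
MINIMUM_ROLES = {
    "all-storage": {"billing": {"Editor"}, "containers-kubernetes": {"Administrator"},
                    "is": {"Writer", "Editor", "Snapshot Remote Account Restorer"},
                    "resource-group": {"Viewer"}},
    "object-storage": {"containers-kubernetes": {"Reader", "Viewer"},
                       "is": {"Reader", "Viewer"}, "resource-group": {"Viewer"}},
}

def _norm(role):
    # Case-insensitive, space-free comparison so the CRN segment "role:Editor" matches
    # the table's "Editor". Assumption: multi-word roles appear in CRNs without spaces.
    return role.replace(" ", "").lower()

def granted_roles(policies):
    """Map service name -> normalised roles granted, read from policy objects shaped
    like the POST /v1/policies bodies above (roles[].role_id, resources[].attributes)."""
    granted = {}
    for policy in policies:
        attrs = {a["name"]: a["value"] for r in policy["resources"] for a in r["attributes"]}
        rg = attrs.get("resourceType") == "resource-group"
        service = "resource-group" if rg else attrs.get("serviceName", "*")
        roles = {_norm(r["role_id"].rsplit(":", 1)[1]) for r in policy["roles"]}
        granted.setdefault(service, set()).update(roles)
    return granted

def audit(policies, component):
    """Return (missing, excess): roles the table requires but the profile lacks, and roles
    granted beyond the minimum. Administrator where the table asks for Writer/Editor is excess."""
    required = {s: {_norm(r) for r in rs} for s, rs in MINIMUM_ROLES[component].items()}
    granted = granted_roles(policies)
    missing = {s: req - granted.get(s, set()) for s, req in required.items()}
    excess = {s: got - required.get(s, set()) for s, got in granted.items()}
    return {s: r for s, r in missing.items() if r}, {s: r for s, r in excess.items() if r}

def rule_scopes_to_kube_system(rule):
    """True if a Profile-CR/ROKS_SA rule (shape as in POST .../rules above) pins the
    'namespace' claim to kube-system. The API body carries the value JSON-quoted inside
    the string ("\"kube-system\""); strip() accepts that and the bare CLI form alike."""
    if rule.get("type") != "Profile-CR" or rule.get("cr_type") != "ROKS_SA":
        return False
    return any(c["claim"] == "namespace" and c["operator"] == "EQUALS"
               and c["value"].strip('"') == "kube-system" for c in rule.get("conditions", []))

# Constructed sample: Administrator granted on "is" and no billing policy at all.
CRN = "crn:v1:bluemix:public:iam::::"
def _policy(role, *attrs):
    return {"type": "access", "subjects": [{"attributes": [{"name": "iam_id", "value": "<IAM_PROFILE>"}]}],
            "roles": [{"role_id": CRN + role}],
            "resources": [{"attributes": [{"name": n, "value": v} for n, v in attrs]}]}
SAMPLE_POLICIES = [
    _policy("role:Administrator", ("accountId", "<ACCOUNT_ID>"), ("serviceName", "is")),
    _policy("role:Administrator", ("accountId", "<ACCOUNT_ID>"), ("serviceName", "containers-kubernetes")),
    _policy("role:Viewer", ("accountId", "<ACCOUNT_ID>"), ("resource", "<RG_ID>"), ("resourceType", "resource-group")),
]
SAMPLE_RULE = {"type": "Profile-CR", "cr_type": "ROKS_SA",
               "conditions": [{"claim": "namespace", "operator": "EQUALS", "value": "\"kube-system\""}]}
```

For the constructed sample, audit(SAMPLE_POLICIES, "all-storage") reports the missing billing Editor and VPC Writer/Editor roles and flags Administrator on the VPC service as excess, and rule_scopes_to_kube_system(SAMPLE_RULE) returns True.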
Setting the trusted profile for a cluster or resource group
When you set a trusted profile for your cluster, it applies to your storage components. You can set a trusted profile for an individual cluster, or to a resource group.
Once you add a trusted profile to a cluster, it cannot be removed and you cannot resume using an API key for your resources. Make sure you follow these steps carefully to ensure that your trusted profile is set up correctly.
- Make sure you have created a trusted profile that meets the minimum requirements for storage components.
- Assign the trusted profile to your cluster, or to the resource group that your cluster is in. If you assign a trusted profile to a resource group, it applies to all clusters in the resource group.
  To assign a trusted profile to a cluster:
  ibmcloud oc experimental trusted-profile set --trusted-profile PROFILE --cluster CLUSTER [--output OUTPUT] [-q]
  - --cluster CLUSTER: The cluster ID to set the trusted profile on. To get the cluster ID, run ibmcloud oc cluster get.
  - --trusted-profile PROFILE: The trusted profile ID. To get the trusted profile ID, run ibmcloud iam trusted-profiles.
  - --output OUTPUT: Prints the command output in the provided format. Accepted values: json.
  - -q: Do not show the message of the day or update reminders.
  To assign a trusted profile to a resource group:
  ibmcloud oc experimental trusted-profile default set --region REGION --resource-group GROUP --trusted-profile PROFILE [--output OUTPUT] [-q]
  - --region REGION: The region where the resource group is located. To get the details of a resource group, run ibmcloud resource group.
  - --resource-group GROUP: The resource group ID to set the trusted profile on. To list your resource groups, run ibmcloud resource groups.
  - --trusted-profile PROFILE: The trusted profile ID. To get the trusted profile ID, run ibmcloud iam trusted-profiles.
  - --output OUTPUT: Prints the command output in the provided format. Accepted values: json.
  - -q: Do not show the message of the day or update reminders.
- Verify that the trusted profile has been added to the cluster.
  ibmcloud oc experimental trusted-profile get --cluster CLUSTER
  Example output:
  Fetching trusted-profile for the cluster...
  OK
  Cluster a1bc2de45fgh6ijklmn7op is configured with trusted-profile Profile-a12bc34-1111-1111-1234-a123bc456
Limitations and considerations
Review the following limitations and considerations before you use trusted profiles.
- Irreversible transition to trusted profile: Once a trusted profile is configured at the cluster or resource group level, reverting to using an API key is not supported. Follow the steps carefully to ensure that the trusted profile is configured correctly.
- Verification scope is limited to the kube-system namespace: Trusted profile trust validation is currently limited to the kube-system namespace for Kubernetes and Red Hat OpenShift clusters. Users experimenting with other trusted profile features or configurations outside this scope may encounter issues.
- User tags for VPC Block Storage volumes: Due to a known issue, updates to user tags on VPC Block Storage volumes might not be displayed when a trusted profile is implemented.