What permissions do I need to manage storage and create PVCs?
Virtual Private Cloud Classic infrastructure
When you create a PVC, the PVC remains pending. When you run oc describe pvc <pvc_name>, you see an error message similar to the following:
User doesn't have permissions to create or manage Storage
The IAM API key or the IBM Cloud infrastructure API key that is stored in the storage-secret-store Kubernetes secret of your cluster does not have all the required permissions to provision persistent storage.
- Retrieve the IAM key or IBM Cloud infrastructure API key that is stored in the storage-secret-store Kubernetes secret of your cluster and verify that the correct API key is used.
  oc get secret storage-secret-store -n kube-system -o yaml | grep slclient.toml: | awk '{print $2}' | base64 --decode
  Example output
  [Bluemix]
  iam_url = "https://iam.cloud.ibm.com"
  iam_client_id = "bx"
  iam_client_secret = "bx"
  iam_api_key = "IAM-API-KEY"
  refresh_token = ""
  pay_tier = "paid"
  containers_api_route = "https://us-south.containers.cloud.ibm.com"
  encryption = true
  containers_api_route_private = "https://private.us-south.containers.cloud.ibm.com"
  [Softlayer]
  encryption = true
  softlayer_username = ""
  softlayer_api_key = ""
  softlayer_endpoint_url = "https://api.service.softlayer.com/rest/v3"
  softlayer_iam_endpoint_url = "https://api.service.softlayer.com/mobile/v3"
  softlayer_datacenter = "dal10"
  softlayer_token_exchange_endpoint_url = "https://iam.cloud.ibm.com"
  The IAM API key is listed in the Bluemix.iam_api_key section of your CLI output. If Softlayer.softlayer_api_key is empty at the same time, then the IAM API key is used to determine your infrastructure permissions. The IAM API key is automatically set by the user who runs the first action that requires the IAM Administrator platform access role in a resource group and region. If a different API key is set in Softlayer.softlayer_api_key, then this key takes precedence over the IAM API key. Softlayer.softlayer_api_key is set when a cluster admin runs the ibmcloud oc credentials-set command.
- If you want to change the credentials, update the API key that is used.
  - Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.
  - To update the IAM API key, use the ibmcloud oc api-key reset command. To update the IBM Cloud infrastructure key, use the ibmcloud oc credential set command.
  - Wait about 10 - 15 minutes for the storage-secret-store Kubernetes secret to update, then verify that the key is updated.
    oc get secret storage-secret-store -n kube-system -o yaml | grep slclient.toml: | awk '{print $2}' | base64 --decode
- If the API key is correct, verify that the key has the correct permission to provision persistent storage.
  - Contact the account owner to verify the permission of the API key.
  - As the account owner, select Manage > Access (IAM) from the navigation in the IBM Cloud console.
  - Select Users and find the user whose API key you want to use.
  - From the actions menu, select Manage user details.
  - Go to the Classic infrastructure tab.
  - Expand the Account category and verify that the Add/Upgrade Storage (Storage Layer) permission is assigned.
  - Expand the Services category and verify that the Storage Manage permission is assigned.
- Remove the PVC that failed.
  oc delete pvc <pvc_name>
- Re-create the PVC.
  oc apply -f pvc.yaml
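
The precedence rule from the first step, as an added example rather than IBM's own tooling: the shell helpers below read the decoded slclient.toml on stdin, report which key is in effect, and mask secret values so the output can be shared with the account owner without exposing the key. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code. Helper names and sample values are constructed.

# Reads a decoded slclient.toml on stdin and prints which key decides the
# infrastructure permissions: "classic" when Softlayer.softlayer_api_key is
# set (it takes precedence), "iam" when only Bluemix.iam_api_key is set,
# "none" when both are empty. The key values themselves are never printed.
effective_storage_key() {
  awk '
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    index($0, "=") > 0 {
      key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val); sub(/[ \t]+$/, "", val)
      if (sec == "Bluemix" && key == "iam_api_key") iam = val
      if (sec == "Softlayer" && key == "softlayer_api_key") classic = val
    }
    END {
      if (classic != "") print "classic"
      else if (iam != "") print "iam"
      else print "none"
    }'
}

# Masks non-empty secret values; empty values stay "" so it is still visible
# which fields are unset.
redact_slclient() {
  sed -E 's/^([[:space:]]*(iam_api_key|iam_client_secret|refresh_token|softlayer_api_key)[[:space:]]*=[[:space:]]*)"[^"]+"/\1"<redacted>"/'
}

# Constructed sample in the layout of the example output above.
sample_slclient() {
  cat <<'EOF'
[Bluemix]
iam_url = "https://iam.cloud.ibm.com"
iam_api_key = "CONSTRUCTED-IAM-KEY"
refresh_token = ""
[Softlayer]
softlayer_username = ""
softlayer_api_key = ""
softlayer_datacenter = "dal10"
EOF
}

# Against a live cluster, feed the page's pipeline into the helpers instead:
#   oc get secret storage-secret-store -n kube-system -o yaml \
#     | grep slclient.toml: | awk '{print $2}' | base64 --decode | redact_slclient
sample_slclient | redact_slclient
sample_slclient | effective_storage_key
```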