Setting access policies

IBM Cloud® Functions is deprecated. Existing Functions entities such as actions, triggers, or sequences will continue to run, but as of 28 December 2023, you can’t create new Functions entities. Existing Functions entities are supported until October 2024. Any Functions entities that still exist on that date will be deleted. For more information, see Deprecation overview.

Access to IBM Cloud® Functions service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). For Cloud Functions, your Cloud Functions namespace is considered to be your service instance. Every user that accesses Cloud Functions entities in your namespace must be assigned an access policy with an IAM role defined. The policy determines what actions a user can perform within the context of the namespace that you select. The actions are then mapped to IAM user roles. If you created the namespace, then you do not need to set any IAM policies to view or work with your Cloud Functions entities.

Cloud Functions uses both the Platform and Service management roles. You can set policies about who can create namespaces at the platform level, and use the service roles to manage interaction with the namespaces themselves.

How do I set IAM policies so that others can work with my namespace?

In order for others to work with entities in your namespace, you must set the appropriate IAM policies in the console or with the CLI.

The minimum Platform level access is Viewer. The minimum Service level access is Reader. For more information about Platform and Service level access roles, see Platform management roles and Service-specific roles.

Want to learn more about IAM key concepts? Check out the IAM overview or the Best practices for assigning access.

How do I set IAM policies so that others can create namespaces in my account?

To allow other users to manage Cloud Functions namespaces, including creating new namespaces, you must set the following access policies for those users.

  • The user's Platform role must be set to Administrator. This policy applies to all resources of Cloud Functions.
  • The user's Service role must be set to Manager. This policy applies to all resources of Cloud Functions.

How do I know which access policies have been set for me?

You can see which access policies have been set for you in the IBM Cloud console.

  1. From the console, click Manage > Access (IAM) > Users. Or, navigate to https://cloud.ibm.com/iam/users.
  2. Click your name in the user table.
  3. Click the Access policies tab to see your access policies.
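The console steps above show you the raw policy list; the following is an added example (not IBM's code) that turns such a list into the answer the two preceding questions ask for: which platform and service roles actually reach a given namespace, whether the Viewer + Reader minimum is met, and whether a user carries the account-wide Administrator + Manager grant that is meant for namespace creation rather than for using one namespace. The policy JSON shape is assumed to match what `ibmcloud iam user-policies USER --output json` prints (IAM Policy Management API v1, written from memory, so check it against your own output); the sample policies, IDs and GUIDs are constructed.

```python
"""Audit a user's IAM policies against the minimums this page gives for a
Cloud Functions namespace. Added example, not IBM's code.

Input is a list of policies in the shape of the IAM Policy Management API
v1 (assumed; compare with `ibmcloud iam user-policies USER --output json`).
SAMPLE_POLICIES are constructed, not real account data.
"""
import json

SERVICE_NAME = "functions"
# Ordered low to high, so the last entry a user holds is the strongest grant.
PLATFORM_LADDER = ["Viewer", "Operator", "Editor", "Administrator"]
SERVICE_LADDER = ["Reader", "Writer", "Manager"]


def _attrs(resource):
    """Flatten a policy resource block's attribute list into a dict."""
    return {a["name"]: a["value"] for a in resource.get("attributes", [])}


def _role_name(role):
    """Prefer display_name; fall back to the last CRN segment (...role:Viewer)."""
    return role.get("display_name") or role.get("role_id", "").rsplit(":", 1)[-1]


def policy_covers_namespace(policy, namespace_guid, resource_group_id=None):
    """True if any resource block reaches this namespace: the specific service
    instance, all functions resources, or the namespace's whole resource group
    (a block with resourceGroupId and no serviceName)."""
    for res in policy.get("resources", []):
        a = _attrs(res)
        svc, inst, rg = a.get("serviceName"), a.get("serviceInstance"), a.get("resourceGroupId")
        if svc == SERVICE_NAME and inst in (None, namespace_guid) and rg in (None, resource_group_id):
            return True
        if svc is None and inst is None and rg is not None and rg == resource_group_id:
            return True
    return False


def effective_roles(policies, namespace_guid, resource_group_id=None):
    """Collect every platform and service role granted on the namespace."""
    platform, service = set(), set()
    for p in policies:
        if not policy_covers_namespace(p, namespace_guid, resource_group_id):
            continue
        for name in map(_role_name, p.get("roles", [])):
            if name in PLATFORM_LADDER:
                platform.add(name)
            elif name in SERVICE_LADDER:
                service.add(name)
    return platform, service


def highest(granted, ladder):
    held = [r for r in ladder if r in granted]
    return held[-1] if held else None


def audit(policies, namespace_guid, resource_group_id=None):
    """Strongest roles that reach the namespace, whether Viewer + Reader is
    met, and any Administrator/Manager grant on all functions resources (the
    namespace-creation scope, over-broad for someone who needs one namespace)."""
    platform, service = effective_roles(policies, namespace_guid, resource_group_id)
    top_platform = highest(platform, PLATFORM_LADDER)
    top_service = highest(service, SERVICE_LADDER)
    findings = []
    if top_platform is None:
        findings.append("no platform role reaches the namespace; minimum is Viewer")
    if top_service is None:
        findings.append("no service role reaches the namespace; minimum is Reader")
    for p in policies:
        for res in p.get("resources", []):
            a = _attrs(res)
            if a.get("serviceName") == SERVICE_NAME and "serviceInstance" not in a and "resourceGroupId" not in a:
                broad = {_role_name(r) for r in p.get("roles", [])} & {"Administrator", "Manager"}
                if broad:
                    findings.append("policy %s grants %s on all functions resources (namespace-creation scope)"
                                    % (p.get("id", "?"), "+".join(sorted(broad))))
    return {"platform": top_platform, "service": top_service,
            "meets_minimum": top_platform is not None and top_service is not None,
            "findings": findings}


# Constructed sample: one namespace-scoped Viewer+Reader policy and one
# account-wide Administrator+Manager policy on the functions service.
SAMPLE_POLICIES = json.loads("""[
  {"id": "p1", "type": "access",
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer", "display_name": "Viewer"},
             {"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader", "display_name": "Reader"}],
   "resources": [{"attributes": [{"name": "accountId", "value": "acct-1"},
                                 {"name": "serviceName", "value": "functions"},
                                 {"name": "serviceInstance", "value": "ns-guid-1"}]}]},
  {"id": "p2", "type": "access",
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator", "display_name": "Administrator"},
             {"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager", "display_name": "Manager"}],
   "resources": [{"attributes": [{"name": "accountId", "value": "acct-1"},
                                 {"name": "serviceName", "value": "functions"}]}]}
]""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICIES, "ns-guid-1"), indent=2))
```

Run it against the output of `ibmcloud iam user-policies USER --output json` for each user who should only work with a namespace; the "namespace-creation scope" finding is the one to chase down, since that grant lets the user update and delete every namespace in the account, not just use the one they were given.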

Platform management roles

The following table details the actions that are mapped to platform management roles. Platform management roles enable users to perform tasks on service resources at the platform level. For example, assign user access for the service, create or delete service IDs, create instances, and bind instances to applications.

For more information about how to assign, edit, review, or delete resource access policies, see IAM access.

Table 1. Platform roles
Platform role   Description
Viewer          The Viewer role is required for users to work with namespaces of other accounts. Add the appropriate service-specific role for the namespace, as described below.
Administrator   Administrators can create namespaces. The Administrator role is required to perform the service ID and API key lock operations during creation of the service.

Service-specific roles

Service-specific roles determine the scope of an access policy within a specific service. For Cloud Functions, the roles govern a user's ability to use the service, such as accessing the console or performing API calls.

Permissions build on each other. For example, any operation that the Writer role is able to perform, the Manager role also can. However, the Manager role has additional permissions. To see the general permissions for each role, check out Service access roles.

To see which roles are required to perform each operation, check out the following table.

Table 2. Which roles can perform which operations?
Action                       Reader  Writer  Manager  Description
functions.namespaces.update  No      No      Yes      Update a namespace.
functions.namespaces.delete  No      No      Yes      Delete a namespace.
functions.namespaces.read    Yes     Yes     Yes      View the available namespaces.
functions.entities.create    No      Yes     Yes      Create an entity within a Functions namespace, such as a package, action, trigger, or rule.
functions.entities.update    No      Yes     Yes      Update an entity within a Functions namespace, such as a package, action, trigger, or rule.
functions.entities.delete    No      Yes     Yes      Delete an entity from a Functions namespace, such as a package, action, trigger, or rule.
functions.entities.read      Yes     Yes     Yes      View the available entities within a namespace, such as a package, action, trigger, or rule.
functions.entities.activate  Yes     Yes     Yes      Activate an entity within a namespace, for example by invoking an action, firing a trigger, or enabling or disabling a rule.

Note that Reader includes functions.entities.activate: a user with only the Reader role can still invoke actions and fire triggers, so Reader is not a side-effect-free role. Grant it only to users who are meant to run the entities in the namespace.

Setting access policies for a service ID

When you create an IAM-based namespace, it is assigned a service ID. You can set an access policy for this service ID so that its API key can be used to generate an IAM token, which action code then uses to call other services, such as IBM Cloud Object Storage. Because the key belongs to the namespace rather than to a single action, scope the policy to the specific service instance and the lowest role the actions need.
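What the policy enables is the token exchange below. This is an added example, not IBM's code: it exchanges the namespace service ID's API key for an IAM bearer token inside an action and caches the token across warm invocations so a long-running container does not hit the token endpoint on every call. The IAM token endpoint and grant type are IBM's public ones; the environment variable `__OW_IAM_NAMESPACE_API_KEY` is assumed to be how IAM-based namespaces expose the key to the action runtime (verify for your runtime, or pass the key as a parameter as the fallback does). The HTTP transport and clock are injectable so the flow can be exercised offline with a constructed response.

```python
"""Exchange the namespace service ID's API key for an IAM token inside an
action, with caching across warm invocations. Added example, not IBM's code.

Assumed: __OW_IAM_NAMESPACE_API_KEY carries the namespace API key at runtime.
The token endpoint and grant type are IBM's documented ones.
"""
import json
import os
import time
import urllib.parse
import urllib.request

IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
GRANT_TYPE = "urn:ibm:params:oauth:grant-type:apikey"
REFRESH_MARGIN = 60  # seconds before expiry at which a fresh token is fetched

_cache = {}  # module state survives between invocations of a warm container


def build_token_request(api_key):
    """Form-encoded POST. The key travels in the body, never in the URL,
    so it does not end up in proxy or access logs."""
    body = urllib.parse.urlencode({"grant_type": GRANT_TYPE, "apikey": api_key}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return IAM_TOKEN_URL, headers, body


def _http_post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def parse_token_response(status, raw):
    """Fail closed on anything but a 200 carrying a Bearer access_token."""
    if status != 200:
        raise RuntimeError("IAM token request failed with HTTP %d" % status)
    data = json.loads(raw)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise RuntimeError("unexpected IAM token response")
    return {"access_token": data["access_token"], "expiration": int(data["expiration"])}


def get_iam_token(api_key, post=_http_post, now=time.time):
    """Return (token, served_from_cache). A cached token is reused only while
    it is still valid with REFRESH_MARGIN seconds to spare."""
    tok = _cache.get("token")
    if tok and tok["expiration"] - REFRESH_MARGIN > now():
        return tok["access_token"], True
    status, raw = post(*build_token_request(api_key))
    tok = parse_token_response(status, raw)
    _cache["token"] = tok
    return tok["access_token"], False


def main(params):
    """Action entry point: obtain a token and return the Authorization header
    value to use against another IAM-protected service such as Object Storage."""
    api_key = os.environ.get("__OW_IAM_NAMESPACE_API_KEY") or params.get("apikey")
    if not api_key:
        return {"error": "no namespace API key available"}
    token, cached = get_iam_token(api_key)
    return {"authorization": "Bearer " + token, "cached": cached}
```

The token the service ID receives carries exactly the roles you assigned with service-policy-create and nothing more, so a policy scoped to one Object Storage instance with the Reader role yields a token that can read that instance and do nothing else; do not return the raw token to callers of the action, only use it server-side.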

Setting access policies for a service ID in the console

You can set an access policy for a service ID by using the IAM console.

  1. Open the IAM Service ID page.
  2. In the Service IDs list, select your Cloud Functions namespace.
  3. On the Manage page, click Access policies, then click Assign access.
  4. Next, select an Access Type. You can choose from the following options.
    • Assign access within a resource group: Use this option to grant your Cloud Functions service ID access to a resource group.
    • Assign access to resources: Use this option to grant your Cloud Functions service ID access to a specific resource, like an instance of IBM Cloud Object Storage.
    • Assign access to account management services: Use this option to grant your Cloud Functions service ID access to account management services such as billing, user management, and more.

Setting an access policy for your Cloud Functions service ID through the CLI

Set an access policy for a service ID by using the CLI.

Copy the following command. Replace <namespace_service_ID> with the name of your Cloud Functions namespace. Replace <IAM_role1,IAM_role2> with the IAM roles you want to assign to your namespace. Replace <other_service_name> with the name of the IBM service you want Cloud Functions to work with. Replace <other_service_GUID> with the GUID of the IBM service instance.

ibmcloud iam service-policy-create <namespace_service_ID> --roles <IAM_role1,IAM_role2> --service-name <other_service_name> --service-instance <other_service_GUID>
Table 3. Understanding the command components
Option                                    Description
<namespace_service_ID>                    The service ID for the namespace. To see all service IDs, run ibmcloud iam service-ids.
<IAM_role1,IAM_role2>                     The IAM service access roles that the action must have to use the target service. To see the roles that the other service supports, run ibmcloud iam roles --service SERVICE_NAME. For more information, see IAM access roles.
--service-name <other_service_name>       The name of the other IBM Cloud service.
--service-instance <other_service_GUID>   The GUID of the other service instance that you want the action to have access to. To get the service instance GUID, run ibmcloud resource service-instance <other_service_instance_name>.

For more information, see the service-policy-create command reference.

Next steps
For more information about managing service credentials, see the Manage service credentials for serverless applications blog.