IBM Cloud Docs
Setting up IBM Cloudability Enablement Deployable Architecture

Running the IBM Cloudability Enablement Deployable Architecture (DA) requires authorization inputs from the IBM Cloud account. An IBM Cloudability API key is also needed to add your IBM Cloud account to IBM Cloudability. Follow these instructions to create and manage your API keys (an API key is a unique code that authenticates and authorizes API requests; it is passed to an API to identify the calling application or user and to track and control how the API is used).

Authentication to IBM Cloudability is not required to run the deployable architecture. You can configure the DA to create the infrastructure only and then either add the IBM Cloud account to Cloudability manually through its UI, or re-configure the DA later to add the IBM Cloud account to Cloudability. See the Cloudability configuration reference for more details.

Cloudability authorization

The Cloudability Enablement DA supports two types of authentication to Cloudability:

  1. Cloudability API key (simpler)
  2. Access Administration API key (more secure)

You must use the Access Administration API key approach to authenticate with Cloudability if you are using a GovCloud Cloudability environment.

Before you begin

Ensure that your Cloudability user has an Administrator role so that it has sufficient permissions to add vendor accounts to Cloudability. If you don't have access to a Cloudability account, then visit the guide on accessing your Cloudability account.

Create your API Key as a functional user (for example: cloudability-integration) with access to add cloud vendors.

Securely store your API Key in IBM Cloud Secrets Manager as an arbitrary key. Secrets Manager makes it easier to rotate the API key and allows it to be referenced in IBM® Projects without exposing the key in your DA configurations.

Option 1: Acquiring a Cloudability API key

The Cloudability API key is the easiest way to authenticate with Cloudability. However, it is considered less secure than using the Frontdoor open token authentication. A logged-in user can retrieve a Cloudability API key from the Cloudability account preferences. Use the following steps to create your API key:

  1. Log in to your Cloudability account.
  2. Click the profile icon in the upper right corner to navigate to the Settings page.
  3. Select Manage Profile.
  4. Select the Preferences tab to reveal the Cloudability API section on the right.
  5. If an API Key is not viewable, click Enable Access to reveal the API Key displayed in the text box.
  6. Copy and securely store the API Key for the next step of configuring the DA.

See the Cloudability getting started API documentation for more details.

Option 2: Acquiring an Access Administration API key

The Access Administration API key is the more secure approach to authenticating with Cloudability. It also allows you to create multiple API keys, which can be used to rotate API keys. However, using Access Administration authentication requires additional inputs to configure the deployable architecture.

A logged-in user can create an Access Administration API key from the Frontdoor user profile. Use the following steps to create your API key:

  1. In the User Profile page, select the API Keys tab.
  2. Select Create API Key, which displays a dialog.
  3. Type a Key Name and Description.
  4. Select an expiration policy, and select Confirm.
  5. Note the public key. Select the copy icon to copy the secret key. You can only access the secret key while creating the API key. Store the public key and secret key as an arbitrary key in Secrets Manager to be accessed later.
  6. Click Grant Access on the newly created API key in the table of API keys.
  7. Select the desired environment from the list of environments, and then click Next.
  8. Select roles for the API key. Select Next, and then select Confirm.
  9. In the User Profile page, select the Environment Access tab.
  10. Note the Environment Id shown below the environment name in the table of environments and their corresponding API keys. Save the Environment Id for use when configuring the DA.

See the Cloudability access administration documentation for more details and FAQ on Access Administration API keys.

Configuring IBM Cloud IAM permissions

Authorization must be granted to a trusted profile, user, or service ID, which is referred to as the operator. This operator is associated with the Project so that it has the permissions to run the Cloudability deployable architecture.

For enterprise accounts, the IAM credentials only need to be configured in the primary enterprise account to allow IBM Cloudability to access billing reports for all current and future accounts within the IBM Cloud Enterprise. It is unnecessary to add each account within the enterprise independently.

Before you begin

If you have the following access, you can create access credentials to run the DA:

  • Account owner
  • Administrator role on all account management services
  • Administrator role on the IAM Identity Service. For more information, see IAM Identity service.

Required policies

Add the access policies to an access group rather than attaching them directly to your DA operator (trusted profile, user, or service ID).

The following access policies are necessary to run the DA.

Table 1. Access policies

IBM Cloud Object Storage
  Platform roles: Administrator
  Service roles: Writer, ObjectReader
  Reason: The Writer role is needed to create, delete, and configure a bucket in an Object Storage instance. The Administrator role is needed to create the IAM policy, which grants IBM Cloud access to read the billing reports in the bucket, and to create the service authorization between Billing and IBM Cloud Object Storage. ObjectReader is needed to read the list of objects in the bucket in order to validate that billing reports are added to the bucket.

Key Protect
  Platform roles: Editor
  Service roles: Manager
  Reason: Used to create a key and key ring in a Key Protect instance for bucket encryption.

Billing
  Platform roles: Administrator
  Service roles: N/A
  Reason: Used to configure account billing exports to the IBM Cloud Object Storage bucket.

IAM Access Management
  Platform roles: Administrator
  Service roles: N/A
  Reason:
    1. Create custom IAM roles for least-privileged access for IBM Cloudability.
    2. Create service authorizations between Object Storage and Key Protect and between Billing and IBM Cloud Object Storage.
    3. Grant policies to the Cloudability service ID to read the billing reports from the bucket.

Enterprise
  Platform roles: Administrator
  Service roles: N/A
  Reason: Only for enterprise accounts. Used to manage the IAM policy for IBM Cloudability to view the list of child accounts.

All Account Management
  Platform roles: Administrator
  Service roles: N/A
  Reason: Only if the DA is creating a new resource group to provision resources. Administrator is needed (as opposed to the Editor role) to delete the resource group in the event of deprovisioning. Alternatively, resources can be placed in an existing resource group, in which case access needs to be granted to that resource group. See giving access to resources in resource groups for more details.

Using an access group

  1. Create an access group.
  2. Assign the access policies from Table 1 to the access group.
  3. Add the operator (user, service ID, or trusted profile) as a member of the access group.
  4. Create an API key if the operator is a user or service ID. Alternatively, use IBM Cloud Secrets Manager to manage the IAM credentials of your service ID.

It is recommended to store any user or service ID API keys in Secrets Manager. Secrets Manager allows you to rotate credentials easily and prevents exposing highly privileged credentials to the users who are responsible for running and managing the project that is used to run the DA.
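As an added example (not part of the IBM Cloud documentation or of the DA itself), the following POSIX shell script performs the four access-group steps above with the IBM Cloud CLI for a service ID operator. The group and service ID names are hypothetical, and the IAM service names used for the Table 1 rows (cloud-object-storage, kms, billing, iam-access-management, enterprise) are assumed identifiers that you should verify in your own account before running with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: wires up the Table 1 access policies with the IBM Cloud CLI.
# GROUP and OPERATOR are hypothetical names, not values from the documentation.
GROUP="${GROUP:-cloudability-da-operators}"
OPERATOR="${OPERATOR:-cloudability-da-operator}"
# Defaults to printing the commands; set DRY_RUN=0 to execute them.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Table 1 rows as "iam-service-name|roles". The service names are assumed IAM
# identifiers (verify them in your account). The enterprise row applies only to
# enterprise accounts.
TABLE1='
cloud-object-storage|Administrator,Writer,ObjectReader
kms|Editor,Manager
billing|Administrator
iam-access-management|Administrator
enterprise|Administrator
'

# Step 1: create the access group that will hold the policies.
create_access_group() {
  run ibmcloud iam access-group-create "$GROUP" -d "Operators of the Cloudability Enablement DA"
}

# Step 2: attach one policy per Table 1 row, plus the All Account Management
# policy that is needed only when the DA creates a new resource group.
assign_table1_policies() {
  printf '%s\n' "$TABLE1" | while IFS='|' read -r svc roles; do
    [ -n "$svc" ] || continue
    run ibmcloud iam access-group-policy-create "$GROUP" --roles "$roles" --service-name "$svc"
  done
  run ibmcloud iam access-group-policy-create "$GROUP" --roles Administrator --account-management
}

# Steps 3 and 4 for a service ID operator: create it, add it to the group, and
# mint its IAM API key. Store the key in Secrets Manager, not in the DA config.
add_service_id_operator() {
  run ibmcloud iam service-id-create "$OPERATOR" -d "Cloudability DA operator"
  run ibmcloud iam access-group-service-id-add "$GROUP" "$OPERATOR"
  run ibmcloud iam service-api-key-create "${OPERATOR}-key" "$OPERATOR" -d "Cloudability DA operator key"
}

if [ "${1:-}" = "apply" ]; then
  create_access_group && assign_table1_policies && add_service_id_operator
fi
```

Run it once as `sh setup.sh apply` to review the printed commands, then with `DRY_RUN=0 sh setup.sh apply` after `ibmcloud login` to apply them.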

Using a trusted profile

  1. Create a Project.
  2. Create a trusted profile for the Project.
  3. Assign the access policies from Table 1 and the trusted profile policies that are needed by Projects to the trusted profile.
  4. Copy the trusted profile ID for the next step to deploy the DA.

Next steps

You are now ready to run the deployable architecture by using IBM Cloud Projects.