Establishing service-to-service authorization
To configure DNS sharing for VPE gateways between hub and DNS-shared VPCs on different accounts, the hub VPC administrator must establish an IAM service-to-service (s2s) authorization policy. For more information, see Using authorizations to grant access between services.
Notes:
- Whether the DNS-shared VPC and the hub VPC are in the same account or in different accounts, as the hub VPC administrator you must create an IAM service-to-service authorization policy that gives the DNS-shared VPC the DNSBindingConnector permission on the hub VPC.
- Currently, the UI allows only All VPC instances to have the DNSBindingConnector permission on the hub VPC, so a policy created in the UI grants the role to every VPC in the source account rather than to the one DNS-shared VPC that needs it. To indicate a specific VPC, you must use the API, or wrap an API request in a JSON file to use with the CLI. Example code is provided for use with the CLI and API.
You can establish s2s authorization with the UI, CLI, API, or Terraform.
Creating an IAM s2s authorization policy in the UI
To create an IAM s2s authorization policy in the UI, follow these steps:
- In the IBM Cloud console, go to Manage > Access (IAM). The IBM Cloud Identity and Access Management page displays.
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- On the Grant a service authorization page, select the source account:
  - If you're setting up authorization in your account, select This account.
  - If you're setting up authorization in the enterprise account, select Other account.
- For the source service, select VPC Infrastructure Services from the list.
- For the scope, choose Specific resources.
- For Resource type, select Virtual Private Cloud from the list.
- For Source service instance, choose All instances. To select a specific instance, you must use the CLI or API instructions. This is a known limitation.
- For the target service, select VPC Infrastructure Services from the list.
- For the scope, choose Specific resources.
- For Resource type, select Virtual Private Cloud from the list.
- In the Roles section under Service access, select DNSBindingConnector.
- Click Authorize.
- When you are returned to the Manage authorizations page, click Create again and follow the same steps to set up authorizations for the other two services.
Creating an IAM s2s authorization policy from the CLI
To create an IAM s2s authorization policy from the CLI, follow these steps:
- Log in to your account with the CLI. After you authenticate, the CLI prompts for the account and region that you want to use:
  ibmcloud login --sso
- Create an IAM s2s authorization policy. The positional arguments are the source service name, the target service name, and the role, so both service names are is (VPC Infrastructure Services):
  ibmcloud iam authorization-policy-create is is DNSBindingConnector --source-resource-type vpc --target-resource-type vpc
  Because this command names no source or target service instance, it applies to every VPC in the account on both sides, the same breadth as the UI. To scope the policy to one DNS-shared VPC and one hub VPC, pass a JSON file as described next.
Indicating a specific VPC instance from the CLI
If a DNS-shared VPC and the hub VPC are in the same account, as the hub VPC administrator, you must create an IAM service-to-service authorization policy that gives this DNS-shared VPC the DNSBindingConnector permission on the hub VPC. Currently, the UI Source service instance selector allows only All VPC instances to have the DNSBindingConnector permission on the hub VPC.
To indicate a specific VPC from the CLI, you must use a JSON file with API request content. For example:
ibmcloud iam authorization-policy-create --file JSON_FILE
Where the JSON_FILE contains the following. The subject's resource attribute names the DNS-shared VPC and the target's vpcId attribute names the hub VPC; both accountId values are the same here because the two VPCs are in one account:
{
  "type": "authorization",
  "subjects": [
    {
      "attributes": [
        {"name": "accountId", "value": "e38cfd44b6e44b249ac75dd5de0cc8aa"},
        {"name": "serviceName", "value": "is"},
        {"name": "resourceType", "value": "vpc"},
        {"name": "resource", "value": "r134-fd189c4f-52a0-4694-abfd-186cb6011a3c"}
      ]
    }
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:is::::serviceRole:DNSBindingConnector"}
  ],
  "resources": [
    {
      "attributes": [
        {"name": "accountId", "value": "e38cfd44b6e44b249ac75dd5de0cc8aa"},
        {"name": "serviceName", "value": "is"},
        {"name": "vpcId", "value": "r134-ffaedf75-4f44-4ead-989d-cd37816a13d2"}
      ]
    }
  ]
}
Creating an IAM s2s authorization policy with the API
To create an IAM s2s authorization policy with the API, follow these steps:
- Set up your API environment.
- Store the following values in variables to be used in the API commands:
  export dns_shared_account_id=<dns_shared_vpc_account_id>
  export hub_account_id=<hub_vpc_account_id>
  export dns_shared_vpc_id=<dns_shared_vpc_id>
  export hub_vpc_id=<hub_vpc_id>
- To create and delete a DNS resolution binding between hub and DNS-shared VPCs across different accounts, an s2s policy must exist in the hub VPC account. This gives the DNS-shared VPC the DNSBindingConnector role on the hub VPC. To create the s2s policy, refer to the policies method in the IAM Policy Management API.
Example request
{
  "type": "authorization",
  "subjects": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "'$dns_shared_account_id'"
        },
        {
          "name": "serviceName",
          "value": "is"
        },
        {
          "name": "resourceType",
          "value": "vpc"
        },
        {
          "name": "resource",
          "value": "'$dns_shared_vpc_id'"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:is::::serviceRole:DNSBindingConnector"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "'$hub_account_id'"
        },
        {
          "name": "serviceName",
          "value": "is"
        },
        {
          "name": "vpcId",
          "value": "'$hub_vpc_id'"
        }
      ]
    }
  ]
}
Command example
The '$variable' sequences inside the request body close and reopen the single-quoted string so that the shell substitutes the exported values. Assign the body to request_body inside single quotes, then pass it to curl in double quotes; inside single quotes curl would send the literal text $request_body instead of the JSON. Send the JSON content type as well:
curl -sX POST "$iam_api_endpoint/v1/policies" -H "Authorization: Bearer ${iam_token}" -H "Content-Type: application/json" -d "$request_body"
Indicating a specific VPC instance with the API
Whether the DNS-shared (spoke) VPC and the hub VPC are in the same account or in different accounts, as the hub VPC administrator, you must create an IAM service-to-service authorization policy that gives this DNS-shared VPC the DNSBindingConnector permission on the hub VPC. Currently, the UI Source service instance selector allows only All VPC instances to have the DNSBindingConnector permission on the hub VPC.
Here is a sample API request body that grants a specific DNS-shared VPC in Account S (the spoke) the DNSBindingConnector permission on a specific hub VPC in Account H; when both VPCs are in one account, the two accountId values are the same. Note that the role_id is crn:v1:bluemix:public:is::::serviceRole:DNSBindingConnector. The four quoted placeholders stand for the spoke account ID, the spoke VPC ID, the hub account ID, and the hub VPC ID.
{
  "type": "authorization",
  "subjects": [
    {
      "attributes": [
        { "name": "accountId", "value": "Account S (Spoke)" },
        { "name": "serviceName", "value": "is" },
        { "name": "resourceType", "value": "vpc" },
        { "name": "resource", "value": "Spoke VPC ID" }
      ]
    }
  ],
  "roles": [
    { "role_id": "crn:v1:bluemix:public:is::::serviceRole:DNSBindingConnector" }
  ],
  "resources": [
    {
      "attributes": [
        { "name": "accountId", "value": "Account H (Hub)" },
        { "name": "serviceName", "value": "is" },
        { "name": "vpcId", "value": "Hub VPC ID" }
      ]
    }
  ]
}
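The policy body above is the same one used for the CLI --file route and for the API request with exported variables. The following Python is an added example and is not part of this page or IBM's code: it builds that body for one specific spoke VPC and one hub VPC (same or cross account), writes it as the file for ibmcloud iam authorization-policy-create --file, submits it with the headers IAM expects, and audits an existing policy listing for DNSBindingConnector grants that are wider than one VPC to one VPC, which is what the UI's All instances option produces. Assumptions, marked in the code: the IAM endpoint https://iam.cloud.ibm.com/v1/policies and the Content-Type header; the ID patterns, inferred from the sample IDs on this page; that an All instances grant appears as a subject or resource block without a resource or vpcId attribute; and the constructed sample data (the hub account, hub VPC and spoke VPC IDs are the page's sample values, the spoke account ID and the policy ids are made up). The functions build_policy, write_policy_file, create_policy, grant_findings and audit are this example's own names.

```python
"""Build, submit and audit the IAM s2s policy that gives a DNS-shared (spoke)
VPC the DNSBindingConnector role on a hub VPC. Added example, not IBM's code:
the body shape and role CRN are those on this page; the endpoint, headers, ID
patterns, the "All instances" shape and the sample data are ASSUMED."""
import json
import re
import urllib.request

ROLE_CRN = "crn:v1:bluemix:public:is::::serviceRole:DNSBindingConnector"
IAM_POLICIES_URL = "https://iam.cloud.ibm.com/v1/policies"  # assumed endpoint
# ID shapes inferred from the page's sample values: 32 hex chars; r<nnn>-<uuid>.
ACCOUNT_ID_RE = re.compile(r"^[0-9a-f]{32}$")
VPC_ID_RE = re.compile(r"^r\d{3}-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def build_policy(spoke_account_id, spoke_vpc_id, hub_account_id, hub_vpc_id):
    """Body for POST /v1/policies pinned to one spoke VPC and one hub VPC (the
    console can only grant All instances). Same- and cross-account alike: the
    subject and the resource each carry their own accountId."""
    for label, value, pattern in (("spoke account", spoke_account_id, ACCOUNT_ID_RE),
                                  ("hub account", hub_account_id, ACCOUNT_ID_RE),
                                  ("spoke VPC", spoke_vpc_id, VPC_ID_RE),
                                  ("hub VPC", hub_vpc_id, VPC_ID_RE)):
        if not pattern.match(value):
            raise ValueError(f"{label} id looks malformed: {value!r}")
    return {
        "type": "authorization",
        "subjects": [{"attributes": [
            {"name": "accountId", "value": spoke_account_id},
            {"name": "serviceName", "value": "is"},
            {"name": "resourceType", "value": "vpc"},
            {"name": "resource", "value": spoke_vpc_id}]}],
        "roles": [{"role_id": ROLE_CRN}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": hub_account_id},
            {"name": "serviceName", "value": "is"},
            {"name": "vpcId", "value": hub_vpc_id}]}],
    }


def write_policy_file(policy, path):
    """Write the body for `ibmcloud iam authorization-policy-create --file PATH`."""
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return path


def create_policy(policy, iam_token):
    """POST with the headers IAM expects; needs a live token, so not run offline."""
    req = urllib.request.Request(
        IAM_POLICIES_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {iam_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _attrs(block):
    return {a["name"]: a["value"] for a in block.get("attributes", [])}


def grant_findings(policy, hub_vpc_id):
    """Ways a DNSBindingConnector grant that reaches hub_vpc_id is wider than
    one spoke VPC -> one hub VPC. Empty list: tight, or not about this VPC."""
    if policy.get("type") != "authorization":
        return []
    if not any(r.get("role_id") == ROLE_CRN for r in policy.get("roles", [])):
        return []
    target = _attrs(policy["resources"][0])
    if target.get("serviceName") != "is" or target.get("vpcId") not in (None, hub_vpc_id):
        return []
    findings = []
    if target.get("vpcId") is None:  # assumed: no vpcId means every VPC in the account
        findings.append("target is every VPC in account " + target.get("accountId", "?"))
    source = _attrs(policy["subjects"][0])
    if source.get("resource") is None:  # assumed: no resource means All instances
        findings.append("source is every VPC in account " + source.get("accountId", "?"))
    return findings


def audit(policies, hub_vpc_id):
    """Policy id -> findings for a listing such as the result of
    GET /v1/policies?account_id=<hub account>&type=authorization."""
    report = {}
    for policy in policies:
        findings = grant_findings(policy, hub_vpc_id)
        if findings:
            report[policy["id"]] = findings
    return report


# Sample IDs: hub/spoke values are the page's; spoke account and policy ids are constructed.
HUB_ACCOUNT = "e38cfd44b6e44b249ac75dd5de0cc8aa"
HUB_VPC = "r134-ffaedf75-4f44-4ead-989d-cd37816a13d2"
SPOKE_VPC = "r134-fd189c4f-52a0-4694-abfd-186cb6011a3c"
SPOKE_ACCOUNT = "0123456789abcdef0123456789abcdef"
_ALL_VPCS = [{"name": "accountId", "value": HUB_ACCOUNT},
             {"name": "serviceName", "value": "is"}, {"name": "resourceType", "value": "vpc"}]
# Constructed listing: a tight cross-account policy, a console-style policy with
# All instances on both sides, and a tight policy for a different hub VPC.
SAMPLE_POLICIES = [
    {"id": "p-tight", **build_policy(SPOKE_ACCOUNT, SPOKE_VPC, HUB_ACCOUNT, HUB_VPC)},
    {"id": "p-console", "type": "authorization", "subjects": [{"attributes": _ALL_VPCS}],
     "roles": [{"role_id": ROLE_CRN}], "resources": [{"attributes": _ALL_VPCS}]},
    {"id": "p-other-hub", **build_policy(SPOKE_ACCOUNT, SPOKE_VPC, HUB_ACCOUNT,
                                         "r134-00000000-0000-4000-8000-000000000000")},
]
```

Running audit(SAMPLE_POLICIES, HUB_VPC) reports only p-console, with one finding for each side that was left at All instances; the tight policies produce none. After creating a policy by any of the routes on this page, fetching the account's authorization policies and passing them through audit is a quick way to confirm that the hub VPC is reachable only from the intended spoke VPC.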