Establishing service-to-service authorizations for the Backup service
Before you can create backup policies, you need to establish service-to-service authorizations and specify user roles. This authorization enables the Backup for VPC service to detect the tags, create backup snapshots and store them in Object Storage or with the source file share.
Overview
For IBM Cloud Backup for VPC service to work, you need to provide an authorization for the service. In an authorization, the source service is the service that is granted access to the target service. The roles that you select define the level of access for the source service. The target service is the service that you are granting permission to be accessed by the source service based on the roles that you assign. A source service can be in the same account where the authorization is created or in another account. The target service is always in the account where the authorization is created.
To create a backup policy and for the backup jobs to run correctly, the Backup service needs to be authorized to work with Block Storage for VPC, Snapshots for VPC, and Virtual Server for VPC services.
If you are an Enterprise account administrator who wants to create a backup policy for your enterprise account and subaccounts, you also need to have authorization for the Backup service in the enterprise account to work with the Backup service in the subaccounts.
To create a backup policy and for the backup jobs to run correctly for File shares, the Backup service needs to be authorized to work with File Storage for VPC.
For more information about authorizations, see Using authorizations to grant access between services.
If you set up service authorizations incorrectly, the backup service cannot create the backup policies. For more information, see the troubleshooting topic Backup policy not created due to incorrect authorizations.
Creating authorization policies in the console
Creating authorization for volume backups at the account level
To create a service-to-service authorization policy, follow this procedure:
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select the Source account. As you're setting up authorization for the Backup service in your account, select This account. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - From the list, select Resource type.
  - In the next field, select IBM Cloud Backup for VPC.
  - Click Next.
- For the target service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Click Resource type. Select one of the services in Table 1. You need to create authorization for all of them.

    Table 1. Service-to-service authorizations
    Source service - resource type | Target service - resource type  | Dependent service user role
    IBM Cloud Backup for VPC       | Block Storage for VPC           | Operator
    IBM Cloud Backup for VPC       | Block Storage Snapshots for VPC | Editor
    IBM Cloud Backup for VPC       | Multi Volume Snapshots for VPC  | Editor
    IBM Cloud Backup for VPC       | Virtual Server for VPC          | Operator

  - Click Next.
- Select the role. See Table 1 for the appropriate role.
- Click Review and inspect your choices.
- Click Authorize.
- When you are returned to the Manage authorizations page, click Create again and follow the same steps to set up authorizations for the remaining services.
Creating authorization for file share backups at the account level
To create a service-to-service authorization policy, follow this procedure:
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select the Source account. As you're setting up authorization for the Backup service in your account, select This account. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
- Select the scope by clicking Specific resources.
- Click Select an attribute.
- From the list, select Resource type.
- In the next field, select IBM Cloud Backup for VPC.
- Click Next.
- For the target service, select VPC Infrastructure Services from the list. Click Next.
- Select the scope by clicking Specific resources.
- Click Select an attribute.
- Click Resource type. Select File Storage for VPC.
- Click Next.
- Select the roles: Editor, Operator, Share Snapshot Operator.
- Click Review and inspect your choices.
- Click Authorize.
Creating cross-account authorization for backups managed by the Enterprise account from the child account
To allow an Enterprise administrator to manage backups centrally, the subaccounts must provide authorization for the Backup service of the Enterprise account to interact with the resources of the child accounts. The following steps can be followed by the child account administrator to create the authorizations in their account locally.
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select the Source account. As you're setting up authorization for the Backup service of the enterprise account, select Specific account, and enter the Enterprise account's ID. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - From the list, select Resource type.
  - In the next field, select IBM Cloud Backup for VPC.
  - Click Next.
- For the target service, select VPC Infrastructure Services from the list.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Click Resource type. Select one of the services in Table 2. You need to create authorization for all of them.

    Table 2. Service-to-service authorizations for the Enterprise
    Source service - resource type | Target service - resource type  | Dependent service user role
    IBM Cloud Backup for VPC       | Block Storage for VPC           | Operator
    IBM Cloud Backup for VPC       | Block Storage Snapshots for VPC | Editor
    IBM Cloud Backup for VPC       | Multi Volume Snapshots for VPC  | Editor
    IBM Cloud Backup for VPC       | Virtual Server for VPC          | Operator
    IBM Cloud Backup for VPC       | IBM Cloud Backup for VPC        | Editor
    IBM Cloud Backup for VPC       | File Storage for VPC            | Editor, Operator, Share Snapshot Operator

  - Click Next.
- Select the role. See Table 2 for the appropriate role.
- Click Review and inspect your choices.
- Click Authorize.
- When you are returned to the Manage authorizations page, click Create again and follow the same steps to set up authorizations for the remaining services.
Creating cross-account authorization templates for backups managed by the Enterprise
By using authorization templates, the Enterprise account administrator can create an authorization policy that can be assigned to the child accounts and implement the authorization in the assigned accounts without logging in to the child accounts individually.
- In the IBM Cloud console, go to Manage > Access (IAM) > Enterprise > Templates.
- Select Authorizations and click Create.
- Enter a name and description for the authorization template that describes its purpose for enterprise users.
- Enter a description for the enterprise-managed authorization policy that describes its purpose for child account users.
- Click Create.
Next, complete the following steps to build the authorization rules:
- Go to Authorization to specify the details of the authorization policy.
- Select the account from which the source service requests access to another service. Select Assigned account(s). When you assign the authorization template to a child account later, the source account is populated to the same account as the child account, which holds the resource that is accessed.
- Next, select the source service and resources.
  - Select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - From the list, select Resource type.
  - In the next field, select IBM Cloud Backup for VPC.
- For the target service, select VPC Infrastructure Services from the list.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - From the list, select Resource type. Select one of the services in Table 3. You need to create authorization for all of them.

    Table 3. Service-to-service authorizations for the Enterprise
    Source service - resource type | Target service - resource type  | Dependent service user role
    IBM Cloud Backup for VPC       | Block Storage for VPC           | Operator
    IBM Cloud Backup for VPC       | Block Storage Snapshots for VPC | Editor
    IBM Cloud Backup for VPC       | Multi Volume Snapshots for VPC  | Editor
    IBM Cloud Backup for VPC       | Virtual Server for VPC          | Operator
    IBM Cloud Backup for VPC       | IBM Cloud Backup for VPC        | Editor
    IBM Cloud Backup for VPC       | File Storage for VPC            | Editor, Operator, Share Snapshot Operator

  - Click Next.
- Select the role. See Table 3 for the appropriate role.
- Click Review and inspect your choices. Then, click Save.
- The template is now ready for you to commit and assign to child accounts. Repeat the steps to create authorization templates for all of the services.
Creating authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, follow this procedure:
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select the Source account. As you're setting up authorization for the Backup service in your account, select This account. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
- Select the scope by clicking Specific resources.
- Click Select an attribute and from the list, select Resource type.
- In the next field, select IBM Cloud Backup for VPC.
- Click Next.
- Select Event Notifications as the target service. Click Next.
- Select the scope by clicking Specific resources.
- Click Select an attribute.
- Click serviceInstance.
- In the next field, select the string equals.
- In the next field, select the Event Notifications service instance that you want to authorize.
- Select the Event Source Manager role.
- Click Review and inspect your choices.
- Click Authorize.
Creating authorization policies from the CLI
Creating authorization for volume backups at the account level
To use Backup for VPC in your account to create policies, plans and run backup jobs for block storage volumes, create the following service-to-service authorizations:
- backup-policy (source) to instance (target) with Operator role
- backup-policy (source) to volume (target) with Operator role
- backup-policy (source) to snapshot (target) with Editor role
- backup-policy (source) to snapshot-consistency-group (target) with Editor role
- Create four JSON files with the following information for the authorization policies.
  - Instance service:
    { "type": "authorization",
      "subjects": [ {"attributes": [ {"name": "accountId", "value": "ACCOUNT_ID"}, {"name": "serviceName", "value": "is"}, {"name": "resourceType", "value": "backup-policy"}]}],
      "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}],
      "resources": [ {"attributes": [ {"name": "accountId", "value": "ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "instanceId", "operator": "stringEquals", "value": "*"}]}] }
  - Block Storage volume service:
    { "type": "authorization",
      "subjects": [ {"attributes": [ {"name": "accountId", "value": "ACCOUNT_ID"}, {"name": "serviceName", "value": "is"}, {"name": "resourceType", "value": "backup-policy"}]}],
      "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}],
      "resources": [ {"attributes": [ {"name": "accountId", "value": "ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "volumeId", "operator": "stringEquals", "value": "*"}]}] }
  - Block Storage snapshot service:
    { "type": "authorization",
      "subjects": [ {"attributes": [ {"name": "accountId", "value": "ACCOUNT_ID"}, {"name": "serviceName", "value": "is"}, {"name": "resourceType", "value": "backup-policy"}]}],
      "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}],
      "resources": [ {"attributes": [ {"name": "accountId", "value": "ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "snapshotId", "operator": "stringEquals", "value": "*"}]}] }
  - Snapshot consistency group:
    { "type": "authorization",
      "subjects": [ {"attributes": [ {"name": "accountId", "value": "ACCOUNT_ID"}, {"name": "serviceName", "value": "is"}, {"name": "resourceType", "value": "backup-policy"}]}],
      "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}],
      "resources": [ {"attributes": [ {"name": "accountId", "value": "ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "snapshotConsistencyGroupId", "operator": "stringEquals", "value": "*"}]}] }
- Then, use the JSON files to run the following CLI command, once for each file.
  ibmcloud iam authorization-policy-create --file ~/Documents/policy.json
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
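The four volume authorizations above are easy to get wrong by hand (one missing file, or the wrong role on one of them, and policy creation fails). The following is an added example, not IBM's tooling: it builds the same four policy documents that the `--file` command above expects and then checks a list of existing policies for each required authorization, reporting what is missing. The list it checks here is a constructed sample; in practice you would feed it the JSON your account returns, which this example assumes carries the v1 `/policies` fields `type`, `subjects`, `roles` and `resources`.

```python
"""Build and verify the block-volume authorizations for Backup for VPC.

Added example, not IBM tooling. Assumes existing policies are given as a
list of dicts with the v1 /policies fields type, subjects, roles, resources.
"""
import json

ROLE_CRN = "crn:v1:bluemix:public:iam::::role:"

# Required target attribute -> role, taken from the page's list of the four
# backup-policy authorizations for block storage volumes.
REQUIRED = {
    "instanceId": "Operator",                # Virtual Server for VPC
    "volumeId": "Operator",                  # Block Storage for VPC
    "snapshotId": "Editor",                  # Block Storage Snapshots for VPC
    "snapshotConsistencyGroupId": "Editor",  # Multi Volume Snapshots for VPC
}


def build_policy(account_id, target_attr, role):
    """Authorization body: is.backup-policy (source) -> one VPC target type."""
    return {
        "type": "authorization",
        "subjects": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": "is"},
            {"name": "resourceType", "value": "backup-policy"},
        ]}],
        "roles": [{"role_id": ROLE_CRN + role}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "operator": "stringEquals", "value": "is"},
            {"name": target_attr, "operator": "stringEquals", "value": "*"},
        ]}],
    }


def policy_documents(account_id):
    """Return {target_attr: json_text}, one document per --file invocation."""
    return {attr: json.dumps(build_policy(account_id, attr, role), indent=2)
            for attr, role in REQUIRED.items()}


def _attr(attributes, name):
    """Value of the named attribute in a policy attribute list, or None."""
    for item in attributes:
        if item.get("name") == name:
            return item.get("value")
    return None


def _is_backup_policy_subject(policy, account_id):
    """True if the policy's subject is this account's is.backup-policy."""
    for subject in policy.get("subjects", []):
        attrs = subject.get("attributes", [])
        if (_attr(attrs, "serviceName") == "is"
                and _attr(attrs, "resourceType") == "backup-policy"
                and _attr(attrs, "accountId") == account_id):
            return True
    return False


def missing_authorizations(existing, account_id):
    """Return {target_attr: required_role} for requirements not satisfied.

    A requirement is satisfied only by an authorization whose subject is this
    account's is.backup-policy, whose resources name the target attribute on
    service "is", and whose roles include exactly the role the page lists.
    """
    missing = dict(REQUIRED)
    for policy in existing:
        if policy.get("type") != "authorization":
            continue
        if not _is_backup_policy_subject(policy, account_id):
            continue
        roles = {r.get("role_id", "").rsplit(":", 1)[-1]
                 for r in policy.get("roles", [])}
        for resource in policy.get("resources", []):
            attrs = resource.get("attributes", [])
            if _attr(attrs, "serviceName") != "is":
                continue
            for target, role in REQUIRED.items():
                if _attr(attrs, target) is not None and role in roles:
                    missing.pop(target, None)
    return missing


# Constructed sample of an account's existing policies: three are correct,
# the consistency-group one carries the wrong role, and a correct-looking
# policy that belongs to another account must not count.
ACCOUNT_ID = "ACCOUNT_ID_PLACEHOLDER"
SAMPLE_EXISTING = [
    build_policy(ACCOUNT_ID, "instanceId", "Operator"),
    build_policy(ACCOUNT_ID, "volumeId", "Operator"),
    build_policy(ACCOUNT_ID, "snapshotId", "Editor"),
    build_policy(ACCOUNT_ID, "snapshotConsistencyGroupId", "Operator"),
    build_policy("OTHER_ACCOUNT_ID", "snapshotConsistencyGroupId", "Editor"),
]

if __name__ == "__main__":
    for attr, doc in policy_documents(ACCOUNT_ID).items():
        with open(f"backup-policy-to-{attr}.json", "w") as fh:
            fh.write(doc)
    for attr, role in missing_authorizations(SAMPLE_EXISTING, ACCOUNT_ID).items():
        print(f"missing: is.backup-policy -> {attr} with {role} role")
```

Run against the sample, the check reports only the consistency-group authorization as missing, because the existing one grants Operator where Editor is required.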
Creating authorization for file share backups at the account level
To create a service-to-service authorization policy for File Storage for VPC share backups, use the authorization-policy-create command.
ibmcloud iam authorization-policy-create is is ShareSnapshotOperator,Editor,Operator --source-resource-type backup-policy --target-resource-type share
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating cross-account authorization templates for backups managed by the Enterprise
Enterprise account admins can create and assign authorization policy templates to the child accounts to manage authorizations centrally. To create an authorization policy template that can be used to enable backup policies for all child accounts of the Enterprise, complete the following steps.
- To get the enterprise root account ID, you can run the following command.
ibmcloud enterprise show
- Create the JSON files that provide the definition of the authorization policy template. For more information about the attributes that you can use in your JSON file, see the IAM Policy Management API.
  - Instance service:
    { "name": "Centralized authorization for Backup service to work with Instances", "description": "Grant Operator Role for the Backup service to work with Instances", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
      "policy": { "type": "authorization", "description": "Grant Operator on VPC Instances",
        "control": { "grant": { "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}] }},
        "subject": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"} ]},
        "resource": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "instanceId", "operator": "stringExists", "value": true} ]}} }
  - Block Storage volume service:
    { "name": "Centralized authorization for Backup service to work with Block Storage service", "description": "Grant Operator Role for the Backup service to work with Block Storage volumes", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
      "policy": { "type": "authorization", "description": "Grant Operator on Block Storage for VPC volumes",
        "control": { "grant": { "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}] }},
        "subject": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"} ]},
        "resource": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "volumeId", "operator": "stringExists", "value": true} ]}} }
  - Block Storage snapshot service:
    { "name": "Centralized authorization for Backup service to work with Block Storage snapshots", "description": "Grant Editor Role for the Backup service to work with Block Storage snapshots", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
      "policy": { "type": "authorization", "description": "Grant Editor on Block Storage for VPC snapshots",
        "control": { "grant": { "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}] }},
        "subject": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"} ]},
        "resource": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "snapshotId", "operator": "stringExists", "value": true} ]}} }
  - Snapshot consistency group:
    { "name": "Centralized authorization for Backup service to work with snapshot consistency groups", "description": "Grant Editor Role for the Backup service to work with snapshot consistency groups", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
      "policy": { "type": "authorization", "description": "Grant Editor on snapshot consistency groups",
        "control": { "grant": { "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}] }},
        "subject": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"} ]},
        "resource": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "snapshotConsistencyGroupId", "operator": "stringExists", "value": true} ]}} }
  - File shares:
    { "name": "Centralized authorization for Backup service to work with File shares", "description": "Grant Editor, Operator, and Share Snapshot Operator roles for the Backup service to work with File shares", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
      "policy": { "type": "authorization", "description": "Grant Editor, Operator, and Share Snapshot Operator roles on File shares",
        "control": { "grant": { "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}, {"role_id": "crn:v1:bluemix:public:iam::::role:ShareSnapshotOperator"}, {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}] }},
        "subject": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"} ]},
        "resource": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "shareId", "operator": "stringExists", "value": true} ]}} }
- Run the authorization-policy-template-create command with the JSON file as shown in the following sample request:
  ibmcloud iam authorization-policy-template-create --file /path/to/vpc-share-authorization-template.json
- Repeat for all the JSON files. When you're done, the templates are ready to be committed and assigned to child accounts.
- Run the following commands to commit the template version and assign the template to the target accounts.
ibmcloud iam authorization-policy-template-version-commit (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION [-q, --quiet]
ibmcloud iam authorization-policy-assignment-create (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION --target-type TYPE --target TARGET [-q, --quiet] [-o, --output FORMAT]
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-template-create.
Creating authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, use the authorization-policy-create command.
ibmcloud iam authorization-policy-create is event-notification EventSourceManager --source-resource-type backup-policy --target-resource-instance $en-instance-ID
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating authorization policies with the API
Creating authorization for volume backups at the account level
To use Backup for VPC in your account to create policies, plans and run backup jobs for block storage volumes, create the following service-to-service authorizations:
- is.backup-policy (source) to is.instance (target) with Operator role
- is.backup-policy (source) to is.volume (target) with Operator role
- is.backup-policy (source) to is.snapshot (target) with Editor role
- is.backup-policy (source) to is.snapshot-consistency-group (target) with Editor role
Make the request to the IAM Policy Management API, similar to the following examples.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
  "type": "authorization",
  "description": "Operator role for the Backup service to the Virtual Server service",
  "subjects": [
    {"attributes": [
      {"name": "serviceName", "value": "is"},
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "resourceType", "value": "backup-policy"}]
    }
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
  ],
  "resources": [
    {"attributes": [
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "serviceName", "operator": "stringEquals", "value": "is"},
      {"name": "instanceId", "operator": "stringEquals", "value": "*"}]
    }
  ]
}'
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
  "type": "authorization",
  "description": "Operator role for the Backup service to the Cloud Block Storage",
  "subjects": [
    {"attributes": [
      {"name": "serviceName", "value": "is"},
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "resourceType", "value": "backup-policy"}]
    }
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
  ],
  "resources": [
    {"attributes": [
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "serviceName", "operator": "stringEquals", "value": "is"},
      {"name": "volumeId", "operator": "stringEquals", "value": "*"}]
    }
  ]
}'
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
  "type": "authorization",
  "description": "Editor role for the Backup service to Block Storage Snapshots",
  "subjects": [
    {"attributes": [
      {"name": "serviceName", "value": "is"},
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "resourceType", "value": "backup-policy"}]
    }
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
  ],
  "resources": [
    {"attributes": [
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "serviceName", "operator": "stringEquals", "value": "is"},
      {"name": "snapshotId", "operator": "stringEquals", "value": "*"}]
    }
  ]
}'
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
  "type": "authorization",
  "description": "Editor role for the Backup service to the Snapshot consistency groups",
  "subjects": [
    {"attributes": [
      {"name": "serviceName", "value": "is"},
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "resourceType", "value": "backup-policy"}]
    }
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
  ],
  "resources": [
    {"attributes": [
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "serviceName", "operator": "stringEquals", "value": "is"},
      {"name": "snapshotConsistencyGroupId", "operator": "stringEquals", "value": "*"}]
    }
  ]
}'
For more information, see the API spec for IAM Policy Management.
Creating cross-account authorization for volume backups managed by the Enterprise from the child account
To allow an Enterprise administrator to manage backups centrally, the subaccounts must provide authorization for the Backup service of the Enterprise account to interact with the resources of the child accounts.
- Make an API request to the Enterprise Management API to get the account ID of the parent enterprise account.
  curl -X GET "https://enterprise.cloud.ibm.com/v1/enterprises" -H "Authorization: Bearer <IAM_Token>" -H 'Content-Type: application/json'
- Then, make the requests to the IAM Policy Management API to create the service-to-service authorizations for the is.backup-policy of the enterprise account to interact with the child account's is.backup-policy, is.snapshot, is.volume, is.snapshot-consistency-group, and is.instance services.
  - Authorize is.backup-policy (source) to interact with is.backup-policy (target) with the editor role.
    curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
    -H 'Authorization: Bearer $TOKEN' \
    -H 'Content-Type: application/json' \
    -d '{
      "type": "authorization",
      "description": "Editor role for the Enterprise backup service to interact with the backup service of this account",
      "subjects": [ {"attributes": [ {"name": "serviceName", "value": "is"}, {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType", "value": "backup-policy"}] } ],
      "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"} ],
      "resources": [ {"attributes": [ {"name": "accountId", "value": "$SUB_ACCOUNT_ID", "operator": "stringEquals"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "backupPolicyId", "operator": "stringEquals", "value": "*"}] } ]
    }'
  - Authorize is.backup-policy (source) to interact with is.volume (target) with the operator role.
    curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
    -H 'Authorization: Bearer $TOKEN' \
    -H 'Content-Type: application/json' \
    -d '{
      "type": "authorization",
      "description": "Operator role for the Enterprise backup service to interact with the volume service of this account",
      "subjects": [ {"attributes": [ {"name": "serviceName", "value": "is"}, {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType", "value": "backup-policy"}] } ],
      "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"} ],
      "resources": [ {"attributes": [ {"name": "accountId", "value": "$SUB_ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "volumeId", "operator": "stringEquals", "value": "*"}] } ]
    }'
  - Authorize is.backup-policy (source) to interact with is.snapshot (target) with the editor role.
    curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
    -H 'Authorization: Bearer $TOKEN' \
    -H 'Content-Type: application/json' \
    -d '{
      "type": "authorization",
      "description": "Editor role for the Enterprise backup service to interact with the snapshots of this account",
      "subjects": [ {"attributes": [ {"name": "serviceName", "value": "is"}, {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType", "value": "backup-policy"}] } ],
      "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"} ],
      "resources": [ {"attributes": [ {"name": "accountId", "value": "$SUB_ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "snapshotId", "operator": "stringEquals", "value": "*"}] } ]
    }'
  - Authorize is.backup-policy (source) to interact with is.instance (target) with the operator role.
    curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
    -H 'Authorization: Bearer $TOKEN' \
    -H 'Content-Type: application/json' \
    -d '{
      "type": "authorization",
      "description": "Operator role for the Enterprise backup service to interact with the virtual server instance service of this account",
      "subjects": [ {"attributes": [ {"name": "serviceName", "value": "is"}, {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType", "value": "backup-policy"}] } ],
      "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"} ],
      "resources": [ {"attributes": [ {"name": "accountId", "value": "$SUB_ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "instanceId", "operator": "stringEquals", "value": "*"}] } ]
    }'
For more information, see the API spec for IAM Policy Management.
Creating authorization for file share backups
To use Backup for VPC in your account to create policies, plans and run backup jobs for file shares, make the following request to create the required service-to-service authorization.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
  "type": "authorization",
  "description": "IAM roles for the Backup service to Cloud File Storage",
  "subjects": [
    {"attributes": [
      {"name": "serviceName", "value": "is"},
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "resourceType", "value": "backup-policy"}]
    }
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:ShareSnapshotOperator"},
    {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"},
    {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
  ],
  "resources": [
    {"attributes": [
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "serviceName", "operator": "stringEquals", "value": "is"},
      {"name": "shareId", "operator": "stringEquals", "value": "*"}]
    }
  ]
}'
Creating cross-account authorization templates for backups managed by the Enterprise
Enterprise account admins can programmatically create and assign authorization policy templates to the child accounts to manage authorizations centrally. To create an authorization policy template that can be used to enable backup policies for all child accounts of the Enterprise, complete the following steps.
-
Make an API request to the Enterprise Management API to get the account ID of the parent enterprise account.
curl -X GET `https://enterprise.cloud.ibm.com/v1/enterprises` -H "Authorization: Bearer <IAM_Token>" -H 'Content-Type: application/json'
-
Then, make the requests to the IAM Policy Management API to create the service-to-service authorizations for the
is.backup-policy
of the Enterprise account to interact with the assigned child account'sis.backup
,is.snapshot
,is.volume
,is.snapshot-consistency-group
, andis.instance
services.- Authorize
is.backup-policy
(source) to interact withis.backup-policy
(target) with the editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{ "name": "Centralized authorization for Backup service to work with Instances", "description": "Grant Operator Role for the Backup service to work with Instances", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID", "policy":{ "type": "authorization", "description": "Grant Operator on VPC Instances", "control":{ "grant":{ "roles":[ {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}] }}, "subject":{ "attributes":[ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"} ]}, "resource":{ "attributes":[ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "instanceId", "operator": "stringExists", "value": true} ]}} }
- Authorize
is.backup-policy
(source) to interact withis.volume
(target) with the operator role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{ "name": "Centralized authorization for Backup service to work with Block Storage service", "description": "Grant Operator Role for the Backup service to work with Block Storage volumes", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID", "policy":{ "type": "authorization", "description": "Grant Operator on Block Storage for VPC volumes", "control": { "grant": { "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}] }}, "subject": { "attributes": [ {"key": "serviceName", "value": "is"}, {"key": "resourceType", "value": "backup-policy"} ]}, "resource": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "volumeId", "operator": "stringExists", "value": "true"} ]}} }'
- Authorize
is.backup-policy
(source) to interact withis.snapshot
(target) with the editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{ "name": "Centralized authorization for Backup service to work with Block Storage snapshots", "description": "Grant Editor Role for the Backup service to work with Block Storage snapshots", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID", "policy": { "type": "authorization", "description": "Grant Editor on Block Storage for VPC snapshots", "control": { "grant": { "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}] }}, "subject": { "attributes": [ {"key": "serviceName", "value": "is"}, {"key": "resourceType", "value": "backup-policy"} ]}, "resource": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "snapshotId", "operator": "stringExists", "value": "true"} ]}} }'
- Authorize is.backup-policy (source) to interact with is.instance (target) with the Operator role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d '{ "name": "Centralized authorization for Backup service to work with Instances", "description": "Grant Operator Role for the Backup service to work with Instances", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID", "policy":{ "type": "authorization", "description": "Grant Operator on VPC Instances", "control":{ "grant":{ "roles":[ {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}] }}, "subject":{ "attributes":[ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"} ]}, "resource":{ "attributes":[ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "instanceId", "operator": "stringExists", "value": true} ]}} }'
- Authorize is.backup-policy (source) to interact with is.snapshotConsistencyGroup (target) with the Editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d '{ "name": "Centralized authorization for Backup service to work with snapshot consistency groups", "description": "Grant Editor Role for the Backup service to work with snapshot consistency groups", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID", "policy": { "type": "authorization", "description": "Grant Editor on snapshot consistency groups", "control": { "grant": { "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}] }}, "subject": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"} ]}, "resource": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "snapshotConsistencyGroupId", "operator": "stringExists", "value": "true"} ]}} }'
- Authorize is.backup-policy (source) to interact with is.share (target) with the Editor, Operator, and Share Snapshot Operator roles.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d '{ "name": "Centralized authorization for Backup service to work with File shares", "description": "Grant Editor, Operator, and Share Snapshot Operator roles for the Backup service to work with File shares", "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID", "policy": { "type": "authorization", "description": "Grant Editor, Operator, and Share Snapshot Operator roles on File shares", "control": { "grant": { "roles": [ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}, {"role_id": "crn:v1:bluemix:public:iam::::role:ShareSnapshotOperator"}, {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}]} }, "subject": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"}] }, "resource": { "attributes": [ {"key": "serviceName", "operator": "stringEquals", "value": "is"}, {"key": "shareId", "operator": "stringExists", "value": "true"}] } } }'
After you create the authorization templates, you must commit them and assign them to the accounts in the enterprise; an uncommitted or unassigned template grants nothing. For more information, see the API spec for IAM Policy Management.
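The five template bodies above differ only in the target resource attribute and the roles granted, so the required set is easy to tabulate and, more usefully, to check. The following Python is an added example, not IBM's code: it builds a policy template body from that table in the same shape as the requests above, and it audits a list of existing authorization policies (in the same policy shape, however they were created: console, API, or Terraform) against the table, reporting which required role is missing on which target. The account ID, the template names, and the sample policies at the bottom are constructed for the demo.

```python
"""Build Backup for VPC authorization policy templates and audit existing
authorizations against the roles the Backup service needs.

Added example, not IBM's code. The policy shape copies the policy template
bodies on this page; REQUIRED is the role table from the bullets above;
SAMPLE_POLICIES is constructed for the demo, not real IAM output.
"""
import json

ROLE_CRN = "crn:v1:bluemix:public:iam::::role:{}"
SUBJECT = [  # the source: the Backup for VPC service (is.backup-policy)
    {"key": "serviceName", "operator": "stringEquals", "value": "is"},
    {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"},
]
# target resource attribute -> roles the Backup service must hold on it
REQUIRED = {
    "volumeId": {"Operator"},
    "snapshotId": {"Editor"},
    "instanceId": {"Operator"},
    "snapshotConsistencyGroupId": {"Editor"},
    "shareId": {"Editor", "Operator", "ShareSnapshotOperator"},
}


def authorization_policy(target_attr, roles):
    """The 'policy' element of a template: grant `roles` to is.backup-policy
    on every 'is' resource that carries `target_attr` (e.g. volumeId)."""
    return {
        "type": "authorization",
        "description": f"Grant {', '.join(sorted(roles))} on is resources with {target_attr}",
        "control": {"grant": {"roles": [{"role_id": ROLE_CRN.format(r)} for r in sorted(roles)]}},
        "subject": {"attributes": list(SUBJECT)},
        "resource": {"attributes": [
            {"key": "serviceName", "operator": "stringEquals", "value": "is"},
            {"key": target_attr, "operator": "stringExists", "value": "true"},
        ]},
    }


def policy_template(account_id, target_attr, roles):
    """Body for POST https://iam.cloud.ibm.com/v1/policy_templates. The template
    still has to be committed and assigned before it grants anything."""
    return {
        "name": f"Backup service authorization for {target_attr}",  # constructed name
        "description": f"Grant {', '.join(sorted(roles))} to is.backup-policy on {target_attr}",
        "account_id": account_id,
        "policy": authorization_policy(target_attr, roles),
    }


def _attrs(block):
    """Index an attributes list by key for easy lookup."""
    return {a["key"]: a for a in block.get("attributes", [])}


def granted_roles(policy):
    """Role names taken from the role CRNs in control.grant.roles."""
    return {r["role_id"].rsplit(":", 1)[1] for r in policy["control"]["grant"]["roles"]}


def audit(policies):
    """Return {target_attr: [missing roles]} for each required authorization
    that no existing policy satisfies. Only 'authorization' policies whose
    subject is is.backup-policy and whose resource is the 'is' service count.
    A policy that exists but carries too low a role (e.g. Viewer on snapshots)
    still leaves the required role missing, which is the misconfiguration the
    troubleshooting topic describes."""
    held = {k: set() for k in REQUIRED}
    for p in policies:
        subj = _attrs(p.get("subject", {}))
        res = _attrs(p.get("resource", {}))
        if (p.get("type") != "authorization"
                or subj.get("serviceName", {}).get("value") != "is"
                or subj.get("resourceType", {}).get("value") != "backup-policy"
                or res.get("serviceName", {}).get("value") != "is"):
            continue
        for key in REQUIRED:
            if res.get(key, {}).get("operator") == "stringExists":
                held[key] |= granted_roles(p)
    return {k: sorted(v - held[k]) for k, v in REQUIRED.items() if v - held[k]}


# Constructed sample: volumes are correct, snapshots got Viewer instead of
# Editor, shares got Editor only, instances and consistency groups were never set up.
SAMPLE_POLICIES = [
    authorization_policy("volumeId", {"Operator"}),
    authorization_policy("snapshotId", {"Viewer"}),
    authorization_policy("shareId", {"Editor"}),
]

if __name__ == "__main__":
    print(json.dumps(policy_template("ENTERPRISE_ROOT_ACCOUNT_ID", "volumeId", {"Operator"}), indent=2))
    for attr, missing in audit(SAMPLE_POLICIES).items():
        print(f"missing on {attr}: {', '.join(missing)}")
```

Feed `audit()` the policies returned by the IAM policy list API for the account (after converting them to the same `subject`/`resource`/`control` shape) to find the gap before a backup policy fails to create; a policy with the right target but a weaker role is reported as missing, not as present.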
Creating authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, make an API request that grants is.backup-policy (source) access to event-notifications (target) with the EventSourceManager role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
  "type": "authorization",
  "description": "Event Source Manager role for the backup service to interact with the Event Notifications service",
  "subjects": [
    {"attributes": [
      {"name": "serviceName", "value": "is"},
      {"name": "resourceType", "value": "backup-policy"}]
    }
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:EventSourceManager"}
  ],
  "resources": [
    {"attributes": [
      {"name": "serviceName", "operator": "stringEquals", "value": "event-notifications"},
      {"name": "serviceInstance", "operator": "stringEquals", "value": "<en-instance-ID>"}]
    }
  ]
}'
Creating authorization policies with Terraform
Creating authorization for volume backups at the account level
Create an authorization policy between services by using the ibm_iam_authorization_policy resource in your main.tf file.
# Supplies the account ID that scopes both the subject and the target resources.
data "ibm_iam_account_settings" "iam" {}

# Operator role on all Block Storage for VPC volumes in the account.
resource "ibm_iam_authorization_policy" "policy1" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "volumeId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Operator"]
}

# Editor role on all Block Storage for VPC snapshots in the account.
resource "ibm_iam_authorization_policy" "policy2" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "snapshotId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Editor"]
}

# Editor role on all snapshot consistency groups in the account.
resource "ibm_iam_authorization_policy" "policy3" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "snapshotConsistencyGroupId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Editor"]
}

# Operator role on all virtual server instances in the account.
resource "ibm_iam_authorization_policy" "policy4" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "instanceId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Operator"]
}
For more information about the arguments and attributes, see the Terraform documentation for authorization resources.
Creating authorization for file share backups
Create an authorization policy between services by using the ibm_iam_authorization_policy resource in your main.tf file.
# Editor, Operator, and ShareSnapshotOperator roles on all File Storage for VPC
# shares in the account. roles is a list of separate role names, one per element.
resource "ibm_iam_authorization_policy" "share_policy" {
  source_service_name  = "is"
  source_resource_type = "backup-policy"
  target_service_name  = "is"
  target_resource_type = "share"
  roles                = ["ShareSnapshotOperator", "Editor", "Operator"]
}
For more information about the arguments and attributes, see the Terraform documentation for authorization resources.
Creating authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, use the ibm_iam_authorization_policy resource in your main.tf file.
# EventSourceManager role for the Backup service on one Event Notifications instance.
# Assumes the backup policy and the Event Notifications instance are declared
# elsewhere in the configuration as ibm_is_backup_policy.example and
# ibm_resource_instance.en; adjust the references to your own resource names.
resource "ibm_iam_authorization_policy" "en-policy" {
  source_service_name         = "is"
  source_resource_type        = "backup-policy"
  source_resource_instance_id = ibm_is_backup_policy.example.id
  target_service_name         = "event-notifications"
  target_resource_instance_id = ibm_resource_instance.en.guid
  roles                       = ["EventSourceManager"]
}
For more information about the arguments and attributes, see the Terraform documentation for authorization resources.