Establishing service-to-service authorizations for the Backup service
Before you create a backup policy, you need to establish service-to-service authorizations and specify the user roles. These authorizations let the Backup for VPC service detect tags, create backup snapshots, and store them in Object Storage or on the source file share.
Overview
For the IBM Cloud Backup for VPC service to work correctly, you need to grant it authorizations. In an authorization, the source service is the service that is granted access to the target service. The role you select defines the level of access for the source service. The target service is the service that you allow the source service to access, based on the assigned role. The source service can be in the same account where the authorization is created or in another account. The target service is always in the account where the authorization is created.
To create backup policies and have backup jobs run correctly, the Backup service must be authorized to work with the Block Storage for VPC, Snapshots for VPC, and Virtual Server for VPC services.
If you are an enterprise account administrator and want to create backup policies for the enterprise account and its child accounts, you also need an authorization for the Backup service in the enterprise account to work with the Backup service in each child account.
To create backup policies for file shares and have backup jobs run correctly, the Backup service must be authorized to work with File Storage for VPC.
For more information about authorizations, see Using authorizations to grant access between services.
If the service authorizations are not set up correctly, the Backup service cannot create backup policies. For more information, see the troubleshooting topic Backup policy not created because of incorrect permissions.
Creating authorization policies in the console
Creating volume backup authorizations at the account level
To create the service-to-service authorization policies, follow this procedure:
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select a source account. When you set up the authorization for the Backup service in your own account, select This account. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Select Resource type from the list.
  - In the next field, select IBM Cloud Backup for VPC.
  - Click Next.
- For the target service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Click Resource type. Select one of the following services. You need to create an authorization for each of them.

Table 1. Service-to-service authorizations

| Source service - resource type | Target service - resource type | Dependent service user role |
|---|---|---|
| IBM Cloud Backup for VPC | Block Storage for VPC | Operator |
| IBM Cloud Backup for VPC | Block Storage Snapshots for VPC | Editor |
| IBM Cloud Backup for VPC | Multi-volume snapshots for VPC | Editor |
| IBM Cloud Backup for VPC | Virtual Server for VPC | Operator |

  - Click Next.
- Select the role. See the corresponding role in the table.
- Click Review and check your selections.
- Click Authorize.
- When you return to the Manage authorizations page, click Create again and follow the same steps to set up the authorization for the remaining services.
Creating file share backup authorizations at the account level
To create the service-to-service authorization policy, follow this procedure:
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select a source account. When you set up the authorization for the Backup service in your own account, select This account. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Select Resource type from the list.
  - In the next field, select IBM Cloud Backup for VPC.
  - Click Next.
- For the target service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Click Resource type. Select File Storage for VPC.
  - Click Next.
- Select the roles: Editor and Share Snapshot Operator.
- Click Review and check your selections.
- Click Authorize.
Creating cross-account authorizations for enterprise-managed backups from a child account
To allow an enterprise administrator to manage backups centrally, each child account must grant an authorization that lets the enterprise account's Backup service interact with the child account's resources. A child account administrator can create that authorization locally for their account by following these steps.
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select the source account. When you set up the authorization for the enterprise account's Backup service, select Specific account and enter the ID of the enterprise account. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Select Resource type from the list.
  - In the next field, select IBM Cloud Backup for VPC.
  - Click Next.
- For the target service, select VPC Infrastructure Services from the list.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Click Resource type. Select one of the services in Table 2.

Table 2. Service-to-service authorizations for enterprises

| Source service - resource type | Target service - resource type | Dependent service user role |
|---|---|---|
| IBM Cloud Backup for VPC | Block Storage for VPC | Operator |
| IBM Cloud Backup for VPC | Block Storage Snapshots for VPC | Editor |
| IBM Cloud Backup for VPC | Multi-volume snapshots for VPC | Editor |
| IBM Cloud Backup for VPC | Virtual Server for VPC | Operator |
| IBM Cloud Backup for VPC | IBM Cloud Backup for VPC | Editor |
| IBM Cloud Backup for VPC | File Storage for VPC | Editor, Share Snapshot Operator |

  - Click Next.
- Select the role. See Table 2 for the corresponding role.
- Click Review and check your selections.
- Click Authorize.
- When you return to the Manage authorizations page, click Create again and follow the same steps to set up the authorization for the remaining services.
Creating cross-account authorization templates for enterprise-managed backups
By using authorization templates, an enterprise account administrator can create authorization policies that can be assigned to child accounts and enforced in the assigned accounts, without logging in to each child account separately.
- In the IBM Cloud console, go to Manage > Access (IAM) > Enterprise > Templates.
- Select Authorization, then click Create.
- Enter a name and a description for the authorization template that explain its purpose to users in the enterprise.
- Enter a description for the enterprise-managed authorization policy that explains what the policy does for users in the child accounts.
- Click Create.
Next, complete the following steps to establish the authorization rules:
- Go to Authorization to specify the details of the authorization policy.
- Select the account in which the source service requests access to another service. Select Specific account. When the authorization template is later assigned to a child account, the source account is filled in as that child account, which is also the account that holds the resources being accessed.
- Then select the source service and resources.
  - Select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Select Resource type from the list.
  - In the next field, select IBM Cloud Backup for VPC.
- For the target service, select VPC Infrastructure Services from the list.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Select Resource type from the list. Select one service from the following table. You need to create an authorization for each of them.

Table 3. Service-to-service authorizations for enterprises

| Source service - resource type | Target service - resource type | Dependent service user role |
|---|---|---|
| IBM Cloud Backup for VPC | Block Storage for VPC | Operator |
| IBM Cloud Backup for VPC | Block Storage Snapshots for VPC | Editor |
| IBM Cloud Backup for VPC | Multi-volume snapshots for VPC | Editor |
| IBM Cloud Backup for VPC | Virtual Server for VPC | Operator |
| IBM Cloud Backup for VPC | IBM Cloud Backup for VPC | Editor |
| IBM Cloud Backup for VPC | File Storage for VPC | Editor, Share Snapshot Operator |

  - Click Next.
- Select the role. See the corresponding role in the table.
- Click Review and check your selections. Then click Save.
- The template is now ready to be committed and assigned to child accounts. Repeat the steps above to create an authorization template for every service.
Creating an authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, follow these steps:
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select a source account. When you set up the authorization for the Backup service in your own account, select This account. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
- Select the scope by clicking Specific resources.
- Click Select an attribute, then select Resource type from the list.
- In the next field, select IBM Cloud Backup for VPC.
- Click Next.
- Select Event Notifications as the target service. Click Next.
- Select the scope by clicking Specific resources.
- Click Select an attribute.
- Click serviceInstance.
- In the next field, select string equals.
- In the next field, select the Event Notifications service instance to authorize.
- Select the Event Source Manager role.
- Click Review and check your selections.
- Click Authorize.
Creating authorization policies from the CLI
Creating volume backup authorizations at the account level
To create policies and to schedule and run backup jobs for Block Storage volumes with Backup for VPC in your account, create the following service-to-service authorizations:
- backup-policy (source) to instance (target) with the Operator role
- backup-policy (source) to volume (target) with the Operator role
- backup-policy (source) to snapshot (target) with the Editor role
- backup-policy (source) to snapshot-consistency-group (target) with the Editor role
- Create four JSON files for the authorization policies by using the following information.
  - Instance service:
{
  "type": "authorization",
  "subject": {
    "attributes": [
      {"name": "accountId", "value": "ACCOUNT_ID"},
      {"name": "serviceName", "value": "is"},
      {"name": "resourceType", "value": "backup-policy"}
    ]
  },
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
  ],
  "resources": [
    {
      "attributes": [
        {"name": "accountId", "value": "ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "instanceId", "operator": "stringEquals", "value": "*"}
      ]
    }
  ]
}
  - Block Storage volume service:
{
  "type": "authorization",
  "subject": {
    "attributes": [
      {"name": "accountId", "value": "ACCOUNT_ID"},
      {"name": "serviceName", "value": "is"},
      {"name": "resourceType", "value": "backup-policy"}
    ]
  },
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
  ],
  "resources": [
    {
      "attributes": [
        {"name": "accountId", "value": "ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "volumeId", "operator": "stringEquals", "value": "*"}
      ]
    }
  ]
}
  - Block Storage snapshot service:
{
  "type": "authorization",
  "subject": {
    "attributes": [
      {"name": "accountId", "value": "ACCOUNT_ID"},
      {"name": "serviceName", "value": "is"},
      {"name": "resourceType", "value": "backup-policy"}
    ]
  },
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
  ],
  "resources": [
    {
      "attributes": [
        {"name": "accountId", "value": "ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "snapshotId", "operator": "stringEquals", "value": "*"}
      ]
    }
  ]
}
  - Snapshot consistency group:
{
  "type": "authorization",
  "subject": {
    "attributes": [
      {"name": "accountId", "value": "ACCOUNT_ID"},
      {"name": "serviceName", "value": "is"},
      {"name": "resourceType", "value": "backup-policy"}
    ]
  },
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
  ],
  "resources": [
    {
      "attributes": [
        {"name": "accountId", "value": "ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "snapshotConsistencyGroupId", "operator": "stringEquals", "value": "*"}
      ]
    }
  ]
}
- Then run the following CLI command once for each JSON file.
ibmcloud iam authorization-policy-create --file ~/Documents/policy.json
For more information about all the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating file share backup authorizations at the account level
To create the service-to-service authorization policy for File Storage for VPC share backups, use the authorization-policy-create command.
ibmcloud iam authorization-policy-create is is "Share Snapshot Operator",Editor --source-resource-type backup-policy --target-resource-type share
For more information about all the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating cross-account authorization templates for enterprise-managed backups
Enterprise account administrators can create and assign authorization policy templates for child accounts to manage authorizations centrally. To create an authorization policy template that enables backup policies for all child accounts of the enterprise, complete the following steps.
- To get the enterprise root account ID, run the following command.
ibmcloud enterprise show
- Create JSON files that define the authorization policy templates. For more information about the attributes that you can use in the JSON file, see the IAM Policy Management API.
  - Instance service:
{
  "name": "Centralized authorization for Backup service to work with Instances",
  "description": "Grant Operator Role for the Backup service to work with Instances",
  "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
  "policy": {
    "type": "authorization",
    "description": "Grant Operator on VPC Instances",
    "control": {
      "grant": {
        "roles": [
          {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
        ]
      }
    },
    "subject": {
      "attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"}
      ]
    },
    "resource": {
      "attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "instanceId", "operator": "stringExists", "value": true}
      ]
    }
  }
}
  - Block Storage volume service:
{
  "name": "Centralized authorization for Backup service to work with Block Storage service",
  "description": "Grant Operator Role for the Backup service to work with Block Storage volumes",
  "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
  "policy": {
    "type": "authorization",
    "description": "Grant Operator on Block Storage for VPC volumes",
    "control": {
      "grant": {
        "roles": [
          {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
        ]
      }
    },
    "subject": {
      "attributes": [
        {"key": "serviceName", "value": "is"},
        {"key": "resourceType", "value": "backup-policy"}
      ]
    },
    "resource": {
      "attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "volumeId", "operator": "stringExists", "value": true}
      ]
    }
  }
}
  - Block Storage snapshot service:
{
  "name": "Centralized authorization for Backup service to work with Block Storage snapshots",
  "description": "Grant Editor Role for the Backup service to work with Block Storage snapshots",
  "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
  "policy": {
    "type": "authorization",
    "description": "Grant Editor on Block Storage for VPC snapshots",
    "control": {
      "grant": {
        "roles": [
          {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
        ]
      }
    },
    "subject": {
      "attributes": [
        {"key": "serviceName", "value": "is"},
        {"key": "resourceType", "value": "backup-policy"}
      ]
    },
    "resource": {
      "attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "snapshotId", "operator": "stringExists", "value": true}
      ]
    }
  }
}
  - Snapshot consistency group:
{
  "name": "Centralized authorization for Backup service to work with snapshot consistency groups",
  "description": "Grant Editor Role for the Backup service to work with snapshot consistency groups",
  "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
  "policy": {
    "type": "authorization",
    "description": "Grant Editor on snapshot consistency groups",
    "control": {
      "grant": {
        "roles": [
          {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
        ]
      }
    },
    "subject": {
      "attributes": [
        {"key": "serviceName", "value": "is"},
        {"key": "resourceType", "value": "backup-policy"}
      ]
    },
    "resource": {
      "attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "snapshotConsistencyGroupId", "operator": "stringExists", "value": true}
      ]
    }
  }
}
  - File shares:
{
  "name": "Centralized authorization for Backup service to work with File shares",
  "description": "Grant Editor Role for the Backup service to work with File shares",
  "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
  "policy": {
    "type": "authorization",
    "description": "Grant Editor, and Share Snapshot Operator roles on File shares",
    "control": {
      "grant": {
        "roles": [
          {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"},
          {"role_id": "crn:v1:bluemix:public:is::::serviceRole:ShareSnapshotOperator"}
        ]
      }
    },
    "subject": {
      "attributes": [
        {"key": "serviceName", "value": "is"},
        {"key": "resourceType", "value": "backup-policy"}
      ]
    },
    "resource": {
      "attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "shareId", "operator": "stringExists", "value": true}
      ]
    }
  }
}
- Run the authorization-policy-template-create command with the JSON file, as in the following example request:
ibmcloud iam authorization-policy-template-create --file /path/to/vpc-share-authorization-template.json
- Repeat the previous step for all of the JSON files. When you are done, the templates are ready to be committed and assigned to child accounts.
- Run the following commands to commit a template version and to assign the template to the target accounts.
ibmcloud iam authorization-policy-template-version-commit (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION [-q, --quiet]
ibmcloud iam authorization-policy-assignment-create (TEMPLATE_ID | TEMPLATE_NAME) TEMPLATE_VERSION --target-type TYPE --target TARGET [-q, --quiet] [-o, --output FORMAT]
For more information about the parameters that are available for this command, see ibmcloud iam authorization-policy-template-create.
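The four per-account policy files in "Creating volume backup authorizations at the account level" and the enterprise templates in this section share one structure and differ only in the target resource attribute and the role. The following Python script is an added example, not IBM's code or part of the ibmcloud CLI: it generates both document shapes from one table of required targets and roles, and refuses to write any document whose roles are stronger or weaker than that table. It assumes only the two JSON shapes shown on this page (the v1 policy shape with "name" attributes and the template shape with "key" attributes); the file names, the labels and the check_policy helper are my own, and ACCOUNT_ID and ENTERPRISE_ROOT_ACCOUNT_ID are placeholders as they are on this page.

```python
import json
from pathlib import Path

# Target resource attribute -> (label for file names, roles), taken from the
# authorization tables on this page. ShareSnapshotOperator is a service-defined
# role, the others are platform roles, which is why their CRNs differ below.
REQUIRED = {
    "instanceId": ("instances", ["Operator"]),
    "volumeId": ("volumes", ["Operator"]),
    "snapshotId": ("snapshots", ["Editor"]),
    "snapshotConsistencyGroupId": ("snapshot-consistency-groups", ["Editor"]),
    "shareId": ("file-shares", ["Editor", "ShareSnapshotOperator"]),
}
PLATFORM_ROLES = {"Viewer", "Operator", "Editor", "Administrator"}


def role_crn(role):
    """Platform roles live under iam::::role; service roles under the service's own
    namespace (the form this page uses for ShareSnapshotOperator)."""
    if role in PLATFORM_ROLES:
        return f"crn:v1:bluemix:public:iam::::role:{role}"
    return f"crn:v1:bluemix:public:is::::serviceRole:{role}"


def account_policy(account_id, target):
    """v1 document for `authorization-policy-create --file`: the Backup service in
    account_id may act on every `target` resource of the same account."""
    _, roles = REQUIRED[target]
    return {
        "type": "authorization",
        "subject": {"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": "is"},
            {"name": "resourceType", "value": "backup-policy"}]},
        "roles": [{"role_id": role_crn(r)} for r in roles],
        "resources": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "operator": "stringEquals", "value": "is"},
            {"name": target, "operator": "stringEquals", "value": "*"}]}],
    }


def enterprise_template(root_account_id, target):
    """Template document for `authorization-policy-template-create --file`. No
    accountId attributes: the assigned child account is filled in on assignment."""
    label, roles = REQUIRED[target]
    grant = ", ".join(roles)
    return {
        "name": f"Centralized authorization for Backup service to work with {label}",
        "description": f"Grant {grant} for the Backup service to work with {label}",
        "account_id": root_account_id,
        "policy": {
            "type": "authorization",
            "description": f"Grant {grant} on {label}",
            "control": {"grant": {"roles": [{"role_id": role_crn(r)} for r in roles]}},
            "subject": {"attributes": [
                {"key": "serviceName", "operator": "stringEquals", "value": "is"},
                {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"}]},
            "resource": {"attributes": [
                {"key": "serviceName", "operator": "stringEquals", "value": "is"},
                {"key": target, "operator": "stringExists", "value": True}]},
        },
    }


def _parts(doc):
    """Normalise either shape into (subject attrs, role names, resource attrs)."""
    if "policy" in doc:
        pol = doc["policy"]
        subj = {a["key"]: a["value"] for a in pol["subject"]["attributes"]}
        roles = [r["role_id"] for r in pol["control"]["grant"]["roles"]]
        res = {a["key"]: a["value"] for a in pol["resource"]["attributes"]}
    else:
        subj = {a["name"]: a["value"] for a in doc["subject"]["attributes"]}
        roles = [r["role_id"] for r in doc["roles"]]
        res = {a["name"]: a["value"] for a in doc["resources"][0]["attributes"]}
    return subj, [r.rsplit(":", 1)[1] for r in roles], res


def check_policy(doc):
    """Return the ways `doc` departs from the table; [] means it matches exactly."""
    subj, roles, res = _parts(doc)
    problems = []
    if (subj.get("serviceName"), subj.get("resourceType")) != ("is", "backup-policy"):
        problems.append("subject is not the Backup for VPC backup-policy resource type")
    targets = [k for k in res if k not in ("accountId", "serviceName")]
    if len(targets) != 1 or targets[0] not in REQUIRED:
        return problems + [f"unrecognised target attributes {targets}"]
    allowed = set(REQUIRED[targets[0]][1])
    problems += [f"role {r} is not required for {targets[0]}" for r in roles if r not in allowed]
    problems += [f"role {r} is missing for {targets[0]}" for r in sorted(allowed - set(roles))]
    return problems


def write_documents(out_dir, account_id, root_account_id):
    """Write one policy file and one template file per target; return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for target, (label, _) in REQUIRED.items():
        for kind, doc in (("policy", account_policy(account_id, target)),
                          ("template", enterprise_template(root_account_id, target))):
            if check_policy(doc):
                raise ValueError(f"{kind} for {target}: {check_policy(doc)}")
            path = out / f"{label}-{kind}.json"
            path.write_text(json.dumps(doc, indent=2))
            paths.append(str(path))
    return paths


if __name__ == "__main__":
    # The two account IDs are placeholders, as on this page.
    for p in write_documents("authz", "ACCOUNT_ID", "ENTERPRISE_ROOT_ACCOUNT_ID"):
        print(p)
```

After running it, point the CLI at the generated files: `ibmcloud iam authorization-policy-create --file authz/volumes-policy.json` for an account policy, `ibmcloud iam authorization-policy-template-create --file authz/volumes-template.json` for a template. Keeping the role table in one place is what gives the check its value: the Backup service needs Operator on volumes and instances and Editor on snapshots and nothing stronger, so a document that has drifted to Administrator is rejected before it reaches IAM.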
Creating an authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, use the authorization-policy-create command.
ibmcloud iam authorization-policy-create is event-notification EventSourceManager --source-resource-type backup-policy --target-resource-instance <en-instance-ID>
For more information about all the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating authorization policies with the API
Creating volume backup authorizations at the account level
To create policies and to schedule and run backup jobs for Block Storage volumes with Backup for VPC in your account, create the following service-to-service authorizations:
- is.backup-policy (source) to is.instance (target) with the Operator role
- is.backup-policy (source) to is.volume (target) with the Operator role
- is.backup-policy (source) to is.snapshot (target) with the Editor role
- is.backup-policy (source) to is.snapshot-consistency-group (target) with the Editor role
Make requests to the IAM Policy Management API similar to the following examples.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "authorization",
    "description": "Operator role for the Backup service to the Virtual Server service",
    "subjects": [
      {"attributes": [
        {"name": "serviceName", "value": "is"},
        {"name": "accountId", "value": "$ACCOUNT_ID"},
        {"name": "resourceType", "value": "backup-policy"}]
      }
    ],
    "roles": [
      {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
    ],
    "resources": [
      {"attributes": [
        {"name": "accountId", "value": "$ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "instanceId", "operator": "stringEquals", "value": "*"}]
      }
    ]
  }'
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "authorization",
    "description": "Operator role for the Backup service to the Cloud Block Storage",
    "subjects": [
      {"attributes": [
        {"name": "serviceName", "value": "is"},
        {"name": "accountId", "value": "$ACCOUNT_ID"},
        {"name": "resourceType", "value": "backup-policy"}]
      }
    ],
    "roles": [
      {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
    ],
    "resources": [
      {"attributes": [
        {"name": "accountId", "value": "$ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "volumeId", "operator": "stringEquals", "value": "*"}]
      }
    ]
  }'
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "authorization",
    "description": "Editor role for the Backup service to Block Storage Snapshots",
    "subjects": [
      {"attributes": [
        {"name": "serviceName", "value": "is"},
        {"name": "accountId", "value": "$ACCOUNT_ID"},
        {"name": "resourceType", "value": "backup-policy"}]
      }
    ],
    "roles": [
      {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
    ],
    "resources": [
      {"attributes": [
        {"name": "accountId", "value": "$ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "snapshotId", "operator": "stringEquals", "value": "*"}]
      }
    ]
  }'
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "authorization",
    "description": "Editor role for the Backup service to the Snapshot consistency groups",
    "subjects": [
      {"attributes": [
        {"name": "serviceName", "value": "is"},
        {"name": "accountId", "value": "$ACCOUNT_ID"},
        {"name": "resourceType", "value": "backup-policy"}]
      }
    ],
    "roles": [
      {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
    ],
    "resources": [
      {"attributes": [
        {"name": "accountId", "value": "$ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "snapshotConsistencyGroupId", "operator": "stringEquals", "value": "*"}]
      }
    ]
  }'
For more information, see the API specification for IAM Policy Management.
Creating cross-account authorizations for enterprise-managed volume backups from a child account
To allow an enterprise administrator to manage backups centrally, each child account must grant an authorization that lets the enterprise account's Backup service interact with the child account's resources.
- Make an API request to the Enterprise Management API to get the account ID of the parent enterprise account.
curl -X GET "https://enterprise.cloud.ibm.com/v1/enterprises" -H "Authorization: Bearer <IAM_Token>" -H 'Content-Type: application/json'
- Then make requests to the IAM Policy Management API to create service-to-service authorizations for the enterprise account's is.backup-policy to interact with the child account's is.backup-policy, is.snapshot, is.volume, is.snapshot-consistency-group and is.instance services.
  - Authorize is.backup-policy (source) to interact with is.backup-policy (target) with the Editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "authorization",
    "description": "Editor role for the enterprise Backup service to interact with the backup service of this account",
    "subjects": [
      {"attributes": [
        {"name": "serviceName", "value": "is"},
        {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"},
        {"name": "resourceType", "value": "backup-policy"}]
      }
    ],
    "roles": [
      {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
    ],
    "resources": [
      {"attributes": [
        {"name": "accountId", "operator": "stringEquals", "value": "$SUB_ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "backupPolicyId", "operator": "stringEquals", "value": "*"}]
      }
    ]
  }'
  - Authorize is.backup-policy (source) to interact with is.volume (target) with the Operator role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "authorization",
    "description": "Operator role for the enterprise Backup service to interact with the volume service of this account",
    "subjects": [
      {"attributes": [
        {"name": "serviceName", "value": "is"},
        {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"},
        {"name": "resourceType", "value": "backup-policy"}]
      }
    ],
    "roles": [
      {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
    ],
    "resources": [
      {"attributes": [
        {"name": "accountId", "value": "$SUB_ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "volumeId", "operator": "stringEquals", "value": "*"}]
      }
    ]
  }'
  - Authorize is.backup-policy (source) to interact with is.snapshot (target) with the Editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "authorization",
    "description": "Editor role for the enterprise Backup service to interact with the snapshots of this account",
    "subjects": [
      {"attributes": [
        {"name": "serviceName", "value": "is"},
        {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"},
        {"name": "resourceType", "value": "backup-policy"}]
      }
    ],
    "roles": [
      {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
    ],
    "resources": [
      {"attributes": [
        {"name": "accountId", "value": "$SUB_ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "snapshotId", "operator": "stringEquals", "value": "*"}]
      }
    ]
  }'
  - Authorize is.backup-policy (source) to interact with is.instance (target) with the Operator role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "authorization",
    "description": "Operator role for the enterprise Backup service to interact with the virtual server instance service of this account",
    "subjects": [
      {"attributes": [
        {"name": "serviceName", "value": "is"},
        {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"},
        {"name": "resourceType", "value": "backup-policy"}]
      }
    ],
    "roles": [
      {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
    ],
    "resources": [
      {"attributes": [
        {"name": "accountId", "value": "$SUB_ACCOUNT_ID"},
        {"name": "serviceName", "operator": "stringEquals", "value": "is"},
        {"name": "instanceId", "operator": "stringEquals", "value": "*"}]
      }
    ]
  }'
For more information, see the API specification for IAM Policy Management.
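The troubleshooting note in the overview covers the case where these authorizations are missing and backup policy creation fails. The opposite cases, an authorization that grants more than the tables above call for, or one whose source is an account you do not recognise, are the ones an account reviewer wants to catch, and they matter most in the cross-account setup just described, where the subject of the policy lives in another account. The following Python audit is an added example, not IBM's code: it walks a GET /v1/policies?type=authorization response (the only shape it assumes is the subjects/roles/resources layout used by the requests above), keeps the policies whose subject is the Backup for VPC service, and reports missing targets, over-privileged grants and grants from unexpected source accounts. The response embedded in it is constructed for the example, not captured from a real account, and the account IDs in it are made up.

```python
# Required target attribute -> roles, from the authorization tables on this page.
REQUIRED_ROLES = {
    "instanceId": {"Operator"},
    "volumeId": {"Operator"},
    "snapshotId": {"Editor"},
    "snapshotConsistencyGroupId": {"Editor"},
    "shareId": {"Editor", "ShareSnapshotOperator"},
    "backupPolicyId": {"Editor"},  # only needed for enterprise-managed backups
}
VOLUME_BASELINE = ["instanceId", "volumeId", "snapshotId", "snapshotConsistencyGroupId"]


def _attrs(block):
    return {a["name"]: a["value"] for a in block["attributes"]}


def backup_grants(policies, local_account):
    """Yield (source_account, target_attribute, role_names) for every policy whose
    subject is the Backup for VPC service and whose resources sit in local_account."""
    for pol in policies:
        if pol.get("type") != "authorization":
            continue
        roles = {r["role_id"].rsplit(":", 1)[1] for r in pol["roles"]}
        for subj in pol["subjects"]:
            s = _attrs(subj)
            if (s.get("serviceName"), s.get("resourceType")) != ("is", "backup-policy"):
                continue
            for res in pol["resources"]:
                r = _attrs(res)
                if r.get("accountId", local_account) != local_account:
                    continue
                for target in r:
                    if target in REQUIRED_ROLES:
                        yield s.get("accountId", local_account), target, roles


def audit(response, local_account, enterprise_account=None):
    """Report targets with no sufficient grant, grants carrying roles the tables do
    not call for, and grants whose source is neither this account nor the enterprise."""
    trusted = {local_account, enterprise_account} - {None}
    required = VOLUME_BASELINE + (["backupPolicyId"] if enterprise_account else [])
    granted, over, foreign = {}, [], []
    for src, target, roles in backup_grants(response["policies"], local_account):
        if src not in trusted:
            foreign.append((src, target))
            continue
        extra = sorted(roles - REQUIRED_ROLES[target])
        if extra:
            over.append((target, extra))
        granted[target] = granted.get(target, set()) | roles
    missing = [t for t in required if not REQUIRED_ROLES[t] <= granted.get(t, set())]
    return {"missing": missing, "over_privileged": over, "unexpected_source": foreign}


def _policy(pid, source_account, roles, target, local_account="a1234567"):
    """One policy in the v1 response shape (constructed test data, not captured)."""
    return {
        "id": pid, "type": "authorization",
        "subjects": [{"attributes": [
            {"name": "accountId", "value": source_account},
            {"name": "serviceName", "value": "is"},
            {"name": "resourceType", "value": "backup-policy"}]}],
        "roles": [{"role_id": f"crn:v1:bluemix:public:iam::::role:{r}",
                   "display_name": r} for r in roles],
        "resources": [{"attributes": [
            {"name": "accountId", "value": local_account},
            {"name": "serviceName", "operator": "stringEquals", "value": "is"},
            {"name": target, "operator": "stringEquals", "value": "*"}]}],
    }


# Constructed sample: no consistency-group grant, the snapshot grant carries
# Administrator on top of Editor, and one volume grant comes from an unknown account.
SAMPLE_RESPONSE = {"policies": [
    _policy("p1", "a1234567", ["Operator"], "instanceId"),
    _policy("p2", "a1234567", ["Operator"], "volumeId"),
    _policy("p3", "a1234567", ["Editor", "Administrator"], "snapshotId"),
    _policy("p4", "unknown00", ["Operator"], "volumeId"),
]}

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_RESPONSE, "a1234567").items():
        print(f"{finding}: {value}")
```

Against a real account, replace SAMPLE_RESPONSE with the parsed body of `GET https://iam.cloud.ibm.com/v1/policies?account_id=<ACCOUNT_ID>&type=authorization`; pass `enterprise_account` when the account is a child of an enterprise so that the backup-policy grant to the enterprise is required rather than reported as foreign.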
Creating authorizations for file share backups
To create policies and to schedule and run backup jobs for file shares with Backup for VPC in your account, make the following request to create the required service-to-service authorization.
curl -X POST 'https://iam.cloud.ibm.com/v2/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "authorization",
    "description": "IAM roles for the Backup service to Cloud File Storage",
    "subject": {
      "attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "accountId", "operator": "stringEquals", "value": "a1234567"},
        {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"}]
    },
    "control": {
      "grant": {
        "roles": [
          {"role_id": "crn:v1:bluemix:public:is::::serviceRole:ShareSnapshotOperator"},
          {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}]}
    },
    "resource": {
      "attributes": [
        {"key": "accountId", "operator": "stringEquals", "value": "a1234567"},
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "shareId", "operator": "stringExists", "value": true}]
    }
  }'
Creating cross-account authorization templates for enterprise-managed backups
Enterprise account administrators can programmatically create and assign authorization policy templates for child accounts to manage authorizations centrally. To create an authorization policy template that enables backup policies for all child accounts of the enterprise, complete the following steps.
- Make an API request to the Enterprise Management API to get the account ID of the parent enterprise account.
curl -X GET "https://enterprise.cloud.ibm.com/v1/enterprises" -H "Authorization: Bearer <IAM_Token>" -H 'Content-Type: application/json'
- Then make requests to the IAM Policy Management API to create service-to-service authorizations for the enterprise account's is.backup-policy to interact with the is.backup-policy, is.snapshot, is.volume, is.snapshot-consistency-group and is.instance services of the assigned child accounts.
  - Authorize is.backup-policy (source) to interact with is.backup-policy (target) with the Editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Centralized authorization for Backup service to work with backup policies",
    "description": "Grant Editor Role for the Backup service to work with backup policies",
    "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
    "policy": {
      "type": "authorization",
      "description": "Grant Editor on backup policies",
      "control": {"grant": {"roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}]}},
      "subject": {"attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"}]},
      "resource": {"attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "backupPolicyId", "operator": "stringExists", "value": true}]}
    }
  }'
  - Authorize is.backup-policy (source) to interact with is.volume (target) with the Operator role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Centralized authorization for Backup service to work with Block Storage service",
    "description": "Grant Operator Role for the Backup service to work with Block Storage volumes",
    "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
    "policy": {
      "type": "authorization",
      "description": "Grant Operator on Block Storage for VPC volumes",
      "control": {"grant": {"roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}]}},
      "subject": {"attributes": [
        {"key": "serviceName", "value": "is"},
        {"key": "resourceType", "value": "backup-policy"}]},
      "resource": {"attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "volumeId", "operator": "stringExists", "value": true}]}
    }
  }'
  - Authorize is.backup-policy (source) to interact with is.snapshot (target) with the Editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Centralized authorization for Backup service to work with Block Storage snapshots",
    "description": "Grant Editor Role for the Backup service to work with Block Storage snapshots",
    "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
    "policy": {
      "type": "authorization",
      "description": "Grant Editor on Block Storage for VPC snapshots",
      "control": {"grant": {"roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}]}},
      "subject": {"attributes": [
        {"key": "serviceName", "value": "is"},
        {"key": "resourceType", "value": "backup-policy"}]},
      "resource": {"attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "snapshotId", "operator": "stringExists", "value": true}]}
    }
  }'
  - Authorize is.backup-policy (source) to interact with is.instance (target) with the Operator role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Centralized authorization for Backup service to work with Instances",
    "description": "Grant Operator Role for the Backup service to work with Instances",
    "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
    "policy": {
      "type": "authorization",
      "description": "Grant Operator on VPC Instances",
      "control": {"grant": {"roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}]}},
      "subject": {"attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "resourceType", "operator": "stringEquals", "value": "backup-policy"}]},
      "resource": {"attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "instanceId", "operator": "stringExists", "value": true}]}
    }
  }'
  - Authorize is.backup-policy (source) to interact with is.snapshot-consistency-group (target) with the Editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Centralized authorization for Backup service to work with snapshot consistency groups",
    "description": "Grant Editor Role for the Backup service to work with snapshot consistency groups",
    "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
    "policy": {
      "type": "authorization",
      "description": "Grant Editor on snapshot consistency groups",
      "control": {"grant": {"roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}]}},
      "subject": {"attributes": [
        {"key": "serviceName", "value": "is"},
        {"key": "resourceType", "value": "backup-policy"}]},
      "resource": {"attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "snapshotConsistencyGroupId", "operator": "stringExists", "value": true}]}
    }
  }'
  - Authorize is.backup-policy (source) to interact with is.share (target) with the Editor and Share Snapshot Operator roles.
curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Centralized authorization for Backup service to work with File shares",
    "description": "Grant Editor Role for the Backup service to work with File shares",
    "account_id": "ENTERPRISE_ROOT_ACCOUNT_ID",
    "policy": {
      "type": "authorization",
      "description": "Grant Editor, and Share Snapshot Operator roles on File shares",
      "control": {"grant": {"roles": [
        {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"},
        {"role_id": "crn:v1:bluemix:public:is::::serviceRole:ShareSnapshotOperator"}]}},
      "subject": {"attributes": [
        {"key": "serviceName", "value": "is"},
        {"key": "resourceType", "value": "backup-policy"}]},
      "resource": {"attributes": [
        {"key": "serviceName", "operator": "stringEquals", "value": "is"},
        {"key": "shareId", "operator": "stringExists", "value": true}]}
    }
  }'
For more information, see the API specification for IAM Policy Management.
Creating an authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, make an API request that grants is.backup-policy (source) access to event-notification (target) with the EventSourceManager role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "authorization",
    "description": "Event Source Manager role for the backup service to interact with the Event notification service",
    "subjects": [
      {"attributes": [
        {"name": "serviceName", "value": "is"},
        {"name": "resourceType", "value": "backup-policy"}]
      }
    ],
    "roles": [
      {"role_id": "crn:v1:bluemix:public:iam::::role:EventSourceManager"}
    ],
    "resources": [
      {"attributes": [
        {"name": "serviceName", "operator": "stringEquals", "value": "event-notification"},
        {"name": "instanceId", "operator": "stringEquals", "value": "<en-instance-ID>"}]
      }
    ]
  }'
Creating authorization policies with Terraform
Creating volume backup authorizations at the account level
Use the ibm_iam_authorization_policy resource arguments in your main.tf file to create authorization policies between the services.
resource "ibm_iam_authorization_policy" "policy1" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "volumeId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Operator"]
}
resource "ibm_iam_authorization_policy" "policy2" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "snapshotId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Editor"]
}
resource "ibm_iam_authorization_policy" "policy3" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "snapshotConsistencyGroupId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Editor"]
}
resource "ibm_iam_authorization_policy" "policy4" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "instanceId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Operator"]
}
For more information about the arguments and attributes, see the Terraform documentation for the authorization resource.
Creating authorizations for file share backups
Use the ibm_iam_authorization_policy resource arguments in your main.tf file to create the authorization policy between the services.
resource "ibm_iam_authorization_policy" "policy1" {
  source_service_name  = "is"
  source_resource_type = "backup-policy"
  target_service_name  = "is"
  target_resource_type = "share"
  roles                = ["ShareSnapshotOperator", "Editor"]
}
For more information about the arguments and attributes, see the Terraform documentation for the authorization resource.
Creating an authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, use the ibm_iam_authorization_policy resource arguments in your main.tf file.
resource "ibm_iam_authorization_policy" "en-policy" {
  source_service_name         = "is"
  source_resource_type        = "backup-policy"
  source_resource_instance_id = ibm_backup-policy_instance.instance.guid
  target_service_name         = "event-notification"
  target_resource_instance_id = ibm_event-notification_instance.instance.guid
  roles                       = ["EventSourceManager"]
}
For more information about the arguments and attributes, see the Terraform documentation for the authorization resource.