Establishing service-to-service authorizations for the Backup service
Before you can create backup policies, you need to establish service-to-service authorizations and specify user roles. This authorization enables the Backup for VPC service to detect volume tags, create backup snapshots and store them in Object Storage.
Overview
For IBM Cloud Backup for VPC service to work, you need to provide an authorization for the service. In an authorization, the source service is the service that is granted access to the target service. The roles that you select define the level of access for the source service. The target service is the service that you are granting permission to be accessed by the source service based on the roles that you assign. A source service can be in the same account where the authorization is created or in another account. The target service is always in the account where the authorization is created.
To create a backup policy and for the backup jobs to run correctly, the Backup service needs to be authorized to work with Block Storage for VPC, Snapshots for VPC, and Virtual Server for VPC services.
If you are an Enterprise account administrator who wants to create a backup policy for your enterprise account and subaccounts, you also need to have authorization for the Backup for VPC service in the enterprise account to work with the Backup for VPC service in the subaccounts.
For more information about authorizations, see Using authorizations to grant access between services.
If you set up service authorizations incorrectly, the backup service cannot create the backup policies. For more information, see the troubleshooting topic Backup policy not created due to incorrect authorizations.
Creating authorization policies in the UI
Enabling service-to-service authorization at the account level
To create a service-to-service authorization policy, follow this procedure:
-
In the IBM Cloud console, go to Manage > Access (IAM). The Manage access and users page is displayed.
-
From the side panel, select Authorizations.
-
On the Manage authorizations page, click Create.
-
On the Grant a service authorization page, select the source account. As you're setting up authorization for the Backup service in your account, select This account.
-
For the source service, select VPC Infrastructure Services from the list.
-
Select the scope. Choose Resources based on selected attributes.
-
Click Resource type. From the list, select IBM Cloud Backup for VPC.
-
For the target service, select VPC Infrastructure Services from the list.
-
Select the scope. Choose Resources based on selected attributes.
-
Click Resource type. Select one of the following services. You need to create authorization for all of them.
Table 1. Service-to-service authorizations Source service - resource type Target service - resource type Dependent service user role IBM Cloud Backup for VPC Block Storage for VPC Operator IBM Cloud Backup for VPC Block Storage Snapshots for VPC Editor IBM Cloud Backup for VPC Multi-Volume Snapshots for VPC Editor IBM Cloud Backup for VPC Virtual Server for VPC Operator -
Then, under Platform access, select the role. See Table 1 for the appropriate role.
-
Click Authorize.
-
When you are returned to the Manage authorizations page, click Create again and follow the same steps to set up authorizations for the remaining services.
Creating cross-account authorization for the Enterprise
To allow an Enterprise administrator to manage backups centrally, the subaccounts must provide authorization for the Backup service of the Enterprise account to interact with the resources of the child accounts.
| Source service - resource type | Target service - resource type | Dependent service user role |
|---|---|---|
| IBM Cloud Backup for VPC | Block Storage for VPC | Operator |
| IBM Cloud Backup for VPC | Block Storage Snapshots for VPC | Editor |
| IBM Cloud Backup for VPC | Multi-Volume Snapshots for VPC | Editor |
| IBM Cloud Backup for VPC | Virtual Server for VPC | Operator |
| IBM Cloud Backup for VPC | IBM Cloud Backup for VPC | Editor |
- On the Manage authorizations page, click Create.
- On the Grant a service authorization page, select the source account. As you're setting up authorization for the Backup service of the enterprise account, select Other account, and enter the Enterprise account's ID.
- For the source service, select VPC Infrastructure Services from the list.
- Select the scope. Choose Resources based on selected attributes.
- Click Resource type. From the list, select IBM Cloud Backup for VPC.
- For the target service, select VPC Infrastructure Services from the list.
- Select the scope. Choose Resources based on selected attributes.
- Click Resource type. From the list, select IBM Cloud Backup for VPC.
- Then, under Platform access, select the Editor role.
- Click Authorize.
- When you are returned to the Manage authorizations page, click Create again and create authorizations for the remaining services.
Creating authorization policies from the CLI
Enabling service-to-service authorization at the account level
To use Backup for VPC in your account to create policies, plans and run backup jobs, create the following service-to-service authorizations:
backup-policy(source) toinstance(target) with Operator rolebackup-policy(source) tovolume(target) with Operator rolebackup-policy(source) tosnapshot(target) with Editor rolebackup-policy(source) tosnapshot-consistency-group(target) with Editor role
- Create four JSON files with the following information for the authorization policies.
- Instance service:
{ "type": "authorization", "subjects": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "value": "is" }, { "name": "resourceType", "value": "backup-policy" } ] } ], "roles": [ { "role_id": "crn:v1:bluemix:public:iam::::role:Operator" } ], "resources": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "operator": "stringEquals", "value": "is" }, { "name": "instanceId", "value": "*", "operator": "stringEquals" } ] } ] } - Block Storage volume service:
{ "type": "authorization", "subjects": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "value": "is" }, { "name": "resourceType", "value": "backup-policy" } ] } ], "roles": [ { "role_id": "crn:v1:bluemix:public:iam::::role:Operator" } ], "resources": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "operator": "stringEquals", "value": "is" }, { "name": "volumeId", "value": "*", "operator": "stringEquals" } ] } ] } - Block Storage snapshot service:
{ "type": "authorization", "subjects": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "value": "is" }, { "name": "resourceType", "value": "backup-policy" } ] } ], "roles": [ { "role_id": "crn:v1:bluemix:public:iam::::role:Editor" } ], "resources": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "operator": "stringEquals", "value": "is" }, { "name": "snapshotId", "value": "*", "operator": "stringEquals" } ] } ] } - Snapshot consistency group:
{ "type": "authorization", "subjects": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "value": "is" }, { "name": "resourceType", "value": "backup-policy" } ] } ], "roles": [ { "role_id": "crn:v1:bluemix:public:iam::::role:Editor" } ], "resources": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "operator": "stringEquals", "value": "is" }, { "name": "snapshotConsistencyGroupId", "value": "*", "operator": "stringEquals" } ] } ] } - Instance service:
- Then, use the JSON files to run the following CLI command.
ibmcloud iam authorization-policy-create --file ~/Documents/policy.json
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating cross-account authorization for the Enterprise
To allow an Enterprise administrator to manage backups centrally, the subaccounts must provide authorization for the Backup service of the Enterprise account to interact with the resources of the child accounts.
Run the ibmcloud iam authorization-policy-create command with one of the following options: --source-service-account, --source-service-instance-name, or --source-service-instance-id to identify
the enterprise account as the source. To get the enterprise account ID, you can run the following command.
ibmcloud enterprise show
Then, use the account ID to authorize the Enterprise account's backup service instance to interact with the child account's backup, snapshot, volume, and instance services.
ibmcloud iam authorization-policy-create is is Editor --source-resource-type backup-policy --target-resource-type backup-policy --source-service-account ACCOUNT_ID
ibmcloud iam authorization-policy-create is is Editor --source-resource-type backup-policy --target-resource-type snapshot --source-service-account ACCOUNT_ID
ibmcloud iam authorization-policy-create is is Editor --source-resource-type backup-policy --target-resource-type volume --source-service-account ACCOUNT_ID
ibmcloud iam authorization-policy-create is is Editor --source-resource-type backup-policy --target-resource-type snapshot-consistency-group --source-service-account ACCOUNT_ID
ibmcloud iam authorization-policy-create is is Editor --source-resource-type backup-policy --target-resource-type instance --source-service-account ACCOUNT_ID
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating authorization policies with the API
Enabling service-to-service authorization at the account level
To use Backup for VPC in your account to create policies, plans and run backup jobs, create the following service-to-service authorizations:
is.backup-policy(source) tois.instance(target) with operator role.is.backup-policy(source) tois.volume(target) with operator role.is.backup-policy(source) tois.snapshot(target) with editor role.is.backup-policy(source) tois.snapshot-consistency-groupwith editor role
Make the request to the IAM Policy Management API, similar to the following examples.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H
'Authorization: Bearer $TOKEN' -H
'Content-Type: application/json' -d
'{
"type": "access",
"description": "Operator role for the Backup service to the Virtual Server service",
"subjects": [
{"attributes": [
{"name": "serviceName","value": "is"},
{"name": "accountId","value": "$ACCOUNT_ID"},
{"name": "resourceType","value": "backup-policy"}]
}
],
"roles":[
{"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
],
"resources":[
{"attributes":[
{"name": "accountId","value": "$ACCOUNT_ID"},
{"name": "serviceName","value": "is","operator": "stringEquals"},
{"name": "instanceId","value": "*","operator": "stringEquals"}]
}
]
}'
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H
'Authorization: Bearer $TOKEN' -H
'Content-Type: application/json' -d
'{
"type": "access",
"description": "Operator role for the Backup service to the Cloud Block Storage",
"subjects":[
{"attributes":[
{"name": "serviceName","value": "is"},
{"name": "accountId","value": "$ACCOUNT_ID"},
{"name": "resourceType","value": "backup-policy"}]
}],
"roles":[
{"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
],
"resources":[
{"attributes": [
{"name": "accountId","value": "$ACCOUNT_ID"},
{"name": "serviceName","value": "is.volume","operator": "stringEquals"},
{"name": "volumeId","value": "*","operator": "stringEquals"}
]
}
]
}'
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H
'Authorization: Bearer $TOKEN' -H
'Content-Type: application/json' -d
'{
"type": "access",
"description": "Editor role for the Backup service to Block Storage Snapshots",
"subjects": [
{"attributes": [
{"name": "serviceName","value": "is"},
{"name": "accountId","value": "$ACCOUNT_ID"},
{"name": "resourceType","value": "backup-policy"}]
}
],
"roles":[
{"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
],
"resources":[
{"attributes": [
{"name": "accountId","value": "$ACCOUNT_ID"},
{"name": "serviceName","value": "is","operator": "stringEquals"},
{"name": "snapshotId","value": "*","operator": "stringEquals"}]
}
]
}'
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H
'Authorization: Bearer $TOKEN' -H
'Content-Type: application/json' -d
'{
"type": "access",
"description": "Editor role for the Backup service to the Snapshot consistency groups",
"subjects": [
{"attributes": [
{"name": "serviceName","value": "is"},
{"name": "accountId","value": "$ACCOUNT_ID"},
{"name": "resourceType","value": "backup-policy"}]
}
],
"roles":[
{"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
],
"resources":[
{"attributes":[
{"name": "accountId","value": "$ACCOUNT_ID"},
{"name": "serviceName","value": "is","operator": "stringEquals"},
{"name": "snapshotConsistencyGroupId","value": "*","operator": "stringEquals"}]
}
]
}'
For more information, see the api spec for IAM Policy Management.
Creating cross-account authorization for the Enterprise
To allow an Enterprise administrator to manage backups centrally, the subaccounts must provide authorization for the Backup service of the Enterprise account to interact with the resources of the child accounts.
-
Make an API request to the Enterprise Management API to get the account ID of the parent enterprise account.
curl -X GET "https://enterprise.cloud.ibm.com/v1/enterprises" -H "Authorization: Bearer <IAM_Token>" -H 'Content-Type: application/json' -
Then, make the requests to the IAM Policy Management API to create the service-to-service authorizations for the
is.backup-policyof enterprise account to interact with the child account'sis.backup,is.snapshot,is.volume,is.snapshot-consistency-group, andis.instanceservices.- Authorize
is.backup-policy(source) to interact withis.backup-policy(target) with the editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{ "type": "access", "description": "Editor role for the Enterprise account's backup service to interact with this account's backup service.", "subjects": [ {"attributes": [ {"name": "serviceName","value": "is"}, {"name": "accountId","value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType","value": "backup-policy"}] } ], "roles":[ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"} ], "resources":[ {"attributes":[ {"name": "accountId","value": "$SUB_ACCOUNT_ID","operator": "stringEquals"}, {"name": "serviceName","value": "is","operator": "stringEquals"}, {"name": "backupPolicyId","value": "*","operator": "stringEquals"}] } ] }'- Authorize
is.backup-policy(source) to interact withis.volume(target) with the operator role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{ "type": "access", "description": "Operator role for the Enterprise account's backup service to interact with this account's volume service", "subjects": [ { "attributes": [ {"name": "serviceName","value": "is"}, {"name": "accountId","value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType","value": "backup-policy"}] } ], "roles":[ {"role_id" "crn:v1:bluemix:public:iam::::role:Operator"} ], "resources":[ {"attributes": [ {"name": "accountId","value": "$SUB_ACCOUNT_ID"}, {"name": "serviceName","value": "is.volume","operator": "stringEquals"}, {"name": "volumeId","value": "*","operator": "stringEquals"}] } ] }'- Authorize
is.backup-policy(source) to interact withis.snapshot(target) with the editor role.
curl -X POST 'https://iam.test.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{ "type": "access", "description": "Editor role for the Enterprise account's backup service to interact with this account's snapshots", "subjects":[ { "attributes":[ {"name": "serviceName","value": "is"}, {"name": "accountId","value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType","value": "backup-policy"}] } ], "roles":[ {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"} ], "resources":[ {"attributes": [ {"name": "accountId","value": "$SUB_ACCOUNT_ID"}, {"name": "serviceName","value": "is","operator": "stringEquals"}, {"name": "snapshotId","value": "*","operator": "stringEquals"}] } ] }'- Authorize
is.backup-policy(source) to interact withis.instance(target) with the operator role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{ "type": "access", "description": "Operator role for the Enterprise account's backup service to interact with this account's virtual server instance service", "subjects": [ {"attributes": [ {"name": "serviceName","value": "is"}, {"name": "accountId","value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType","value": "backup-policy"}] } ], "roles":[ {"role_id" "crn:v1:bluemix:public:iam::::role:Operator"} ], "resources":[ {"attributes": [ {"name": "accountId","value": "$SUB_ACCOUNT_ID"}, {"name": "serviceName","value": "is.volume","operator": "stringEquals"}, {"name": "instanceId","value": "*","operator": "stringEquals"}] } ] }' - Authorize
For more information, see the api spec for IAM Policy Management.
Creating authorization policies with Terraform
Enabling service-to-service authorization at the account level
Create an authorization policy between services by using the ibm_iam_authorization_policy resource argument in your main.tf file.
resource "ibm_iam_authorization_policy" "policy1" {
subject_attributes {
name = "accountId"
value = data.ibm_iam_account_settings.iam.account_id
}
subject_attributes {
name = "serviceName"
value = "is"
}
subject_attributes {
name = "resourceType"
value = "backup-policy"
}
resource_attributes {
name = "accountId"
operator = "stringEquals"
value = data.ibm_iam_account_settings.iam.account_id
}
resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = "is"
}
resource_attributes {
name = "volumeId"
operator = "stringExists"
value = "true"
}
roles = ["Operator"]
}
resource "ibm_iam_authorization_policy" "policy2" {
subject_attributes {
name = "accountId"
value = data.ibm_iam_account_settings.iam.account_id
}
subject_attributes {
name = "serviceName"
value = "is"
}
subject_attributes {
name = "resourceType"
value = "backup-policy"
}
resource_attributes {
name = "accountId"
operator = "stringEquals"
value = data.ibm_iam_account_settings.iam.account_id
}
resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = "is"
}
resource_attributes {
name = "snapshotId"
operator = "stringExists"
value = "true"
}
roles = ["Editor"]
}
resource "ibm_iam_authorization_policy" "policy3" {
subject_attributes {
name = "accountId"
value = data.ibm_iam_account_settings.iam.account_id
}
subject_attributes {
name = "serviceName"
value = "is"
}
subject_attributes {
name = "resourceType"
value = "backup-policy"
}
resource_attributes {
name = "accountId"
operator = "stringEquals"
value = data.ibm_iam_account_settings.iam.account_id
}
resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = "is"
}
resource_attributes {
name = "snapshotConsistencyGroupId"
operator = "stringExists"
value = "true"
}
roles = ["Editor"]
}
resource "ibm_iam_authorization_policy" "policy4" {
subject_attributes {
name = "accountId"
value = data.ibm_iam_account_settings.iam.account_id
}
subject_attributes {
name = "serviceName"
value = "is"
}
subject_attributes {
name = "resourceType"
value = "backup-policy"
}
resource_attributes {
name = "accountId"
operator = "stringEquals"
value = data.ibm_iam_account_settings.iam.account_id
}
resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = "is"
}
resource_attributes {
name = "instanceId"
operator = "stringExists"
value = "true"
}
roles = ["Operator"]
}
For more information about the arguments and attributes, see the Terraform documentation for authorization resources.