Establishing service-to-service authorizations for Block Storage for VPC
You can use the Cloud Identity and Access Management (IAM) to create or remove an authorization that grants one service access to another service. For Block Storage for VPC, you need to create service-to-service authorization for configuring customer-managed encryption, and backups.
Overview
In an authorization, the source service is the service that is granted access to the target service. The roles that you select define the level of access for the source service. The target service is the service that you are granting permission to be accessed by the source service based on the roles that you assign. Generally, a source service can be in the same account where the authorization is created or in another account. The target service is always in the account where the authorization is created.
To be able to create an encrypted volume with customer-managed CRKs, you need to establish service-to-service authorization between the Block service and the Key Management Service of your choice.
If you want to create backup snapshots of your Block Storage for VPC volumes, the Backup service needs to be authorized to work with Block Storage for VPC, Snapshots for VPC, and Virtual Server for VPC services. For more information, see Establishing service-to-service authorizations for the Backup service.
For more information about authorizations, see Using authorizations to grant access between services.
Creating service-to-service authorization for customer-managed encryption in the UI
You can access the Manage authorizations by clicking Manage > Access (IAM) > Authorizations.
- On the Manage authorizations page, click Create.
- On the Grant a service authorization page, select the source account.
- For the source service, select Cloud Block Storage from the list.
- For the target service, select Hyper Protect Crypto Services or KeyProtect from the list.
- Check the box to enable authorization to be delegated by source and dependent services.
- Then, under Service access, select the role
Reader
. - Click Authorize.
Creating service-to-service authorization for customer-managed encryption from the CLI
Run the ibmcloud iam authorization-policy-create
command to create authorization policies for the Block service to interact with one or both Key Management Services (Key Protect or Hyper Protect Crypto Services). The source service
is server-protect
and the target service is either kms
or hs-crypto
. The role that you need to assign is Reader
. The following example creates an authorization policy between the Block service
and Key Protect.
$ ibmcloud iam authorization-policy-create server-protect kms Reader
Creating authorization policy under account a1234567 as test.user@ibm.com...
OK
To list the service authorizatons that are already in place for the account, run the ibmcloud iam authorization-policies
command. The following example shows that the Block service could be encrypted with a CRK that is stored in
Key Protect or Hyper Protect Crypto Services.
$ ibmcloud iam authorization-policies
Getting authorization policies under account a1234567 as test.user@ibm.com...
OK
ID: 1f722de4-c3e6-4765-b0d3-482ec77a04f8
Source service name: server-protect
Source service instance: All instances
Target service name: kms
Target service instance: 51042d7f-f0df-4915-bd39-6a49957c9175
Roles: Reader
ID: 605cb9b9-ba0d-456b-8c22-180abee66c47
Source service name: server-protect
Source service instance: All instances
Target service name: hs-crypto
Target service instance: All instances
Roles: Reader
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating service-to-service authorization for customer-managed encryption with the API
Make a request to the IAM Policy Management API to create the service-to-service authorization for the source volume's Block service to interact with a Key Management Service instance (Key Protect or Hyper Protect Crypto Services).
-
The following example shows how you can authorize the Block service
is.server-protect
(source) to interact with the Key Protect servicekms
(target) with the Reader role.curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{ "type": "access", "description": "Reader role for the Block service to interact with the KeyProtect service.", "subjects": [{"attributes": [{"name": "serviceName","value": "server-protect"}]}], "roles":[{"role_id": "crn:v1:bluemix:public:iam::::role:Reader"}], "resources":[{"attributes": [{"name": "serviceName","value": "kms"}]}] }'
-
To create an authorization policy for Hyper Protect Crypto Services, replace
kms
withhs-crypto
in the previous example.
Creating service-to-service authorization for customer-managed encryption with Terraform
Create an authorization policy between the Block service and the key management services by using the ibm_iam_authorization_policy
resource argument in your main.tf
file.
The following example creates an authorization policy between the Block service and Key Protect when applied.
resource "ibm_iam_authorization_policy" "mypolicy4keyprotect" {
source_service_name = "is"
source_resource_type = "server-protect"
target_service_name = "kms"
roles = ["Reader"]
}
The following example creates an authorization policy between the Block service and Hyper Protect Crypto Services when applied.
resource "ibm_iam_authorization_policy" "mypolicy4HPCS" {
source_service_name = "is"
source_resource_type = "server-protect"
target_service_name = "hs-crypto"
roles = ["Reader"]
}
For more information about the arguments and attributes, see the Terraform documentation for authorization resources.