Managing access for flow logs
Access to IBM Cloud® Flow Logs service instances for users in your account is controlled by IBM Cloud® Identity and Access Management. Every user that accesses the Flow Logs service in your account must be assigned an access policy with an IAM role defined. The policy determines the actions that a user can take within the context of the service or instance that you select. The allowable actions are customized and defined by the IBM Cloud service as operations that are allowed to be run on the service. The actions are then mapped to IAM user roles.
Policies enable access to be granted at different levels. The following are some of the included options:
- Access across all instances of the service in your account
- Access to an individual service instance in your account
After you define the scope of the access policy, you assign a role, which determines the user's level of access. Review the following tables that outline the actions that each role allows within the Flow Logs service.
The following table details actions that are mapped to platform management roles. Platform management roles enable users to complete tasks on service resources at the platform level, for example, assign user access for the service and create or delete instances.
For more information about IAM roles, see Getting Started with IAM.
| Platform management role | Description of actions |
|---|---|
| Administrator | Read, operate, update, create, delete, and list flow log collectors |
| Editor | Read, operate, update, create, delete, and list flow log collectors |
| Operator | Operate and list flow log collectors |
| Viewer | Read flow log collectors |
For more information about assigning user roles in the console, see Managing access to resources.
Only one operator role is needed, as determined by the scope of your flow log collector.
In addition, you require the following roles on resources that are not specific to IBM Cloud Flow Logs.

| Role | Description of actions |
|---|---|
| Writer on Object Storage bucket | Create flow log collector |
| Operator on Subnet | Create flow log collector with Subnet scope |
| Operator on VPC | Create flow log collector with VPC scope |
| Operator on virtual server instance | Create flow log collector with Instance or Interface scope |
Operator roles in the following table are required only if the target scope is being changed.
| Role | When needed |
|---|---|
| Writer on Object Storage bucket | Changing the Object Storage bucket |
| Operator on Subnet | Changing to Subnet scope |
| Operator on VPC | Changing to VPC scope |
| Operator on virtual server instance | Changing to Instance or Interface scope |
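The three tables above can be combined into a least-privilege check that tells you which roles a principal still lacks for a given flow log collector operation. The following is an added example, not IBM Cloud code; the role names are the human-readable ones from the tables, and the `action`, `scope` and `new_bucket` parameters are assumptions made for the example.

```python
"""Least-privilege check for IBM Cloud Flow Logs operations (added example)."""
from typing import Iterable, List, Optional, Set

# Platform management role -> collector actions it allows (first table above).
PLATFORM_ACTIONS = {
    "Administrator": {"read", "operate", "update", "create", "delete", "list"},
    "Editor": {"read", "operate", "update", "create", "delete", "list"},
    "Operator": {"operate", "list"},
    "Viewer": {"read"},
}

# Collector scope -> operator role needed on the scoped resource (second and third tables).
SCOPE_OPERATOR_ROLE = {
    "subnet": "Operator on Subnet",
    "vpc": "Operator on VPC",
    "instance": "Operator on virtual server instance",
    "interface": "Operator on virtual server instance",
}
BUCKET_WRITER_ROLE = "Writer on Object Storage bucket"


def required_roles(action: str, scope: Optional[str] = None,
                   new_bucket: bool = False) -> Set[str]:
    """Non-platform roles an action needs.

    scope: on create, the collector's scope (required); on update, the target
    scope only when it is being changed, otherwise None.
    new_bucket: True when an update changes the Object Storage bucket.
    """
    if scope is not None and scope not in SCOPE_OPERATOR_ROLE:
        raise ValueError(f"unknown scope: {scope}")
    needed = set()
    if action == "create":
        if scope is None:
            raise ValueError("create requires a collector scope")
        needed.add(BUCKET_WRITER_ROLE)  # collectors always write to a bucket
    if action == "update" and new_bucket:
        needed.add(BUCKET_WRITER_ROLE)
    if scope is not None:
        needed.add(SCOPE_OPERATOR_ROLE[scope])
    return needed


def missing_roles(held: Iterable[str], action: str, scope: Optional[str] = None,
                  new_bucket: bool = False) -> List[str]:
    """Roles the principal still lacks; an empty list means the request suffices."""
    held = set(held)
    missing = []
    if not any(action in PLATFORM_ACTIONS.get(r, set()) for r in held):
        missing.append(f"platform role allowing '{action}'")
    missing.extend(sorted(required_roles(action, scope, new_bucket) - held))
    return missing
```

Because Administrator and Editor grant the same collector actions, the check treats Editor as sufficient; grant Administrator only when the principal must also manage access for the service.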
Each aggregator creates a separate stream of data to Object Storage. Since you can create a flow log collector that associates data that is captured from multiple interface IDs with a single Object Storage bucket, each bucket needs a folder structure for holding data.