Managing access for virtual private endpoints

Virtual private endpoint gateways use IBM Cloud Identity and Access Management (IAM) platform access roles to manage access to the service's resources. IAM access roles allow account administrators to assign different levels of permission for calling the service's APIs and accessing the UI.

The following table provides example actions that you can take against the VPE service and its resources, depending on the user's assigned roles.

Platform-access roles

VPE supports Administrator, Editor, Operator, and Viewer platform-access roles. The following table describes IAM authorization actions for VPEs.

Table 1. IAM platform-access user role and actions
Role	Description of Actions	Example Actions
Administrator	All Operator actions, plus actions that modify the state of an endpoint gateway, such as create, delete, and update.	List all endpoint gateways. List a specific endpoint gateway and view its details. Create an endpoint gateway and bind a reserved IP to it.^[1] Update the name of an existing endpoint gateway. Delete an endpoint gateway and unbind its reserved IP address. Bind a reserved IP address to an endpoint gateway.^[2]
Editor	All Operator actions, plus actions that modify the state of an endpoint gateway, such as create, delete, and update.	List all endpoint gateways. List a specific endpoint gateway and view its details. Create an endpoint gateway and bind a reserved IP to it.^[3] Update the name of an existing endpoint gateway. Delete an endpoint gateway and unbind its reserved IP address. Bind a reserved IP address to an endpoint gateway.^[4]
Operator	All Viewer actions, plus the action to bind a reserved IP to an endpoint gateway.	List all endpoint gateways. List a specific endpoint gateway and view its details. Bind a reserved IP address to an endpoint gateway.^[5]
Viewer	Performs actions that don't change the state of the endpoint gateway.	List all endpoint gateways. List a specific endpoint gateway and view its details.

For more information about assigning user roles in the console, see Managing access to resources.

Viewing VPE resources in the Resource list

To view VPE resources in the IBM Cloud resource list, users need an IAM policy for the VPE service. VPE resource-type specific policies aren't sufficient.

A user must have Operator privileges for a reserved IP resource to bind a reserved IP when an endpoint gateway is created. To create an endpoint gateway without binding a reserved IP, a user requires only Administrator or Editor privileges. ↩︎
A user must have Operator privileges for a reserved IP resource to bind a reserved IP when an endpoint gateway is created. To create an endpoint gateway without binding a reserved IP, a user requires only Administrator or Editor privileges. ↩︎
A user must have Operator privileges for a reserved IP resource to bind a reserved IP when an endpoint gateway is created. To create an endpoint gateway without binding a reserved IP, a user requires only Administrator or Editor privileges. ↩︎
A user must have Operator privileges for a reserved IP resource to bind a reserved IP when an endpoint gateway is created. To create an endpoint gateway without binding a reserved IP, a user requires only Administrator or Editor privileges. ↩︎
A user must have Operator privileges for a reserved IP resource to bind a reserved IP when an endpoint gateway is created. To create an endpoint gateway without binding a reserved IP, a user requires only Administrator or Editor privileges. ↩︎