IAM Recipe for IBM Cloud Access & Migration Path from CF

What is IAM?

Identity & Access Management: new access control to provide both authentication and authorization within IBM Cloud to your users & resources more efficiently, services are moving to the IAM model

What is CF?

Cloud Foundry: previous organization model of orgs, spaces & roles for defining access within IBM Cloud

Best practices brainstorming prior to IAM setup:

  • Think about the project in your organization you wish to organize in the context of IAM.
  • Think about the platform and infrastructure resources(users & services) you will use for this project
  • Think about the region(s) you will deploy the environment/services
  • Think about the users who will need various levels of access to work on this project & their responsibilities
  • Think about DevOps architecture patterns, delivery & sample environments you will need such as: development, staging, testing, pre-production, production


Access & Resource Groups Made Simple!

Screen Shot 2018-05-30 at 7.24.20 PM  Resource groups: The Services you want a specific set of users(access group) to all have access to. You set up your access group, define a policy for it and all the users obtain access at once.

Screen Shot 2018-05-30 at 7.24.20 PM  Resource group A (contains COS & Analytics Engine). I will assign Access Group A (Brandy Guillory & Colette Goode) to these resources with (platform access: viewer & service access: reader) access policy.


Real world IAM recipe for a development environment:

Project:Building a Data Lake for Analytics Application utilizing  Watson Studio, Cloud Object Storage & Analytics Engine

Resources:  Services: Watson Studio (using CF) Cloud Object Storage (using IAM), Analytics Engine (using IAM), Kubernetes for scalability Users: Brandy Guillory , Colette Goode

Region(s): US South, Sydney

Responsibilities & Access Levels: Brandy Guillory & Colette Goode are the developers who will work on the project


We will assume the above resources have been added to the resource group “default” at provisioning time.

Screen Shot 2018-05-30 at 7.30.10 PM

Step 1: Create access group within IBM Cloud and add users to the access group as the account owner

Screen Shot 2018-05-30 at 7.33.15 PM

Step 2: Create Service ID identifiers for access to apps within and outside of IBM Cloud to avoid sharing & exposing credentials

Screen Shot 2018-05-30 at 7.34.14 PM

Step 3: Add your service ID identifiers to your access group, the access policy(Editor for the developers) & API key for calling our Kubernetes service via API after its provisioned

Screen Shot 2018-05-30 at 7.43.22 PM.png

Screen Shot 2018-05-30 at 7.44.41 PM

Step 4: Assign access within access group via access policies for the team

Screen Shot 2018-05-30 at 7.44.51 PM

Screen Shot 2018-05-30 at 7.44.58 PM

Hints & Tips:

*Also to set up IAM for and utilize IaaS resources both IaaS (Softlayer) and PaaS must be linked in IBM Cloud

*Your first resource group is created and named Default for you, if you have a Lite account is limited to one resource group

*Resource Groups allow for quickly assigning users to more than one resource at a time, and can be added within Manage>Account>Resource Groups

*Keep in mind that not all of the services within the IBM Cloud catalog can be managed through IAM, so in this case CF can be used for access through orgs and spaces.

*Services that are managed using IBM® Cloud Identity and Access Management (IAM) belong to a resource group instead of Cloud Foundry org or space. When you create a service instance for one of these services from the catalog, you are prompted to assign the instance to a resource group. Your resource group selection at the time of creating the instance is final and can’t be changed. Cloud Foundry services remain assigned to orgs and spaces and cannot be added to a resource group.


A few IAM adopted service instances:

Disclaimer:this is not the complete list & new services onboarded constantly

  • Analytics Engine
  • App ID
  • Cloud Object Storage(COS)
  • Watson Discovery
  • IBM Cloud Container Service
  • IBM Cloud Log Analysis Service
  • IBM Cloud Monitoring Service
  • IBM Key Protect
  • IBM Watson Knowledge Catalog
  • IBM Natural Language Understanding(NLU)
  • IBM Personality Insights
  • IBM Streaming Analytics
  • IBM Speech-to-text (STT)
  • IBM Text-to-Speech (TTS)
  • IBM Tone Analyzer
  • IBM Watson Assistant(formerly Watson Conversation)

Screen Shot 2018-05-30 at 7.49.12 PM

Migration Path from CF(Cloud Foundry) to IAM(Identity & Access Management):

Step 1. Required access

  • Developer role within CF space or Organization manager within CF org where instance currently resides
  • Viewer IAM role within resource group where instance will reside
  • Editor IAM role on service

Step 2: Dashboard notification then More actions>Migrate to a RG>Choose RG>Migrate


I hope this guide helps customers planning on setting up IAM within their organization.