A Python script for insights into IAM Access Groups and Policies.

I am the owner of an IBM Cloud account with multiple users. To organize teamwork, I followed best practices for organizing users, teams, applications and made use of the IBM Cloud IAM (Identity and Access Management) capabilities. 

With users, service IDs, access groups, and access policies in place, I wondered how to get insights into per-user privileges and the scope of service ID permissions. Sure, I could use the IBM Cloud console (UI) or the Command Line Interface (CLI), but why not test the API (Application Programming Interface) for some customized reporting?

In this blog, I am going to quickly introduce the needed IAM concepts, then take a look at the IBM Cloud REST API. Thereafter, I discuss the Python script, how to use it, and how to customize the code for your needs. The script is available on GitHub.

Sample policy showing Administrator role on a service ID as resource.

IAM access groups and policies

As the name implies, IBM Cloud IAM (Identity and Access Management) is the core component of IBM Cloud to handle identities and manage their access to resources. Identities include regular users as well as service IDs, which can be used by applications, tool(chain)s, and more.

To grant access to a resource, an administrator can create a policy for a user or service ID and assign roles on that type of service and its instances. These policies are called authorizations. Roles are a set of service-specific privileges (security attributes). To simplify administration and easily grant the same privileges to users and service IDs, access groups can be used to bundle the authorizations. Thus, an access group combines users, service IDs, and access policies. Users can be part of several access groups.

As a consequence, an identity can have many associated policies—assigned directly (authorizations) or through access groups of which the identity is member.

IBM Cloud APIs

IBM Cloud offers APIs for its platform and services. The documentation portal has the API & SDK reference library. There, in the Platform category, you find the IAM Identity Services, IAM Policy Management, and the IAM Access Groups APIs. They can be utilized to do the following:

  • Turn an IAM API key into an IAM authentication token (Identity).
  • Retrieve information about the account associated with the API key (Identity).
  • Obtain the list of access groups for the account or identity (Access Groups).
  • Return details on all the policies identified by attributes like the related access group or assigned identity (Policy Management).

Policies within an IAM Access Group with Viewer, Administrator, and Editor roles on different resources.

Retrieve access privileges

The Python script for the policy report makes use of the above mentioned APIs and implements exactly those four steps. It can be used to retrieve the policies for the entire account or only a specified identity (i.e., user or service ID).

After reading in the API key, it turns it into an IAM bearer token and retrieves the associated account_id, then first fetches the access groups related to the identity or the entire account. For each group, it fetches and prints the policies. Thereafter, all policies directly related to the identity are retrieved and printed. All that is needed is an API key and (optionally) the IAM ID of the user or service ID. The GitHub repository has instructions on how to create the API key and obtain the IAM IDs for users and service IDs.


The script prints policy information as plain text. But the JSON source could be easily integrated into other tools, turned into a graph (using Graphviz), or combined further with information about services and their instances. The first step is done by turning an API key into a list of access policies.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn


More from Cloud

Kubernetes version 1.28 now available in IBM Cloud Kubernetes Service

2 min read - We are excited to announce the availability of Kubernetes version 1.28 for your clusters that are running in IBM Cloud Kubernetes Service. This is our 23rd release of Kubernetes. With our Kubernetes service, you can easily upgrade your clusters without the need for deep Kubernetes knowledge. When you deploy new clusters, the default Kubernetes version remains 1.27 (soon to be 1.28); you can also choose to immediately deploy version 1.28. Learn more about deploying clusters here. Kubernetes version 1.28 In…

Temenos brings innovative payments capabilities to IBM Cloud to help banks transform

3 min read - The payments ecosystem is at an inflection point for transformation, and we believe now is the time for change. As banks look to modernize their payments journeys, Temenos Payments Hub has become the first dedicated payments solution to deliver innovative payments capabilities on the IBM Cloud for Financial Services®—an industry-specific platform designed to accelerate financial institutions' digital transformations with security at the forefront. This is the latest initiative in our long history together helping clients transform. With the Temenos Payments…

Foundational models at the edge

7 min read - Foundational models (FMs) are marking the beginning of a new era in machine learning (ML) and artificial intelligence (AI), which is leading to faster development of AI that can be adapted to a wide range of downstream tasks and fine-tuned for an array of applications.  With the increasing importance of processing data where work is being performed, serving AI models at the enterprise edge enables near-real-time predictions, while abiding by data sovereignty and privacy requirements. By combining the IBM watsonx data…

The next wave of payments modernization: Minimizing complexity to elevate customer experience

3 min read - The payments ecosystem is at an inflection point for transformation, especially as we see the rise of disruptive digital entrants who are introducing new payment methods, such as cryptocurrency and central bank digital currencies (CDBC). With more choices for customers, capturing share of wallet is becoming more competitive for traditional banks. This is just one of many examples that show how the payments space has evolved. At the same time, we are increasingly seeing regulators more closely monitor the industry’s…