Terraform, IBM Cloud App ID and IAM rules for simple, quick and secure project onboarding.

If you are like me, you sometimes run short-lived projects like workshops or hackathons. For these types of projects, you usually need to bring many people into an account at once and clean everything up after a few days. You typically have different roles, different privileges and different requirements. And you don’t have much time. Now, what to do? 

The obvious answer, of course, is to automate, and to use the cloud security concepts that allow quick and easy onboarding and offboarding while still providing the needed level of security.

In this post and a follow-up blog post, I am going to discuss and share the necessary code to easily and securely onboard participants to an IBM Cloud account. It includes Terraform code to set up an IBM Cloud App ID instance and create and configure either an IAM (Identity and Access Management) access group and/or Trusted Profile. I will also share a Python script to add a group of users with custom attributes all at once to the App ID Cloud Directory (bulk creation).

Overview

Short-lived projects like hackathons or workshops often have the following characteristics:

  • Similar privileges for everyone on the project
  • Only a few IAM (Identity and Access Management) roles like administrator or participant
  • A preference for simple administration (setup, running it, clean up) over the tightest security
  • Bulk onboarding and offboarding/cleanup

Additionally, over time, such projects are repeated with a similar setup, but different participants. So, how do you onboard them efficiently?

IBM Cloud Identity and Access Management (IAM) supports identification of users through different identities and identity providers, including the following:

  • IBMid, an account for many IBM services, including IBM Cloud
  • App ID user ID, a user managed within an instance of the IBM Cloud App ID service

The latter can be used as an external Identity Provider (IdP) for IBM Cloud IAM. Thereby, users managed in App ID can authenticate against App ID and then log in to IBM Cloud. Using the IAM concepts of Access Groups with dynamic rules or Trusted Profiles with conditions based on IdP data, App ID users can be assigned to access policies and their privileges set.

The IBM Cloud document Best practices for organizing resources and assigning access has a comparison of access groups and trusted profiles. The main difference for our scenario is that when using an access group, users access the shared cloud account with their own identity, whereas by utilizing a trusted profile, the profile itself (a single identity) is used. Moreover, only individual users can easily work with the command line interface (CLI).

The setup is similar and we provide the code for both. In the following, we only discuss the setup based on access groups.

App ID for user management

The IBM Cloud App ID service provides easy user management and authentication to apps. It can serve as a wrapper around third-party identity services like Google and Facebook. App ID also has its own user management called Cloud Directory. For all users, regardless of their origin, App ID can maintain a profile. The profile can have attributes from their identity provider (like Cloud Directory, Facebook, etc.) and app-related attributes. It is possible to even pre-register profiles for future users with custom attributes.

For the onboarding and to assign privileges, we make use of these attributes. For a workshop, we could create and attach roles like admin(istrator), student or both to each user. These attributes could then later serve as conditions in the access group rules or for the trusted profiles:

Custom attributes for a user in the App ID Cloud Directory.

As mentioned earlier, we want to use Terraform to create and configure an App ID instance. There are only a few resources to be deployed:

With the above Terraform resources in place, they can be deployed. See the README in the cloud-project-onboarding-terraform repository for details on which commands to use.

Identity provider

Once the App ID instance is available, the next step is to create an identity provider in the IBM Cloud IAM settings. It is a manual step in the IBM Cloud console. The screenshot shows the dialog to be completed. You need to provide a name, select the App ID instance and enable it for account login. If this is the only IdP, you can set it as the default:

Create an identity provider in the IBM Cloud IAM settings.

Thereafter, you can also change the IdP URL to use an alias instead of your account ID. In the screenshot below, I changed the URL to use “workshop_hackathon” as the alias. Later on, that URL needs to be used by your onboarded users to log in to IBM Cloud.

From the same page, remember the realm ID for the newly created IdP. It is necessary to set up the dynamic rule in the access group:

Change the default IdP URL to use an alias instead of the account ID.

Access group with dynamic rules

Creating an IAM access group with a dynamic rule and access policies can be done in Terraform again. The sample code includes the resource definition for the access group itself. Then, a single policy allows read-only access for the targeted users to the workshop-related resource group. Most importantly, a dynamic rule uses the IdP realm ID from above together with a claim based on the App ID custom attributes.

Once deployed following the usage instructions, we can visit the access group and its dynamic rule in the IBM Cloud console. The condition checks that the “workshop_roles” attribute contains “student”:

Dynamic rule of an IAM access group matching with a condition on custom attributes.
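The access group, its read-only policy and the dynamic rule described above, written out as an added Terraform example; this is not the code from the cloud-project-onboarding-terraform repository. It assumes a resource group named workshop, a variable appid_realm_id holding the realm ID copied from the IdP page, the custom attribute name workshop_roles, and an App ID instance on the lite plan in us-south.

```hcl
# Added example, not the repository's code. Assumed: resource group "workshop",
# variable appid_realm_id (realm ID from the IAM IdP page), attribute workshop_roles.
variable "appid_realm_id" {
  description = "Realm ID of the App ID identity provider (IAM > Identity providers)"
  type        = string
}

data "ibm_resource_group" "workshop" {
  name = "workshop" # assumed: resource group holding the workshop resources
}

# App ID instance whose Cloud Directory holds the participants (plan/region assumed).
resource "ibm_resource_instance" "appid" {
  name     = "workshop-appid"
  service  = "appid"
  plan     = "lite"
  location = "us-south"
}

# Access group that matching App ID users are placed into at login.
resource "ibm_iam_access_group" "students" {
  name        = "workshop-students"
  description = "Participants authenticated through the App ID identity provider"
}

# Single policy: read-only (Viewer) on the workshop resource group, nothing else.
resource "ibm_iam_access_group_policy" "students_viewer" {
  access_group_id = ibm_iam_access_group.students.id
  roles           = ["Viewer"]
  resources {
    resource_group_id = data.ibm_resource_group.workshop.id
  }
}

# Dynamic rule: membership is derived from the IdP claim at login instead of
# being managed per user. Condition as in the console: workshop_roles contains
# "student". The value is a JSON string literal, hence the escaped quotes.
resource "ibm_iam_access_group_dynamic_rule" "students_rule" {
  name              = "appid-students"
  access_group_id   = ibm_iam_access_group.students.id
  identity_provider = var.appid_realm_id
  expiration        = 12 # hours a derived membership stays valid before re-login
  conditions {
    claim    = "workshop_roles"
    operator = "CONTAINS"
    value    = "\"student\""
  }
}
```

Because membership is computed from the claim, removing the student value from a user's App ID profile (or deleting the user) revokes access on the next login without touching the access group.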

Conclusions

All that’s left is to add users to App ID. You can do this manually and also configure the custom attributes. Then, use your IdP URL (https://cloud.ibm.com/authorize/accountID-or-alias or https://cloud.ibm.com/authorize/accountID-or-alias/realmID) to log in. In the follow-up post, “Bulk Creation of Users in IBM Cloud App ID,” we discuss how to perform a bulk upload of user records to App ID and how to maintain and reuse the IdP and App ID instance for additional workshops.

Visit the public GitHub repository for the sample code and additional information.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn
