April 3, 2019 | Written by: Bo Yang
Categorized: DevOps | How-tos | What's New
You can now manage IBM Cloud resources with a service ID
We are excited to announce that you can now log in to IBM Cloud with a service ID in v0.15.0 of the IBM Cloud CLI. This lets you manage IBM Cloud resources from the command-line interface with a service ID created within an account.
What is a service ID?
A service ID identifies a service or application similarly to how a user ID identifies a user. You can assign specific access policies to the service ID that restrict permissions for accessing IBM Cloud resources. Since service IDs are not tied to a specific user, if a user happens to leave an organization and is removed from the account, the service ID remains intact, ensuring that your application or service stays up and running. Please refer to the IBM Cloud docs page for more information on service IDs.
One example of when you would log in to IBM Cloud with a service ID is CI/CD automation. You don’t need to create functional user IDs or use real user IDs for your CI/CD automation, which brings problems with managing those user IDs and their permissions. Instead, you can create service IDs within your account and grant them only the permissions your automation script requires.
How do I use this feature?
There are a few steps to follow in order to use this new feature through the IBM Cloud CLI.
1. Download and install v0.15.0 of the IBM Cloud CLI, or, if you already have an earlier version of the IBM Cloud CLI installed, run the following command to update it to the latest version:
2. Create a service ID if you don’t already have one:
ibmcloud iam service-id-create SERVICE_ID_NAME
3. At a minimum, assign the “Viewer” role on the “billing” service to your service ID:
ibmcloud iam service-policy-create SERVICE_ID_NAME --roles Viewer --service-name billing
4. Create an API key for your service ID:
ibmcloud iam service-api-key-create API_KEY_NAME SERVICE_ID_NAME
5. Log in to IBM Cloud with the service ID API key:
ibmcloud login --apikey KEY
After logging in with the service ID API key, you can use other commands to manage your cloud resources.
Please note that you cannot manage your Cloud Foundry applications and services when you are logged in with a service ID. The UAA token used by Cloud Foundry needs to be associated with a user ID, so the IAM token you get from authenticating with a service ID API key cannot be exchanged for a UAA token.
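Steps 2 to 5 above, wrapped for a CI/CD job so that the API key is taken from the environment and kept out of the build log. This is an added example, not code from the original post; the function names and the SERVICE_ID_API_KEY variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names and the
# SERVICE_ID_API_KEY variable are assumptions made for illustration.

# Steps 2-4: run once by an account administrator, outside the pipeline.
# Grants only the Viewer role on billing, the minimum named in step 3.
provision_service_id() {
  sid_name="$1"
  key_name="$2"
  ibmcloud iam service-id-create "$sid_name" &&
    ibmcloud iam service-policy-create "$sid_name" --roles Viewer --service-name billing &&
    ibmcloud iam service-api-key-create "$key_name" "$sid_name"
}

# Step 5: run by the CI job. The key comes from the CI secret store through
# the environment, never from the repository. Returns 2 if it is missing.
ci_login() {
  if [ -z "${SERVICE_ID_API_KEY:-}" ]; then
    echo "SERVICE_ID_API_KEY is not set; refusing to log in" >&2
    return 2
  fi
  # If the job runs with `set -x`, pause tracing so the key is not
  # echoed into the build log, then restore it afterwards.
  had_xtrace=0
  case "$-" in *x*) had_xtrace=1; set +x ;; esac
  login_rc=0
  # Note: the key is still a process argument while this command runs.
  ibmcloud login --apikey "$SERVICE_ID_API_KEY" || login_rc=$?
  if [ "$had_xtrace" -eq 1 ]; then set -x; fi
  return "$login_rc"
}
```

Source the file in the job and call ci_login before any other ibmcloud command; a non-zero return means the job should stop.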