Updated Authorization Behavior for IBM Cloud Service IDs

2 min read

What are IBM Cloud service IDs?

An IBM Cloud service ID identifies a service or application, similar to how a user ID identifies a user. A service ID that you create can be used to give an application outside of IBM Cloud access to your IBM Cloud services. You can assign specific access policies to the service ID that restrict permissions for using specific services, or you can even combine permissions for accessing different services.

If you create service instances in IBM Cloud or are adding service credentials to a service instance in IBM Cloud, this also creates an IBM Cloud service ID for you. For more information about service IDs, see "Creating and working with service IDs."

How was authorization for IBM Cloud service IDs done before?

Whenever a service ID is created in IBM Cloud, the user ID that initiated the creation is an administrator of this specific service ID. Technically, a new policy is created that gives the user ID the Administrator role on the specific service ID. This happens if you create a service ID manually, but also if you create the service ID indirectly (e.g., when creating service credentials for a service instance). 

In many cases, this policy is redundant, as the user might already have access to all IBM Cloud service IDs because they are the account owner or have an access policy with Administrator role on the IAM Identity service. Nevertheless, this policy exists in your IBM Cloud account and counts toward the limits of IAM entities.

How does authorization behavior for IBM Cloud service IDs work now?

Important: The new authorization behavior described below takes effect on May 27, 2020.

If you create a service ID manually or a service ID is automatically created for you when you create a service instance or add service credentials, IBM Cloud IAM now validates if your user ID is already authorized to execute all actions that an administrator for that service ID would be allowed to execute. If your user ID is already authorized to execute all actions, no access policy is created. If your user ID is not authorized to execute all actions, or if your user ID is authorized to execute only a subset of the actions that an administrator is allowed to execute, a policy is created (like today) to make you an administrator for this service ID.

The overall authorization behavior does not change. After creating the service ID, you have the exact same authorization that you would have had before. Nevertheless, IBM Cloud IAM potentially creates one policy less than before. The probability is very low, but if you or your application relies on this policy, you might need to adjust your behavior. 

See troubleshooting for IAM in case you encounter issues.

Be the first to hear about news, product updates, and innovation from IBM Cloud