IBM Cloud Functions Is Now Identity and Access Management-Enabled

By: Harald Daur

IBM Cloud Functions is now enabled for Identity and Access Management (IAM), the mechanism used across IBM Cloud to control access to resources by users or applications.

IBM Cloud Functions now takes advantage of IAM integration to provide flexible and granular access control over your Functions resources and to control the access your functions have to other resources, such as a Cloudant service instance.

A quick look at the IAM concepts

IAM uses Identities, Resources, and Policies to control access. Let's see how this maps to our Cloud Functions service and what you can achieve by leveraging these concepts.

Resources

The resources in the IBM Cloud are typically instances of a service, such as a database instance or a Kubernetes cluster. In Cloud Functions, we are using the namespace as such a resource instance, and you can now explicitly create a namespace.

Since all IBM Cloud resources are identified by their cloud resource name (CRN), a Cloud Functions namespace also has a CRN assigned. For more information about resource names, see Cloud Resource Names.

Identities

Identities are the subjects that require access to IBM Cloud resources. Usually, an identity is represented by a user or a user group. IAM also supports Service Identities, which represent a functional user for an application or service.

When you create a new Functions namespace, we also create a Service Identity for you. This Service Identity can be seen as a functional user representing the namespace. It can be used to manage the access of namespace actions to other resources and services. We'll cover that below.

For convenience, we also provide an API key that is associated with the namespace Service Identity. This API key can be used to easily derive a token representing the identity when accessing an IAM-enabled IBM Cloud resource.

Policies

Policies define certain access rules and are sometimes referred to as Roles. A policy defines an access role for a certain Identity on a certain Resource. For example, a policy can define that a user 'A' has read access to a resource 'B.' The resource in this example might be a Cloud Functions namespace.

How this is used in Cloud Functions

Up until now, namespaces in Cloud Functions were based on Cloud Foundry organizations and spaces. There is an associated Cloud Functions namespace for each combination. The newly introduced IAM-enabled namespaces are independent and can be directly created using the GUI or CLI. Creating entities such as actions and triggers doesn't change with IAM-enabled namespaces. Access to these entities is granted by defining the access to the namespace using IAM policies (see below).

When you are working with Cloud Functions, you have to consider two different access flows: the inbound and the outbound flows.

Inbound access is the typical use case where you are accessing or invoking a Cloud Functions action. In the case of an IAM-enabled namespace, you have to provide an IAM token for authentication which represents an identity. You can define policies in IAM to control the access a certain identity has within a namespace by assigning the appropriate role.

With policies, you can easily control who has Writer access—and can, therefore, modify the action—and who has Reader access—and, therefore, can only read the action code and invoke the action.

For more information about the supported roles and their access rights, see the Functions IAM docs.

If Cloud Functions actions are invoked by other services programmatically, you can create additional Functions users by using the IAM Service ID concept and use these IDs when invoking the action. To do this, you can put the necessary policies in place for these Service IDs.

Outbound access is the case when your action code calls out to another IBM Cloud service or resource. If that is an IAM-enabled resource, the action code must provide a token for authentication. Any ID can be used to derive a token, as long as the appropriate policy for that identity is in place.

As described above, we are creating one service identity for each namespace which can be used as a functional ID to access IBM Cloud resources. In that case, you simply define the policies in IAM using this namespace service ID to grant access to other resources for the Cloud Functions namespace, independent of who calls the action in the end.

Cloud Functions provides the namespace identity as action metadata for use by the action code (see Namespace access documentation for details).
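
The outbound flow described above, sketched as a Node.js helper for an action. This is an added example, not code from IBM or from the original post. The metadata variable name __OW_IAM_NAMESPACE_API_KEY, the IAM token endpoint, and the apikey grant type are assumptions not stated on this page, and the helper function names are hypothetical.

```javascript
// Added example, not IBM's code. Assumptions (not stated on this page):
// the action metadata variable __OW_IAM_NAMESPACE_API_KEY, the IAM token
// endpoint below, and the apikey grant type.
const IAM_TOKEN_URL = 'https://iam.cloud.ibm.com/identity/token';
const SKEW_SECONDS = 60; // refresh slightly before the token expires
let cached = null;       // reused across warm invocations of one container

// Build the API-key-for-token request. Pure, so it can be checked offline.
function buildTokenRequest(env) {
  const apikey = env.__OW_IAM_NAMESPACE_API_KEY;
  if (!apikey) throw new Error('no namespace API key in action metadata');
  const body = new URLSearchParams({
    grant_type: 'urn:ibm:params:oauth:grant-type:apikey',
    apikey,
  }).toString();
  const headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    Accept: 'application/json',
  };
  return { url: IAM_TOKEN_URL, init: { method: 'POST', headers, body } };
}

// Validate the IAM response; error text never echoes the response body.
function parseTokenResponse(json, nowSec) {
  const ok = json && typeof json.access_token === 'string' &&
    json.access_token.length > 0 &&
    Number.isFinite(json.expires_in) && json.expires_in > 0;
  if (!ok) throw new Error('unexpected IAM token response shape');
  return { token: json.access_token, expiresAt: nowSec + json.expires_in };
}

function isFresh(entry, nowSec) {
  return entry !== null && nowSec < entry.expiresAt - SKEW_SECONDS;
}

// Token for the namespace Service Identity; fetchImpl and now are injectable.
async function getNamespaceToken(env = process.env, fetchImpl = fetch, now = Date.now) {
  const nowSec = Math.floor(now() / 1000);
  if (isFresh(cached, nowSec)) return cached.token;
  const { url, init } = buildTokenRequest(env);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`IAM token exchange failed: HTTP ${res.status}`);
  cached = parseTokenResponse(await res.json(), nowSec);
  return cached.token;
}

// Header for a call to another IAM-enabled resource. Keep the token out of
// logs and out of the action's return value.
async function authHeader(env) {
  return { Authorization: `Bearer ${await getNamespaceToken(env)}` };
}
```

Because the token represents the namespace Service Identity, the policies granted to that identity, not the caller's, decide what the downstream call may do.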

Get started

You can start using the new access management capabilities of IAM on IBM Cloud Functions by simply creating a new IAM-enabled namespace.

To find out more details on IBM Cloud Functions, see our Getting Started page.
