Setting Access Control Policies for IBM Cloud Object Storage
As your organization explores more digital initiatives, including cloud and mobile, the importance of identity and access management (IAM) is paramount. Nearly all IT decision makers we talk with agree that IAM is essential to the success of their company’s cloud adoption and it is seen as a key enabler for mobility, analytics and IoT initiatives.
Most digital initiatives have a common linchpin: they are data intensive and must be managed consistently and seamlessly across the organization, ensuring that the right services and users are given access to critical data and resources while providing efficiency and compliance. To help meet this objective, our most recent service release enables customer-driven access control by integrating IBM Cloud Object Storage with IBM Cloud Identity and Access Management. You can set bucket-level access policies on Cloud Object Storage, selectively grant permissions, assign user roles, and control the actions that users and applications can perform. IBM Cloud Identity and Access Management (IAM) lets you control who has access to the resources in your Cloud Object Storage buckets, as well as to other IBM Cloud services, such as IBM Compute instances. These controls help deliver:
Enhanced security – IAM supports security best practices by letting you grant unique credentials to users and groups and specify which IBM Cloud Object Storage buckets they can access. IAM is secure by default: users have no access to Cloud Object Storage resources until permissions are explicitly granted.
Granular control – With access control, you can give users access to only the resources they need, at the service, service-instance, or bucket level. Three pre-defined roles are supported for direct data access: Manager, Writer, and Reader. These let you control the types of actions users can perform on the data they have access to. The Access Control UI provides a simplified way of specifying policies for your buckets from within the IBM Cloud Object Storage console.
Consistent IAM model for IBM cloud services – IBM® Cloud Identity & Access Management enables you to securely authenticate users and control access to all cloud resources consistently in the IBM Cloud.
How it works
Users, roles, resources, and policies
IAM access control lets you assign policies to IBM Cloud Object Storage buckets that define the level of access a user has for managing resources within the assigned context. A policy grants a user one or more roles on a set of resources, where a combination of attributes defines which resources the policy applies to. When you assign a policy to a user, you first specify the bucket and then the role or roles to assign.
You can assign access roles to users and service IDs for buckets, creating the policies with either the UI or the CLI. Here are the roles and example actions:
Granting access to a user
If the user needs to be able to use the IBM Cloud console, it is necessary to also grant them a minimum role of Viewer on the instance itself. This will allow them to view all buckets and list the objects within them. Then you can select Bucket permissions, select the user, and assign the level of access (Manager or Writer) that they require.
If the user will interact with data using the API and doesn’t require console access, and they are a member of your account, you can grant access to a single bucket without any access to the parent instance.
Granting access to a service ID
If you need to grant access to a bucket for an application or other non-human entity, use a Service ID. A Service ID can be created specifically for this purpose, or an existing Service ID can be used.
IAM policies are evaluated hierarchically, from the greatest level of access to the most restricted, and conflicts are resolved in favour of the more permissive policy. For example, if a user holds both the Writer and the Reader role on a bucket, the policy granting the Reader role is ignored. The same rule applies when a service-instance-level policy and a bucket-level policy overlap.
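The following Python is an added example, not IBM's code or API client. It builds access policies in the subjects / roles / resources shape used by the IAM Policy Management API for the three cases described above (a user with Viewer on the instance plus Writer on one bucket, a redundant Reader grant, and a Service ID with Reader on a different bucket and no instance access), then evaluates the effective data-access role per bucket using the resolution rule just described: the most permissive matching policy wins, and an instance-level policy covers every bucket in the instance. The evaluator is a simplified model of that behaviour, and all account, instance and subject IDs are constructed placeholders.

```python
"""Constructed model of IBM Cloud IAM access policies for Cloud Object Storage.

Policy documents follow the subjects / roles / resources shape of the IAM
Policy Management API; the evaluation logic is a simplified model of the
behaviour described in the text (bucket- or instance-scoped policies, most
permissive role wins). Account, instance and subject IDs are constructed.
"""

# Service (data-access) roles, least to most permissive.
SERVICE_ROLE_ORDER = ["Reader", "Writer", "Manager"]
# Platform roles govern the instance and the console, not the data path.
PLATFORM_ROLES = {"Viewer", "Operator", "Editor", "Administrator"}

ACCOUNT_ID = "0000-constructed-account-id"      # constructed placeholder
INSTANCE_ID = "0000-constructed-cos-instance"   # constructed placeholder
SERVICE_NAME = "cloud-object-storage"


def role_crn(role):
    """CRN of a role: service roles use 'serviceRole', platform roles use 'role'."""
    kind = "serviceRole" if role in SERVICE_ROLE_ORDER else "role"
    return f"crn:v1:bluemix:public:iam::::{kind}:{role}"


def make_policy(subject_id, roles, bucket=None):
    """Build one access policy. Without a bucket the policy is scoped to the
    whole service instance; with one, only to that bucket."""
    attrs = [
        {"name": "accountId", "value": ACCOUNT_ID},
        {"name": "serviceName", "value": SERVICE_NAME},
        {"name": "serviceInstance", "value": INSTANCE_ID},
    ]
    if bucket is not None:
        attrs.append({"name": "resourceType", "value": "bucket"})
        attrs.append({"name": "resource", "value": bucket})
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": subject_id}]}],
        "roles": [{"role_id": role_crn(r)} for r in roles],
        "resources": [{"attributes": attrs}],
    }


def _attr_map(entries):
    return {a["name"]: a["value"] for a in entries}


def _role_names(policy):
    return [r["role_id"].rsplit(":", 1)[1] for r in policy["roles"]]


def policy_covers(policy, subject_id, bucket):
    """True if the policy names this subject and its scope includes the bucket."""
    subject = _attr_map(policy["subjects"][0]["attributes"])
    if subject.get("iam_id") != subject_id:
        return False
    res = _attr_map(policy["resources"][0]["attributes"])
    if res.get("serviceName") != SERVICE_NAME or res.get("serviceInstance") != INSTANCE_ID:
        return False
    if "resource" in res:                       # bucket-level policy
        return res.get("resourceType") == "bucket" and res["resource"] == bucket
    return True                                 # instance-level policy covers all buckets


def effective_service_role(policies, subject_id, bucket):
    """Most permissive data-access role the subject holds on the bucket, or None.
    A Reader grant alongside a Writer grant is simply superseded."""
    best = None
    for policy in policies:
        if not policy_covers(policy, subject_id, bucket):
            continue
        for role in _role_names(policy):
            if role in SERVICE_ROLE_ORDER and (
                best is None or SERVICE_ROLE_ORDER.index(role) > SERVICE_ROLE_ORDER.index(best)
            ):
                best = role
    return best


def has_console_access(policies, subject_id):
    """Console use needs a platform role (Viewer or higher) on the instance
    itself, i.e. an instance-level policy rather than a bucket-level one."""
    for policy in policies:
        subject = _attr_map(policy["subjects"][0]["attributes"])
        res = _attr_map(policy["resources"][0]["attributes"])
        if (subject.get("iam_id") == subject_id and "resource" not in res
                and any(r in PLATFORM_ROLES for r in _role_names(policy))):
            return True
    return False


# Constructed sample: one human user with console access and one bucket,
# one Service ID (an application) with read-only access to a different bucket.
SAMPLE_POLICIES = [
    make_policy("IBMid-alice-constructed", ["Viewer"]),                    # instance: console
    make_policy("IBMid-alice-constructed", ["Writer"], bucket="reports"),
    make_policy("IBMid-alice-constructed", ["Reader"], bucket="reports"),  # superseded by Writer
    make_policy("iam-ServiceId-etl-constructed", ["Reader"], bucket="raw-logs"),
]

if __name__ == "__main__":
    for subject, bucket in [("IBMid-alice-constructed", "reports"),
                            ("IBMid-alice-constructed", "raw-logs"),
                            ("iam-ServiceId-etl-constructed", "raw-logs")]:
        print(subject, bucket, effective_service_role(SAMPLE_POLICIES, subject, bucket),
              "console:", has_console_access(SAMPLE_POLICIES, subject))
```

Running the script shows the user resolving to Writer on `reports` (the Reader grant is ignored), no role at all on `raw-logs`, and the Service ID resolving to Reader on `raw-logs` with no console access, which is the least-privilege split the text recommends for applications that only use the API.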