IBM Cloud supports resource sharing between accounts. In this blog post, we discuss use cases and get you started with our new tutorial.
Countless services are offered on the Internet. If you’re like me, you probably have accounts with many service providers for email, messaging, storage, music, news, source code management and more. To use these services, you typically authenticate with a combination of user identity (ID) and password or by providing some form of API key or access token, maybe even with an added second authentication factor.
Similar options exist for services in a cloud-native, microservices-based application. With all the services available in IBM Cloud, thanks to Identity and Access Management (IAM), additional options for app-to-service and service-to-service access exist. So-called service bindings allow the automatic creation and exchange of credentials. Service-to-service authorizations even grant a source service permissions on a target service. Such access is not limited to services in the same account. Authorizations can be given to source services in other IBM Cloud accounts—an enterprise is not required (see screenshot below).
In this blog post, I’ll discuss typical use cases for sharing resources (services) across accounts. Moreover, I’ll show you how to learn more and implement those scenarios on your own with the help of our new tutorial: Resource sharing across accounts.
Resource-sharing use cases
It is not unusual to find multiple applications accessing and using the same resource (or parts of it). One example is when applications and compute environments have to live on the same corporate network. Another scenario is that security logs are collected in central storage.
A microservices architecture requires us to configure services to access and use external resources. In turn, the shared resources must authorize that access, and the network between them must be configured to support such collaboration, but nothing more. Some typical use cases of resource sharing include the following:
- Central management of security-related infrastructure: Monitor security from a dedicated account and aggregate security logs in a single place. Manage all encryption keys in central key management systems (KMS). (See the diagram below.)
- Coordination of network addresses and subnets: Applications and compute environments need to fit into the same network and require the sharing of address ranges and domain names.
- Central management of resources for disaster recovery, including backup services like IBM Cloud Backup: Applications and their services may be designed for high availability, but additional centrally organized resources might be available to fall back to in the worst case. This includes holding multiple resource copies available worldwide (e.g., stored in replicated IBM Cloud Object Storage buckets).
- Control costs by sharing more expensive services where possible: Not every development project needs to have all services deployed as dedicated instances. Often, it is enough to share service instances—within accounts or across. Even for production environments, service instances might be shared depending on their cost/value factor and technical feasibility. This can be organized by restricting available services in an account, utilizing private catalogs and restricting the public catalog, then centrally providing instances of restricted services.
- Central management of resources on a corporate level or for a business unit: This could be assets needed for branding or centrally managed templates, base images (e.g., virtual machines, containers) and more. Again, private catalogs and the Container Registry are typical services.
- Make scarce resources available to more users: Sometimes, a resource type is only available in limited quantity. By sharing, more applications can benefit from it. This may require rate limiting.
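The requirement that shared resources authorize access "but nothing more" can be checked by auditing the service-to-service authorizations that name a source in another account. The following Python check is an added example, not code from the tutorial or its GitHub repository; it assumes policies exported as JSON in the shape of IAM authorization policies (`subjects` and `resources` attribute lists, `roles` with a `role_id`), and all account, instance and policy IDs are constructed placeholders.

```python
OWN_ACCOUNT = "aaaa1111"  # placeholder: the account that owns the shared resources
ROLE_PREFIX = "crn:v1:bluemix:public:iam::::serviceRole:"

def attrs(block):
    """Flatten a subjects/resources attribute list into a name -> value dict."""
    return {a["name"]: a["value"] for a in block[0]["attributes"]}

def audit(policies, own_account):
    """Return {policy_id: [findings]} for every cross-account authorization."""
    report = {}
    for p in policies:
        if p.get("type") != "authorization":
            continue
        src, dst = attrs(p["subjects"]), attrs(p["resources"])
        if src.get("accountId", own_account) == own_account:
            continue  # same-account grant, not a cross-account share
        findings = []
        if "serviceInstance" not in src:
            findings.append("source is not pinned to one instance")
        if "serviceInstance" not in dst:
            findings.append("target is not pinned to one instance")
        roles = [r["role_id"].rsplit(":", 1)[-1] for r in p["roles"]]
        if any(r in ("Manager", "Administrator") for r in roles):
            findings.append("broad role: " + ",".join(roles))
        report[p["id"]] = findings
    return report

def mk(pid, src, dst, role):
    """Build one constructed policy in the assumed export shape."""
    def wrap(d):
        return [{"attributes": [{"name": k, "value": v} for k, v in d.items()]}]
    return {"id": pid, "type": "authorization", "subjects": wrap(src),
            "resources": wrap(dst), "roles": [{"role_id": ROLE_PREFIX + role}]}

# Constructed sample policies; every ID below is a placeholder.
KMS = {"accountId": OWN_ACCOUNT, "serviceName": "kms"}
SAMPLE = [
    mk("p1", {"accountId": "bbbb2222", "serviceName": "cloud-object-storage",
              "serviceInstance": "cos-1"}, {**KMS, "serviceInstance": "kms-1"}, "Reader"),
    mk("p2", {"accountId": "cccc3333", "serviceName": "cloud-object-storage"},
       KMS, "Manager"),
    mk("p3", {"accountId": OWN_ACCOUNT, "serviceName": "cloud-object-storage"},
       KMS, "Reader"),
]

if __name__ == "__main__":
    for pid, findings in audit(SAMPLE, OWN_ACCOUNT).items():
        print(pid, "OK" if not findings else "; ".join(findings))
```

An empty findings list means the cross-account grant is pinned to one source instance, one target instance and a non-administrative role.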
To learn more about how to share resources within IBM Cloud with service-to-service authorizations and other techniques, check out the new IBM Cloud solution tutorial: Resource sharing across accounts.
After looking into typical use cases, the tutorial discusses resource sharing of security resources (see diagram above) and network resources. It then shows how to implement resource sharing and provides IBM Cloud CLI (Command Line Interface) and Terraform examples. Moreover, you will find an overview of IBM Cloud services that support service-to-service authorization or are typically used across accounts.
The tutorial has a related GitHub repository with Terraform code snippets you can use to easily get started. The following are a few resources to help you along the way:
- IBM Cloud solution tutorial: Resource sharing across accounts
- Blog post: Terraform multi-account setup for IBM Cloud and related code on GitHub
- GitHub repository with code samples: Sharing resources across IBM Cloud accounts