Managing identity and access management (IAM) for IBM® Power® Virtual Servers
IBM Power Virtual Server in IBM data center
IBM Power Virtual Server Private Cloud in Client location
IAM enables you to securely authenticate users, control access to Power® Virtual Server resources with resource groups, and allow access to specific resources for a set of users with access groups. IAM is your one-stop shop for all user and resource management in the IBM Cloud.
Client location To display the Infrastructure capacity navigation menu for the IBM Power Virtual Server Private Cloud when you use a custom role with the power-iaas.pod-capacity.view IAM action, ensure that you have a Viewer role that is assigned in the IAM Access Management service.
For more information about IAM, review the following information:
- Getting started with IAM
- Managing resource groups
- Streamlined access management with access groups
- IAM access concepts
Platform access roles
You can use platform access roles to enable users to complete tasks on IBM Cloud resources, such as creating users or adding services.
The following table displays the IAM platform access roles and the corresponding type of control that is allowed by the Power Virtual Server:
| Platform access role | Type of access allowed |
|---|---|
| Viewer | View instances and list instances. |
| Operator | View instances and manage aliases, bindings (IBM Power Virtual Server Private Cloud in client location only), and credentials. |
| Editor | View instances, list instances, create instances, and delete instances. |
| Administrator | View instances, list instances, create instances, delete instances, and assign policies to other users. |
Service access roles
You can use the service access roles to define the actions that the users can perform on Power Virtual Server resources. The following table displays the IAM service access roles and the corresponding actions that a user can complete by using the Power Virtual Server:
| Service access role | Description of actions |
|---|---|
| Reader | View all resources (such as SSH keys, storage volumes, and network settings). You cannot modify the resources. |
| Manager |
Configure all resources. You can perform the following actions:
|
To see the complete list of actions for each specific role, see the IAM roles and actions page in IBM Cloud documentation.
Resources supported for Power Virtual Server IAM access policies
When you assign access to the Power Virtual Server service, you can scope access to any of the following resources:
- All resources
- Specific resources, which support the following selections:
- Resource group
- Service instance
The access management tags are supported only on Power Virtual Server workspaces. The Power Virtual Server service ignores the access management tags that are attached to the individual resources in a workspace.
Although you can select a Resource type from the Attribute type list, it is not supported. Any roles and actions that are assigned to the Resource type are ignored.
Access role requirements for Power Virtual Server
Power Virtual Server requires extra access for features such as Direct Link, Transit Gateway service, and Virtual Private Cloud. You might require these extra access based on your resource requirements. For example, to create a Cloud connection,
you need accessto the Direct Link service.
The following table displays the additional access roles that are required for the corresponding type of services that are allowed by Power Virtual Server:
| Additional access role | Resources Attributes |
|---|---|
| Editor, Manager, Operator, Reader, Viewer | Power Virtual Server service |
| Editor, Manager, Operator, Reader, Viewer, VPN Client | VPC Infrastructure Services service |
| Editor, Operator, Viewer | Transit Gateway service |
| Reader, Viewer | All resources in account (Including future IAM enabled services) |
| Editor, Operator, Viewer | Direct Link service |
| Viewer | All resource group |
| Viewer | Satellite service Client location |
User access scenarios
For more information about managing and assigning access by using IAM policies, see Managing access to resources.
Understanding trusted profiles for Power Virtual Server
A trusted profile is a security mechanism that eliminates the need to store static secrets, such as IBM Cloud API keys, in potentially vulnerable environments like virtual server instances (VSIs). An IBM Cloud instance is trusted by IBM Cloud IAM as a type of compute resource. As a result, trusted profiles can be used to grant Power Virtual Server VSIs secure access to call other service API endpoints without storing credentials within the instance.
Benefits of using trusted profiles
Using trusted profiles with Power Virtual Server provides several security and operational advantages:
- Enhanced security
- Eliminates the risk of credential exposure by removing the need to store API keys or passwords on your VSIs.
- Simplified credential management
- Eliminates the need to rotate, update, or manage static credentials across your VSI fleet.
- Dynamic authentication
- Applications in the guest OS can generate tokens on demand based on the VSI identity, ensuring that access is always current and tied to the specific instance.
- Reduced attack surface
- Without stored credentials, compromised VSIs cannot expose long-lived secrets that can be used to access other resources.
- Granular access control
- You can assign specific access rights to individual VSIs through IAM policies and access groups.
Managing trusted profiles
You manage trusted profiles through IBM Identity and Access Management (IAM). You can create, configure, and manage trusted profiles from the IBM Cloud Trusted Profiles UI. You can associate each profile with one or more Power Virtual Server VSIs, and you can assign access policies to control which IBM Cloud services and resources the VSIs can access.
Creating a trusted profile for Power Virtual Server
To use trusted profiles with your Power Virtual Server VSIs, you must first create a trusted profile in IAM. You can configure rule-based policies for the VSIs or specify an individual VSI that can use a trusted profile. All configuration is done from within an individual trusted profile.
For more information about creating and managing a trusted profile, see Establishing trust with compute resources in the console.