
Configuring IAM Users for IBM MQ as a Service for AWS

How to manage users for the IBM® MQ as a Service AWS Reserved Instance plan.

Note: The following points apply to managing IAM users for IBM MQ as a Service:
  • To change the access of a user who has already been added to the IBM MQ service instance, first remove the user from the User credentials tab, then add them again by assigning a role in IAM.

  • IAM users with pending invites must accept the invitation before they can be assigned access to IBM MQ.

  • It can take a few minutes for changes in access to be reflected in the IBM MQ service instance.

  • You require Account viewer and Service admin access to the specific instance to manage users and service IDs for that instance.

  • You require Account viewer, Account admin, and Service admin access to the specific instance to manage user groups for that instance.

  • You must have the Service admin and MQ admin roles assigned to access the IBM MQ console.

Use case

The following guide shows how an IBM MQ as a Service administrator can create and manage user permissions by using Service IDs and User Groups in IAM rather than by managing users in IBM MQ as a Service directly. Managing users in IAM is the recommended method: it lets IBM MQ administrators and IAM administrators each hold only least-privilege access, and it gives you a single place to manage access.

Creating and managing users in IAM

Create and manage individual users:

  1. Create a user:
    1. Navigate to your subscription and click on your instance.
    2. Click on Manage access. You are redirected to Access Management console.
    3. Navigate to Users tab.
    4. Create a new user by clicking on Add users.
    5. Enter the email ID and click Add.
      Important: Note down the ID shown against the user; you need it to retrieve the username.
  2. Assign IBM MQ access to an existing user:
    1. Go to the Access Management console.
    2. Select the user.
    3. Click Assign roles under Assigned roles tab.
    4. Configure access:
      Resource
      Select Services.
      Subscription
      Select the subscription ID.
      Service Instance
      Select the Service Instance.
      Role
      Roles and actions should be based on specific needs:
      • MQ application grants messaging-level access (the ability to put and get messages to Queue Managers).
      • MQ admin grants full admin access to the IBM MQ as a Service Queue Managers (full administration access, ability to create Queues, and so on).
    5. Click Assign roles.
    6. The user receives an invitation via email.
    7. The user must accept the invitation and become active before access is granted.
  3. Retrieve a username:
    1. Navigate to your Service Instance UI.
    2. Go to the IAM-Managed Credentials tab.
    3. Retrieve the username shown against the ID that you noted when you created the user in step 1.

Create and manage service IDs

  1. Create a Service ID:
    1. Navigate to your subscription and click on your instance.
    2. Click on Manage access. You are redirected to Access Management console.
    3. Navigate to the Service IDs tab.
    4. Click Create Service ID.
    5. Provide the following information:
      Name
      Provide a descriptive name, for example, "app1-producer".
      Resource
      Specify access to instances.
      Subscription
      Select the subscription ID.
      Instance
      Select the service instance ID.
      Role
      Roles and actions should be based on specific needs:
      • MQ application grants messaging-level access (the ability to put and get messages to Queue Managers).
      • MQ admin grants full admin access to the IBM MQ as a Service Queue Managers (full administration access, ability to create Queues, and so on).
    6. Click Create.
      Important: Note down the ID shown against the Service ID; you need it to retrieve the username.
  2. Create API Key for Service ID:
    1. Select the created Service ID.
    2. Go to API Keys tab.
    3. Click Generate API Key.
    4. Provide the following information:
      Type
      Specify Service ID.
      Service ID
      Choose the service ID that you created.
      Expiration Date
      Set an expiration date.
    5. Click Generate Key.
      Important: Save the API key securely (it is only displayed once).
  3. Retrieve a username:
    1. Navigate to your Service Instance UI.
    2. Go to the IAM-Managed Credentials tab.
    3. Retrieve the username shown against the ID that you noted when you created the Service ID in step 1.

Create and Manage User Groups

User Groups allow you to manage access for multiple users centrally.
  1. Create the user group:
    1. Navigate to your subscription and click on your instance.
    2. Click on Manage access. You are redirected to Access Management console.
    3. Navigate to the User Groups tab.
    4. Click Add User Group.
    5. Provide the following information:
      Name
      Provide a descriptive name, for example, "mq-admins-team1".
      Description
      Specify the purpose of the group.
    6. Under Group Roles, provide the following information:
      Resource
      Specify Services.
      Subscription
      Select the subscription ID.
      Instance
      Select the service instance ID.
      Role
      Specify the role for members of the group:
      • MQ application grants messaging-level access (the ability to put and get messages to Queue Managers).
      • MQ admin grants full admin access to the IBM MQ as a Service Queue Managers (full administration access, ability to create Queues, and so on).
    7. Click Create Group.
  2. Add users to the group:
    1. Select the created User Group.
    2. Go to Users tab.
    3. Click Add Users to User group.
    4. Select users to add to the group.
      Important: Users must be active (have accepted an invitation).
  3. Retrieve a username:
    1. Navigate to your Service Instance UI.
    2. Go to the IAM-Managed Credentials tab.
    3. Retrieve the username shown against the ID of the user.