
Configuring IAM Users for IBM MQ as a Service for AWS
How to manage users for the IBM® MQ as a Service AWS Reserved Instance plan.
- To manage a user who has already been added to the IBM MQ service instance, first remove them from the User credentials tab before re-adding them by assigning a role in IAM.
- IAM users with pending invites must accept the invitation before they can be assigned access to IBM MQ.
- It can take a few minutes for changes in access to be reflected in the IBM MQ service instance.
- You require Account viewer and Service admin access to the specific instance to manage users and service IDs for that instance.
- You require Account viewer, Account admin, and Service admin access to the specific instance to manage user groups for that instance.
- You must have the Service admin and MQ admin roles assigned to access the IBM MQ console.
Use case
The following guide shows how an IBM MQ as a Service administrator can create and manage user permissions by using Service IDs and User Groups rather than by using IBM MQ as a Service directly. It is recommended that you manage your users directly in IAM. Using this method enables IBM MQ administrators and IAM administrators to have least privilege access and provides a central management location.
Creating and managing users in IAM
Create and manage individual users:
- Create a user:
  - Navigate to your subscription and click on your instance.
  - Click Manage access. You are redirected to the Access Management console.
  - Navigate to the Users tab.
  - Create a new user by clicking Add users.
  - Enter the email ID and click Add. Important: Note down the ID shown against the user; it is used later to retrieve the username.
- Assign IBM MQ access to an existing user:
  - Go to the Access Management console.
  - Select the user.
  - Click Assign roles under the Assigned roles tab.
  - Configure access:
    - Resource: Select Services.
    - Subscription: Select the subscription ID.
    - Service Instance: Select the Service Instance.
    - Role: Roles and actions should be based on specific needs:
      - MQ application grants messaging-level access (the ability to put and get messages to Queue Managers).
      - MQ admin grants full admin access to the IBM MQ as a Service Queue Managers (full administration access, ability to create Queues, and so on).
  - Click Assign roles.
  - The user receives an invitation via email.
  - The user must accept the invitation and become active before access is granted.
- Retrieve a username:
  - Navigate to your Service Instance UI.
  - Go to the IAM-Managed Credentials tab.
  - Retrieve the username against the ID that you noted when you created the user in Step 1.
Create and manage service IDs
- Create a Service ID:
  - Navigate to your subscription and click on your instance.
  - Click Manage access. You are redirected to the Access Management console.
  - Navigate to the Service IDs tab.
  - Click Create Service ID.
  - Provide the following information:
    - Name: Provide a descriptive name, for example, "app1-producer".
    - Resource: Specify access to instances.
    - Subscription: Select the subscription ID.
    - Instance: Select the service instance ID.
    - Role: Roles and actions should be based on specific needs:
      - MQ application grants messaging-level access (the ability to put and get messages to Queue Managers).
      - MQ admin grants full admin access to the IBM MQ as a Service Queue Managers (full administration access, ability to create Queues, and so on).
  - Click Create. Important: Note down the ID shown against the Service ID; it is used later to retrieve the username.
- Create an API key for the Service ID:
  - Select the created Service ID.
  - Go to the API Keys tab.
  - Click Generate API Key.
  - Provide the following information:
    - Type: Specify Service ID.
    - Service ID: Choose the service ID that you created.
    - Expiration Date: Set an expiration date.
  - Click Generate Key. Important: Save the API key securely; it is displayed only once.
- Retrieve a username:
  - Navigate to your Service Instance UI.
  - Go to the IAM-Managed Credentials tab.
  - Retrieve the username against the ID that you noted when you created the Service ID in Step 1.
Create and manage user groups
- Create the user group:
  - Navigate to your subscription and click on your instance.
  - Click Manage access. You are redirected to the Access Management console.
  - Navigate to the User Groups tab.
  - Click Add User Group.
  - Provide the following information:
    - Name: Provide a descriptive name, for example, "mq-admins-team1".
    - Description: Specify the purpose of the group.
  - Under Group Roles, provide the following information:
    - Resource: Specify Services.
    - Subscription: Select the subscription ID.
    - Instance: Select the service instance ID.
    - Role: Specify the role for members of the group:
      - MQ application grants messaging-level access (the ability to put and get messages to Queue Managers).
      - MQ admin grants full admin access to the IBM MQ as a Service Queue Managers (full administration access, ability to create Queues, and so on).
  - Click Create Group.
- Add users to the group:
  - Select the created User Group.
  - Go to the Users tab.
  - Click Add Users to User group.
  - Select the users to add to the group. Important: Users must be active (have accepted an invitation).
- Retrieve a username:
  - Navigate to your Service Instance UI.
  - Go to the IAM-Managed Credentials tab.
  - Retrieve the username against the ID of the user.