Creating a service ID
You can create a service ID that provides your users with specific role permissions for an identified service on your cluster.
Complete the following steps to create a service ID:
Log in to the console with an ID that has cluster administrator access.
In the navigation menu, select Identity and Access > Teams and service IDs.
Click Manage service IDs.
Click Create service ID.
Enter a name and description for your service ID. The name must be a single string that only contains letters, numbers, underscores (_), and hyphens (-).
The service ID is bound to a namespace.
Select an existing namespace from the list. The namespace that you select defines the scope of the service ID.
Select Create to create the service ID.
Bind an access policy to the service ID. You must have an associated access policy to identify which roles are affected by the service ID. Complete the following steps:
- Navigate to Identity and Access > Teams and service IDs.
- Click Manage service IDs.
- Select the name of the service ID that you want to update.
- Select the Service policies tab. A list of the access policies that are already associated with that service ID is displayed.
- Select Create access policy to create the access policy.
- Select the role to which you are giving the permissions.
- Select the service type to be managed by this policy. The 3 steps that follow are optional and narrow the scope of where the service ID has permissions.
- Specify an instance of the selected service type to limit the access to that instance.
- Enter the resource type and the resource identifier of the specified instance to further narrow the scope of that instance.
- Select Add to associate the access policy with the service ID.
Create an API key for the service ID. By using the API key, the call is identified as coming from this service ID. Complete the following steps:
- As you view the details of the service ID, select the API keys tab.
- Select Create API Key to obtain a key assigned to the service ID.
- Enter the Name and Description for your API key. This helps you identify it when you download it.
- Select Create to download the API key. The key is downloaded as a .json file to your default location. Remember: You cannot view the API key after you leave this screen.
Click Add teams and select the team that you want to bind with the service ID. You must bind a team to the service ID to identify the roles that are affected by the service ID.
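Two of the steps above leave checks to the operator: the name rule for the service ID, and the one-time download of the API key file, which becomes the only copy of that secret. The following shell functions are an added example, not part of this documentation or the cloudctl tooling; the file path and the name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes a POSIX shell;
# the name and file path used at the bottom are placeholders.

# Return 0 if NAME satisfies the documented rule: a single string that
# contains only letters, numbers, underscores (_) and hyphens (-).
validate_service_id_name() {
    name=$1
    [ -n "$name" ] || return 1
    case $name in
        *[!A-Za-z0-9_-]*) return 1 ;;   # any other character (incl. spaces) is rejected
    esac
    return 0
}

# The console downloads the API key once as a .json file and never shows
# it again, so that file is the only copy of the secret. Restrict it to the
# owner before it is moved into a secret store.
secure_api_key_file() {
    file=$1
    [ -s "$file" ] || { echo "missing or empty key file: $file" >&2; return 1; }
    case $file in
        *.json) ;;
        *) echo "expected a .json key file: $file" >&2; return 1 ;;
    esac
    chmod 600 "$file" || return 1
    # Verify the result: owner read/write only, nothing for group or others.
    perms=$(ls -l "$file" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Usage with constructed placeholder values:
# validate_service_id_name "billing-reader_01" && echo "name ok"
# secure_api_key_file "$HOME/Downloads/billing-reader_01.json"
```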
To use the cloudctl CLI to complete these steps, see IAM commands (iam).
- cloudctl iam service-id-create
- cloudctl iam service-policy-create
- cloudctl iam service-api-key-create
- cloudctl iam team-add-service-ids
To use APIs to complete these steps, see the following APIs: