IAM commands (iam)

Learn about the cloudctl iam commands that you can run to manage your API keys, IDs, and service policies.

cloudctl iam

cloudctl iam accounts

List all accounts.

cloudctl iam accounts

cloudctl iam api-key

List details of an API key.

cloudctl iam api-key NAME  [--uuid]

OPTIONS:
   --uuid  Display only uuid

cloudctl iam api-key-create

Create an API key.

cloudctl iam api-key-create NAME  [-d, --description DESCRIPTION] [-f, --file FILE]

OPTIONS:
   -d value, --description value  Description of the API key
   -f value, --file value         Save API key information to the specified file. If not set, the JSON content is displayed

cloudctl iam api-key-delete

Delete an API key.

cloudctl iam api-key-delete NAME [-f, --force]

OPTIONS:
   -f, --force  Delete without confirmation

cloudctl iam api-key-update

Update an API key.

cloudctl iam api-key-update NAME [-n, --name NEW_NAME] [-d, --description DESCRIPTION] [-f, --force]

OPTIONS:
   -d value, --description value  New description of the API key
   -f, --force                    Update without confirmation
   -n value, --name value         New name of the API key

cloudctl iam api-keys

List all API keys.

cloudctl iam api-keys

OPTIONS:
   --json  Display output in JSON format
   -s      Do not show the column headers in the output

cloudctl iam group-import

Import a group from an LDAP connection.

Note: You must add the group to a team and assign a role to the group. Only then can the users in the group log in by using cloudctl. For the command to add a group to a team and assign a role, see cloudctl iam team-add-groups.

cloudctl iam group-import -g searchFilter

OPTIONS:
   -c value, --connection value  The ID of the LDAP connection
   -f, --force                   Import without confirmation
   -g value, --group value       An LDAP search filter for the groups to import

cloudctl iam group-remove

Remove one or more groups.

cloudctl iam group-remove groupID1,groupID2,...

OPTIONS:
   -f, --force  Remove without confirmation

cloudctl iam groups

List all imported groups.

cloudctl iam groups

OPTIONS:
   --json  Display output in JSON format
   -s      Do not show the column headers in the output

cloudctl iam ldap-create

Create a new LDAP connection.

cloudctl iam ldap-create NAME --basedn BASEDN --server SERVER --group-filter GROUP-FILTER --group-id-map GROUP-ID-MAP --group-member-id-map GROUP-MEMBER-ID-MAP --user-filter USER-FILTER --user-id-map USER-ID-MAP [--binddn BINDDN] [--binddn-password BINDDN-PASSWORD] [-t TYPE]

OPTIONS:
   --basedn value               The distinguished name of the search base
   --binddn value               The user who is allowed to search the base DN. If not given, the LDAP connection is established without authentication
   --binddn-password value      The password of the user who is mentioned in the binddn
   --group-filter value         The filter clause for searching groups
   --group-id-map value         The filter to map a group name to an LDAP entry
   --group-member-id-map value  The filter to map a user to a group
   --server value               The LDAP directory URL
   -t value, --type value       Type of the LDAP server being used, default value is Custom
   --user-filter value          The filter clause for searching users
   --user-id-map value          The filter to map a user name to an LDAP entry

cloudctl iam ldap-delete

Delete an LDAP connection.

cloudctl iam ldap-delete

OPTIONS:
   -c value, --connection value  The ID of the LDAP connection
   -f, --force                   Delete without confirmation

cloudctl iam ldap-get

Get LDAP connection details.

cloudctl iam ldap-get

OPTIONS:
   -c value, --connection value  The ID of the LDAP connection

cloudctl iam ldaps

List all LDAP connections.

cloudctl iam ldaps

OPTIONS:
   --json  Display output in JSON format
   -s      Do not show the column headers in the output

cloudctl iam oauth-client

Display details of a client registration in JSON format.

cloudctl iam oauth-client CLIENT_ID

cloudctl iam oauth-client-delete

Delete one or more client registrations.

cloudctl iam oauth-client-delete [-f] <CLIENT_ID> [CLIENT_ID-2..]

OPTIONS:
   -f  Force the removal of a registered client with no user prompts

cloudctl iam oauth-client-register

Register a client with an authorization service.

cloudctl iam oauth-client-register --file REGISTRATION_JSON_FILE

OPTIONS:
   -f value, --file value  Path to a file containing the client registration JSON data

cloudctl iam oauth-client-update

Update a client registration.

cloudctl iam oauth-client-update CLIENT_ID --file REGISTRATION_JSON_FILE

OPTIONS:
   -f value, --file value  Path to a file containing the client registration JSON data

cloudctl iam oauth-clients

List all registered clients.

cloudctl iam oauth-clients

OPTIONS:
   --json  Display output in JSON format
   -s      Do not show the column headers in the output

cloudctl iam resource-add

Add a resource to a team.

cloudctl iam resource-add <TEAM_ID> -r <RESOURCE_CRN>

OPTIONS:
   -r value, --resources value  Cloud Resource Name of resource to add; can be a comma-separated list

cloudctl iam resource-rm

Remove a resource from a team.

cloudctl iam resource-rm <TEAM_ID> -r <RESOURCE_CRN>

OPTIONS:
   -r value, --resources value  Cloud Resource Name of resource to remove; can be a comma-separated list

cloudctl iam resources

List resources for the teams that you are assigned to.

cloudctl iam resources [-t, --team TEAM_ID | -r, --resource-type RESOURCE_TYPE]

OPTIONS:
   --json                           Display output in JSON format
   -r value, --resource-type value  Only return resources of this type. Option 'resource-type' and option 'team' cannot be specified together.
   -s                               Do not show the column headers in the output
   -t value, --team value           Only return resources assigned to this team. Option 'team' and option 'resource-type' cannot be specified together.

cloudctl iam roles

List roles.

cloudctl iam roles

OPTIONS:
   --json  Display output in JSON format
   -s      Do not show the column headers in the output

cloudctl iam saml-disable

Disable SAML authentication.

cloudctl iam saml-disable

cloudctl iam saml-enable

Enable SAML authentication.

cloudctl iam saml-enable

cloudctl iam saml-export-metadata

Export the SAML metadata content to create a SAML integration. Requires SAML to be enabled with 'cloudctl iam saml-enable'.

cloudctl iam saml-export-metadata [--file SAML_XML_FILE]

OPTIONS:
   --file value, -f value  Write the SAML metadata content to file

cloudctl iam saml-status

Get the SAML configuration status.

cloudctl iam saml-status

cloudctl iam saml-upload-metadata

Upload SAML metadata content to complete the SAML integration.

cloudctl iam saml-upload-metadata --file SAML_XML_FILE

OPTIONS:
   --file value, -f value  Read the SAML metadata content from file

cloudctl iam service-api-key

List details of a service API key.

cloudctl iam service-api-key NAME SERVICE_ID_NAME [--uuid]

OPTIONS:
   --uuid  Display only uuid

cloudctl iam service-api-key-create

Create a service API key.

cloudctl iam service-api-key-create NAME SERVICE_ID_NAME [-d, --description DESCRIPTION] [-f, --file FILE]

OPTIONS:
   -d value, --description value  Description of the API key
   -f value, --file value         Save API key information to the specified file. If not set, the JSON content is displayed

cloudctl iam service-api-key-delete

Delete a service API key.

cloudctl iam service-api-key-delete NAME SERVICE_ID_NAME [-f, --force]

OPTIONS:
   -f, --force  Delete without confirmation

cloudctl iam service-api-key-update

Update a service API key.

cloudctl iam service-api-key-update NAME SERVICE_ID_NAME [-n, --name NEW_NAME] [-d, --description DESCRIPTION] [-f, --force]

OPTIONS:
   -d value, --description value  New description of the service API key
   -f, --force                    Update without confirmation
   -n value, --name value         New name of the service API key

cloudctl iam service-api-keys

List all API keys of a service.

cloudctl iam service-api-keys SERVICE_ID_NAME

OPTIONS:
   --json  Display output in JSON format
   -s      Do not show the column headers in the output

cloudctl iam service-id

Display details of a service ID.

cloudctl iam service-id NAME [--uuid]

OPTIONS:
   --uuid  Display the UUID of the service ID

cloudctl iam service-id-create

Create a service ID.

cloudctl iam service-id-create NAME [-d, --description DESCRIPTION]

OPTIONS:
   -d value, --description value  Description of the service ID

cloudctl iam service-id-delete

Delete a service ID.

cloudctl iam service-id-delete NAME [-f, --force]

OPTIONS:
   -f, --force  Delete without confirmation

cloudctl iam service-id-update

Update a service ID.

cloudctl iam service-id-update NAME [-n, --name NEW_NAME] [-d, --description DESCRIPTION] [-f, --force]

OPTIONS:
   -d value, --description value  New description of the service ID
   -f, --force                    Update without confirmation
   -n value, --name value         New name of the service ID

cloudctl iam service-ids

List all service IDs.

cloudctl iam service-ids [--uuid]

OPTIONS:
   --json  Display output in JSON format
   -s      Do not show the column headers in the output
   --uuid  Show UUID of service IDs only

cloudctl iam service-policies

List all service policies of the specified service.

cloudctl iam service-policies SERVICE_ID_NAME [--json]

OPTIONS:
   --json  Display policy in JSON format

cloudctl iam service-policy

Display details of a service policy.

cloudctl iam service-policy SERVICE_ID_NAME POLICY_ID [--json]

OPTIONS:
   --json  Display policy in JSON format

cloudctl iam service-policy-create

Create a service policy.

cloudctl iam service-policy-create SERVICE_ID_NAME {-r, --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME]} [-f, --force]

OPTIONS:
   -f, --force              Create service policy without confirmation
   -r value, --roles value  Role names of the policy definition; for supported roles, run 'cloudctl iam roles'
   --service-name value     Service name of the policy definition
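
A least-privilege provisioning flow built from the service-id-create, service-policy-create and service-api-key-create commands documented on this page, as an added example that is not part of the original reference. The function name and all argument values are hypothetical; it assumes cloudctl honours the process umask when writing the -f file, and re-checks the file mode in case it does not.

```shell
#!/bin/sh
# Added example (not from the cloudctl documentation).
# Creates a service ID, attaches one policy scoped to a single service, and
# writes the service API key to a file that only the owner can read.
# Role names are not listed on this page: take them from 'cloudctl iam roles'.

# provision_service_key SERVICE_ID_NAME ROLES SERVICE_NAME KEY_NAME KEY_FILE
provision_service_key() {
    if [ "$#" -ne 5 ]; then
        echo "usage: provision_service_key SERVICE_ID_NAME ROLES SERVICE_NAME KEY_NAME KEY_FILE" >&2
        return 2
    fi
    sid=$1 roles=$2 svc=$3 key=$4 file=$5

    # Never overwrite an existing credential file: a stale key that is
    # silently replaced is hard to account for during rotation.
    if [ -e "$file" ]; then
        echo "refusing to overwrite existing file: $file" >&2
        return 1
    fi

    # cloudctl output goes to stderr so stdout carries only the key file path.
    cloudctl iam service-id-create "$sid" -d "provisioned by script" >&2 || return 1

    # Scope the policy with --service-name instead of granting the roles broadly.
    # -f skips the confirmation prompt so the function can run unattended.
    cloudctl iam service-policy-create "$sid" -r "$roles" --service-name "$svc" -f >&2 || return 1

    # Without -f FILE the key JSON is printed to the terminal, where it can end
    # up in scrollback or CI logs. umask 077 in a subshell makes the file 0600
    # from the moment it is created, without changing the caller's umask.
    ( umask 077
      cloudctl iam service-api-key-create "$key" "$sid" -d "key for $sid" -f "$file" >&2
    ) || return 1

    # Verify rather than trust: tighten the mode if it is not owner read/write only.
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "unexpected mode $mode on $file, tightening to 600" >&2
        chmod 600 "$file" || return 1
    fi
    echo "$file"
}
```

Call it as `provision_service_key NAME ROLES SERVICE_NAME KEY_NAME /path/to/key.json` after logging in; it prints the key file path on success.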

cloudctl iam service-policy-delete

Delete a service policy.

cloudctl iam service-policy-delete SERVICE_ID_NAME POLICY_ID [-f, --force]

OPTIONS:
   -f, --force  Delete without confirmation

cloudctl iam service-policy-update

Update a service policy.

cloudctl iam service-policy-update SERVICE_ID_NAME POLICY_ID --roles ROLE_NAME1,ROLE_NAME2... --service-name SERVICE_NAME [-f, --force]

OPTIONS:
   -f, --force              Update service policy without confirmation
   -r value, --roles value  Role names of the policy definition; for supported roles, run 'cloudctl iam roles'
   --service-name value     Service name of the policy definition

cloudctl iam team-add-groups

Note: You must import the user group from your LDAP server before you add the group to a team. For the command to import user groups, see cloudctl iam group-import.

Add groups to a team with the defined role.

cloudctl iam team-add-groups TEAM_ID ROLE -g group1ID,group2ID,...

OPTIONS:
   -g value, --groups value  Groups to add to the team

cloudctl iam team-add-service-ids

Add service ID(s) to a team.

cloudctl iam team-add-service-ids TEAMID -s Service-ID-Name1,Service-ID-Name2,...

OPTIONS:
   -s value, --service-id-names value  Names of service IDs to add to the team

cloudctl iam team-add-users

Note: You must import the user from your LDAP server before you add the user to a team. For the command to import users, see cloudctl iam user-import.

Add users to a team with the defined role.

cloudctl iam team-add-users TEAM_ID ROLE -u user1ID,user2ID,...

OPTIONS:
   -u value, --users value  Users to add to the team

cloudctl iam team-create

Create a team.

cloudctl iam team-create NAME

cloudctl iam team-delete

Delete a team.

cloudctl iam team-delete TEAM_ID [-f, --force]

OPTIONS:
   -f, --force  Delete without confirmation

cloudctl iam team-get

View users and groups for a team.

cloudctl iam team-get TEAM_ID

OPTIONS:
   --TEAM_ID value  ID of team
   --json           Display output in JSON format
   -s               Do not show the column headers in the output

cloudctl iam team-remove-groups

Remove groups from a team.

cloudctl iam team-remove-groups TEAM_ID -g group1ID,group2ID,...

OPTIONS:
   -f, --force               Remove without confirmation
   -g value, --groups value  Groups to remove from the team

cloudctl iam team-remove-service-ids

Remove service ID(s) from a team.

cloudctl iam team-remove-service-ids TEAMID -s Service-ID-Name1,Service-ID-Name2,...

OPTIONS:
   -f, --force                         Remove without confirmation
   -s value, --service-id-names value  Names of service IDs to be removed from the team

cloudctl iam team-remove-users

Remove users from a team.

cloudctl iam team-remove-users TEAM_ID -u user1ID,user2ID,...

OPTIONS:
   -f, --force              Remove without confirmation
   -u value, --users value  Users to remove from the team

cloudctl iam teams

List all teams.

cloudctl iam teams

OPTIONS:
   --json                  Display output in JSON format
   -s                      Do not show the column headers in the output
   -u value, --user value  Return only the teams that contain this user

cloudctl iam user-import

Import a user from an LDAP connection.

Note: You must add the user to a team and assign a role to the user. Only then can the user log in by using cloudctl. For the command to add a user to a team and assign a role, see cloudctl iam team-add-users.

cloudctl iam user-import -u searchFilter

OPTIONS:
   -c value, --connection value  The ID of the LDAP connection
   -f, --force                   Import without confirmation
   -u value, --user value        An LDAP search filter for the users to import

cloudctl iam user-remove

Remove one or more users.

cloudctl iam user-remove user1ID,user2ID,...

OPTIONS:
   -f, --force  Remove without confirmation

cloudctl iam users

List all imported users.

cloudctl iam users

OPTIONS:
   --json  Display output in JSON format
   -s      Do not show the column headers in the output

cloudctl iam account-create

Create an account.

cloudctl iam account-create acct1

OPTIONS:
   -d, --description  Description of the account

cloudctl iam accounts

List all accounts.

cloudctl iam accounts

OPTIONS:
   --json  Display output in JSON format
   -s      Do not show the column headers in the output

cloudctl iam account-delete

Delete an account. You can use the name or account ID in the command.

cloudctl iam account-delete acct1

OPTIONS:
   -f, --force  Delete without confirmation

cloudctl iam user-onboard

Onboard a user to an account.

cloudctl iam user-onboard <account_ID> -r <account_role> -u <user_ID,user2_ID,...>

OPTIONS:
   -r, --role   Account role for user (PRIMARY_OWNER or MEMBER)
   -u, --users  A single user or a comma-separated list of users to onboard