
Authentication - IBM Cloud

To work with the API, authenticate your app or service by including your IAM access token and service instance GUID (ID) in API requests.

You can use the IBM Cloud CLI to quickly generate your personal Cloud IAM access token.

  1. Log in to IBM Cloud® with the IBM Cloud CLI.
    ibmcloud login
    

    If the login fails, run the ibmcloud login --sso command to try again. The --sso parameter is required when you log in with a federated ID. If this option is used, go to the link listed in the CLI output to generate a one-time pass code.

  2. Select the account, region, and resource group that contain your provisioned instance of IBM® MQ as a Service.
  3. Run the following command to retrieve your Cloud IAM access token.
    ibmcloud iam oauth-tokens
    

    The following truncated example shows a retrieved IAM token.

    IAM token: Bearer eyJraWQiOiIyM...

    To retrieve your Service Instance GUID:

    Run the following command, replacing {service-instance-name} with your Service Instance name, and extract the value of the guid field.

    ibmcloud resource service-instance {service-instance-name} --output JSON
    

    You can build your API request by pairing a service endpoint with your authentication credentials. For example, if you created an IBM MQ as a Service instance for the eu-de region, use the following endpoint and API headers to retrieve queue managers in your service instance:

    curl -X GET \
        -H "Accept: application/json" \
        -H "Authorization: Bearer <access_token>" \
        "https://api.private.eu-de.mq2.cloud.ibm.com/v1/<guid>/queue_managers"

    Replace <access_token> with your IBM Cloud IAM token, and <guid> with the Service Instance GUID (ID) that identifies your IBM MQ as a Service instance.

    To call each method, you'll need to be assigned a role that includes the required IAM actions. Each method lists the associated action. For more information about IAM actions and how they map to roles, see Assigning access to account management services.

    To retrieve your access token:

    curl -X POST "https://iam.cloud.ibm.com/identity/token" \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --header 'Accept: application/json' \
        --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \
        --data-urlencode 'apikey=<API_KEY>'

    Replace <API_KEY> with your IAM API key.
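
Added example, not code from the original page or from IBM's SDK: Go code that turns the two CLI outputs above into the queue_managers request. It handles a pitfall in these steps: `ibmcloud iam oauth-tokens` prints the token with a `Bearer ` prefix that the `Authorization: Bearer <access_token>` header template already supplies. The helper names and sample inputs are constructed, and it assumes that `--output JSON` prints a JSON array and that the token is a three-part JWT, as its `eyJ` prefix suggests.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const mqBase = "https://api.private.eu-de.mq2.cloud.ibm.com/v1" // endpoint from the page's eu-de curl example

// guidFromCLI reads "guid" from the --output JSON text (assumed to be a JSON array); zero or several matches are rejected.
func guidFromCLI(out []byte) (string, error) {
	var inst []struct{ GUID string `json:"guid"` }
	if err := json.Unmarshal(out, &inst); err != nil || len(inst) != 1 || inst[0].GUID == "" {
		return "", fmt.Errorf("want exactly one instance with a guid; json error: %v", err)
	}
	return inst[0].GUID, nil
}

// tokenFromCLI returns the bare JWT from an "IAM token: Bearer eyJ..." line, so the header is not "Bearer Bearer ...".
func tokenFromCLI(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) == 0 || strings.Count(f[len(f)-1], ".") != 2 {
		return "", fmt.Errorf("no JWT found in CLI output")
	}
	return f[len(f)-1], nil
}

// newListRequest builds the queue_managers call with the two headers from the page's curl example.
func newListRequest(guid, token string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, mqBase+"/"+url.PathEscape(guid)+"/queue_managers", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Authorization", "Bearer "+token)
	return req, nil
}

func main() { // constructed sample inputs, not real credentials or identifiers
	guid, e1 := guidFromCLI([]byte(`[{"name":"my-mq","guid":"00000000-aaaa-bbbb-cccc-000000000000"}]`))
	tok, e2 := tokenFromCLI("IAM token:  Bearer eyJ0eXAiOiJKV1QifQ.e30.c2ln")
	req, e3 := newListRequest(guid, tok)
	if e1 != nil || e2 != nil || e3 != nil {
		panic(fmt.Sprint(e1, e2, e3))
	}
	fmt.Println(req.Method, req.URL) // log the URL, never the token
}
```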

Go example

Setting client options through external configuration.

Example environment variables, where <ENDPOINT_URL> is the endpoint URL and <API_KEY> is your IAM API key:

export IBMCLOUD_MQCLOUD_CONFIG_ENDPOINT=<ENDPOINT_URL>
export IBMCLOUD_APIKEY=<API_KEY>
export IBMCLOUD_IAM_API_ENDPOINT="https://iam.cloud.ibm.com"

Example of constructing the service client:

import (
	"log"
	"os"

	"github.com/IBM/go-sdk-core/v5/core"
	"github.com/IBM/mqcloud-go-sdk/mqcloudv1"
)
...
authenticator := &core.IamAuthenticator{
	ApiKey: os.Getenv("IBMCLOUD_APIKEY"),
	URL:    os.Getenv("IBMCLOUD_IAM_API_ENDPOINT") + "/identity/token",
}
mqcloudV1Options := &mqcloudv1.MqcloudV1Options{
	URL:           os.Getenv("IBMCLOUD_MQCLOUD_CONFIG_ENDPOINT"),
	Authenticator: authenticator,
}
mqcloudService, err := mqcloudv1.NewMqcloudV1(mqcloudV1Options)
if err != nil {
	log.Fatalf("Failed to create MQ Cloud Service Client: %v", err)
}