Logging in with a federated ID

As a federated user that uses a corporate or enterprise single sign-on ID, you can log in to IBM Cloud® from the console by using a federated ID and password. You can also log in from the command-line interface (CLI) by using a one-time passcode or an API key.

By using federated IDs, you don't need to set up new login credentials specific to IBM Cloud, for example, by using IBMid. Instead, users in your organization can easily log in to IBM Cloud with their organization credentials through your identity provider (IdP).

When a user logs in, the user gets an IAM token, which is a temporary credential that expires after 1 hour. After that time, the token must be refreshed to secure the connection and to continue accessing the account resources that the user is assigned access to. For more information about using federated IDs, see Setting up your IBM Cloud account.

Google login isn't available for users with federated IDs. For more information, see known issues and limitations.

Using the console to log in

Use the following steps to log in to the IBM Cloud console:

  1. Go to the IBM Cloud login page.
  2. Enter your ID, and click Continue.
  3. Enter your password.

After you log in, you are directed to the IBM Cloud dashboard, which provides various development, account management, and infrastructure widgets.

Using trusted profiles to log in to the console

Account administrators use trusted profiles to manage specific access for account users. Each profile includes a different set of access policies that map to the roles or actions that you need to be productive. For example, a developer might use access group membership to do their daily work, but at some point during the week they might need to do some operations work in production environments. In this case, the developer would authenticate themselves and then take explicit action to apply a trusted profile that has the access policies they need to do operations work in production.

Applying trusted profiles as an IBMid user

If you are an IBMid user, complete the following steps to log in to the IBM Cloud console by using a trusted profile:

  1. Go to the IBM Cloud login page.
  2. Enter your IBMid, or if you are using single sign-on (SSO), enter your company email address, and click Continue.
  3. Enter your password.
  4. Click Select to choose the trusted profile that your account administrator created for you.

Applying trusted profiles as an App ID user

If you are an App ID user, complete the following steps to log in to the IBM Cloud console by using a trusted profile:

  1. Go to the <DefaultIdPURL> for your organization.

    If you don't know the <DefaultIdPURL>, ask your administrator. They have access to it from the Identity provider page. For more information, see Logging in with external identity provider credentials.

  2. Enter your credentials and log in.

  3. Click Select to choose the trusted profile that your account administrator created for you.

Using the CLI to log in

You can choose to use either a one-time passcode or an API key to log in by using the CLI. You can find details based on whether you're using the IBM Cloud or Red Hat OpenShift CLI in the following sections.

Using a one-time passcode to log in with the CLI

When you use the one-time passcode option to log in with a federated ID, you specify the single sign-on (SSO) parameter to get a one-time passcode, which you then enter at login.

Because a one-time passcode must be retrieved from the IBM Cloud console, using a federated ID with this option in an automation script fails. Use the API key option in automated scripts instead.

From the IBM Cloud CLI

You can use two different methods to log in with the CLI. For the first method, use the following steps:

  1. Specify the --sso option with the ibmcloud login command.

  2. Follow the URL in the prompt to get the one-time passcode.

  3. Copy and paste the passcode value in the CLI as your input.

    ibmcloud login --sso
    API endpoint: https://cloud.ibm.com
    
    Get One Time Code from https://identity-2.us-south.iam.cloud.ibm.com/identity/passcode to proceed.
    Open the URL in the default browser? [Y/n]>
    One Time Code >
    Authenticating...
    OK
    

If you're already logged in to the console, you can use the following steps:

  1. In the IBM Cloud console, click the Avatar icon > Log in to CLI and API.
  2. Copy the information for the IBM Cloud CLI into the CLI.

From the Red Hat OpenShift CLI

You can log in with a one-time passcode by using the following steps:

  1. Log in to the console, and from the console, click the Avatar icon > Log in to CLI and API.
  2. Copy the information for the Red Hat OpenShift CLI and paste it into the CLI.

Using an API key in the CLI for authentication

The required API key is the IBM Cloud API key that is used to authenticate with the IBM Cloud platform, not the classic infrastructure API key or an IBM Cloud service API key.

  1. Create an API key with the ibmcloud iam api-key-create command. Use the --file option to generate an API key file instead of showing the key in the command window:

    ibmcloud iam api-key-create NAME [-d DESCRIPTION] [--file FILE]
    
  2. Log in with the API key. You can use the API key with the IBM Cloud CLI in any of the following ways:

    • Call the API key directly:

      ibmcloud login --apikey <api_key_string>
      
      
    • Call the API key with the key file:

      ibmcloud login --apikey @key_file_name
      
    • Set an environment variable on your system. For example, IBMCLOUD_API_KEY=api_key_string, where api_key_string is the custom value of the API key. After the environment variable is set, you can specify ibmcloud login from the CLI without the --apikey option.

In Windows 10 PowerShell, use '@key_file_name' with single quotation marks around the key file name.

Using an API key to get an IAM token for authentication

You can use an API key to get an IAM token to access your IBM Cloud services. For example, you can run the following curl command to use an API key that is named MY_APIKEY to get an IAM token:

    curl -X POST 'https://iam.cloud.ibm.com/identity/token' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -d 'grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=MY_APIKEY'

For more information, see Creating an IAM access token for a user or service ID by using an API key.
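
The token request above, combined with the 1-hour token lifetime noted at the top of this page, as an added Python example that is not part of the IBM Cloud documentation: a small cache that exchanges an API key for an IAM token and requests a new one shortly before the old one expires. The class name IamTokenCache, the 300-second margin, and the response fields access_token and expires_in (the standard OAuth 2.0 names) are assumptions, because the page does not show the response body.

```python
import json
import time
import urllib.parse
import urllib.request

# Endpoint and grant type are taken from the curl command on this page.
IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
GRANT_TYPE = "urn:ibm:params:oauth:grant-type:apikey"


def http_post_form(url, fields):
    """POST form-encoded fields and return the decoded JSON body (real network call)."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class IamTokenCache:
    """Hypothetical helper: holds one IAM token and renews it before it expires."""

    def __init__(self, api_key, post=http_post_form, clock=time.time, margin=300):
        self._api_key = api_key
        self._post = post      # injectable transport, so the logic can run offline
        self._clock = clock    # injectable clock, so expiry can be simulated
        self._margin = margin  # renew this many seconds before expiry (assumed value)
        self._token = None
        self._expires_at = 0.0

    def token(self):
        """Return a usable access token, calling IAM only when one is needed."""
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            resp = self._post(IAM_TOKEN_URL,
                              {"grant_type": GRANT_TYPE, "apikey": self._api_key})
            self._token = resp["access_token"]  # assumed field name
            # expires_in: token lifetime in seconds (assumed field name)
            self._expires_at = self._clock() + int(resp["expires_in"])
        return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.token()}

    def __repr__(self):
        # Keep the API key out of logs and tracebacks.
        return "IamTokenCache(api_key=<redacted>)"
```

Construct the cache with a key read from an environment variable such as IBMCLOUD_API_KEY rather than a literal in the script, so that the long-lived credential does not end up in source control.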