IBM Cloud Docs
Required IAM permissions to run the IBM® Cloud Logs migration tool

The IBM® Cloud Logs migration tool requires that you have certain IBM Cloud® Identity and Access Management permissions to successfully migrate your IBM Log Analysis or IBM Cloud Activity Tracker instance configuration to IBM Cloud Logs.

Required permissions to run the migration tool

| Service | Roles |
|---|---|
| IBM Cloud Activity Tracker | administrator, manager |
| IBM Cloud Activity Tracker Event Routing | administrator, writer |
| IBM Log Analysis | administrator, manager |
| IBM Cloud Logs | manager, administrator, sender |
| IBM Cloud Object Storage | writer [*], editor, service configuration reader, manager [**] |
| IBM Key Protect | viewer, reader |
| IBM Cloud Logs Routing | administrator, manager |
| Event Notifications | manager, Event Source Manager and Reader |

[*] IBM Cloud Object Storage buckets with IBM Key Protect configured keys must have the writer role (cloud-object-storage.bucket.list_crk_id) to read the key name.

[**] IBM Cloud Object Storage buckets with Activity Tracker or Monitoring enabled must have the manager role (storage.bucket.put_activity_tracking, cloud-object-storage.bucket.put_metrics_monitoring) to create the new buckets with the correct configuration.

You must have permissions in the resource groups where you plan to create resources with the migration tool.

When you configure your Logging agent to send logs to IBM Cloud Logs, you will need credentials that include the sender role. For more information, see Setting up IAM permissions for ingestion.

If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that the permission is granted. However, only the highest level of permission that you have for the target service (viewer, in this example) is assigned.

Configuring IBM Log Analysis and IBM Cloud Activity Tracker using the CLI

Due to the deprecation of IBM Log Analysis and IBM Cloud Activity Tracker, you might not be able to configure permissions for these two services using the UI. Permissions can be configured using the IBM Cloud CLI.

To configure permissions for IBM Log Analysis, run:

ibmcloud iam user-policy-create <USER_NAME> --roles <ROLES> --service-name logdna

To configure permissions for IBM Cloud Activity Tracker, run:

ibmcloud iam user-policy-create <USER_NAME> --roles <ROLES> --service-name logdnaat

Where:

USER_NAME: The IBM Cloud user to be given the specified roles.

ROLES: A comma-delimited list of roles authorized for the user.

If you are migrating manually, and not using the migration tool, you will need to configure the manager role as well.
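The two CLI commands above can be wrapped so that only the roles the table lists for IBM Log Analysis and IBM Cloud Activity Tracker are ever requested. The following is an added example, not IBM's code; the function names, the APPLY variable and the sample user are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: least-privilege wrapper around the page's two
# `ibmcloud iam user-policy-create` commands. Dry run unless APPLY=1.
# Uses --service-name, the flag spelling in the IBM Cloud CLI reference.

# Roles the page's table lists for IBM Log Analysis and Activity Tracker.
ALLOWED_ROLES="administrator manager"
# Service names taken from the page's commands.
LEGACY_SERVICES="logdna logdnaat"

# validate_roles ROLES: succeed only for a comma-delimited list (no spaces,
# no empty items) of roles in ALLOWED_ROLES, compared case-insensitively.
validate_roles() {
    case "$1" in
        ""|,*|*,|*,,*|*[!A-Za-z,]*)
            echo "malformed role list: '$1'" >&2; return 1 ;;
    esac
    for role in $(printf '%s' "$1" | tr ',' ' ' | tr '[:upper:]' '[:lower:]'); do
        case " $ALLOWED_ROLES " in
            *" $role "*) ;;
            *) echo "role not needed for migration: $role" >&2; return 1 ;;
        esac
    done
}

# policy_commands USER ROLES: print one command line per legacy service.
policy_commands() {
    validate_roles "$2" || return 1
    for svc in $LEGACY_SERVICES; do
        printf 'ibmcloud iam user-policy-create %s --roles %s --service-name %s\n' \
            "$1" "$2" "$svc"
    done
}

# grant_legacy_roles USER ROLES: print the commands, or run them if APPLY=1.
grant_legacy_roles() {
    cmds=$(policy_commands "$1" "$2") || return 1
    if [ "${APPLY:-0}" != "1" ]; then printf '%s\n' "$cmds"; return 0; fi
    for svc in $LEGACY_SERVICES; do
        ibmcloud iam user-policy-create "$1" --roles "$2" --service-name "$svc" || return 1
    done
    # The assigned level is capped at the caller's own access on the target
    # service, so list the user's policies to confirm what was granted.
    ibmcloud iam user-policies "$1"
}

# Run only when called with arguments, e.g.: sh grant.sh user@example.com manager
if [ "$#" -eq 2 ]; then grant_legacy_roles "$1" "$2"; fi
```

Run it once without APPLY to review the exact commands, then with APPLY=1 from a session that is already logged in with `ibmcloud login`.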