Removing users
If a user no longer needs specific access permissions, or if the user is leaving your organization, the IBM Cloud account owner can remove that user's permissions.
Checking whether the user's credentials are used for infrastructure permissions
Before you remove a user's specific access permissions or remove a user from your account completely, ensure that the user's infrastructure credentials are not used to set the API key or for the ibmcloud ks credential set
command.
Otherwise, the other users in the account might lose access to the IBM Cloud infrastructure portal and infrastructure-related commands might fail.
To avoid this issue for future users, consider using a functional ID user for the API key owner instead of a personal user. In case the person leaves the team, the functional ID user remains the API key owner.
- Target your CLI context to a region and resource group where you have clusters.
ibmcloud target -g <resource_group_name> -r <region>
- Check the owner of the API key or infrastructure credentials set for that region and resource group.
ibmcloud ks api-key info --cluster <cluster_name_or_id>
ibmcloud ks credential get --region <region>
- API key: If the user's username is returned, use another user's credentials to set the API key.
- Invite a functional ID user to your IBM Cloud account to use to set the API key infrastructure credentials, instead of a personal user. In case a person leaves the team, the functional ID user remains the API key owner.
- Ensure that the functional ID user who sets the API key has the correct permissions.
- Log in as the functional ID.
ibmcloud login
- Change the infrastructure credentials to the functional ID user.
ibmcloud ks api-key reset --region <region>
- Refresh the clusters in the region to pick up on the new API key configuration.
ibmcloud ks cluster master refresh -c <cluster_name_or_ID>
- Infrastructure account: If the user's username is returned as the owner of the infrastructure account, migrate your existing clusters to a different infrastructure account before removing the user. For each cluster that the
user created, follow these steps:
- Check which infrastructure account the user used to provision the cluster.
- In the Worker Nodes tab, select a worker node and note its ID.
- Open the menu and click Classic Infrastructure.
- From the infrastructure navigation pane, click Devices > Device List.
- Search for the worker node ID that you previously noted.
- If you don't find the worker node ID, the worker node is not provisioned into this infrastructure account. Switch to a different infrastructure account and try again.
- Determine what happens to the infrastructure account that the user used to provision the clusters after the user leaves.
- If the user does not own the infrastructure account, then other users have access to this infrastructure account and it persists after the user leaves. You can continue to work with these clusters in your account. Make sure that at least one other user has the Administrator platform access role for the clusters.
- If the user owns the infrastructure account, then the infrastructure account is deleted when the user leaves. You can't continue to work with these clusters. To prevent the cluster from becoming orphaned, the user must delete the clusters
before the user leaves. If the user leaves but the clusters were not deleted, you must use the
ibmcloud ks credential set
command to change your infrastructure credentials to the account that the cluster worker nodes are provisioned in, and delete the cluster. For more information, see Unable to modify or delete infrastructure in an orphaned cluster.
- Check which infrastructure account the user used to provision the cluster.
- Repeat these steps for each combination of resource groups and regions where you have clusters.
Removing IBM Cloud IAM platform permissions and the associated pre-defined RBAC permissions
- Log in to the IBM Cloud console. From the menu bar, select Manage > Access (IAM).
- Click the Users page, and then click the name of the user that you want to remove permissions from.
- In the table entry for the user, click the Actions menu > Remove user.
- When IBM Cloud IAM platform permissions are removed, the user's permissions are also automatically removed from the associated predefined RBAC roles. To update the RBAC roles with the changes, run
ibmcloud ks cluster config
. However, if you created custom RBAC roles or cluster roles, you must remove the user from the.yaml
files for those RBAC role bindings or cluster role bindings. See steps to remove custom RBAC permissions in the next section.
Removing custom RBAC permissions
If you don't need custom RBAC permissions anymore, you can remove them.
- Open the
.yaml
file for the role binding or cluster role binding that you created. - In the
subjects
section, remove the section for the user. - Save the file.
- Apply the changes in the role binding or cluster role binding resource in your cluster.
kubectl apply -f my_role_binding.yaml