Granting access to keys
You can enable different levels of access to IBM Cloud® Hyper Protect Crypto Services resources in your IBM Cloud account by creating and modifying IBM Cloud IAM access policies.
As a service administrator or an account owner, determine an access policy type for users, service IDs, and access groups based on your internal access control requirements. For example, if you want to grant user access to Hyper Protect Crypto Services at the smallest scope available, you can assign access to a single key in an instance.
A good practice is to grant access permissions as you invite new users to your account or service. For example, consider the following guidelines:
- Enable user access to the resources in your account by assigning Cloud Identity and Access Management (IAM) roles. Rather than sharing your admin credentials, create new policies for users who need access to the encryption keys in your account. If you are the admin for your account, you are automatically assigned a Manager policy with access to all resources under the account.
- Grant roles and permissions at the smallest scope needed. For example, if a user needs to access only a high-level view of keys within a specified space, grant the Reader role to the user for that space.
- Regularly audit who can manage access control and delete key resources. Remember that granting a Manager role to a user means that the user can modify service policies for other users, in addition to destroying resources.
Granting access to all keys in an instance
You can grant access to keys within a Hyper Protect Crypto Services service instance by using the UI.
Review roles and permissions to learn how IBM Cloud IAM roles map to Hyper Protect Crypto Services actions.
To assign access:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select the user, and click the Actions icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Access policy.
- Under Service, select Hyper Protect Crypto Services and click Next.
- Under Resources, select Specific resources.
- Select the Service Instance ID attribute type, enter the instance ID that you retrieved, and click Next.
- Under Roles and actions, choose a combination of platform and service access roles to assign access for the user and click Next.
- (Optional) Under Conditions (optional), add any conditions. Then click Review to check the access policy.
- After confirmation, click Add > Assign.
Granting access to a single key in an instance
You can also assign access to a single key in a Hyper Protect Crypto Services service instance.
Step 1. Retrieve the key ID
Retrieve the unique identifier that is associated with the key that you want to grant someone access to.
To get the ID for a specific key, you can:
- Access the UI to browse the keys that are stored in your service instance.
- Use the Hyper Protect Crypto Services key management service API to retrieve a list of your keys, along with metadata about the keys.
Step 2. Create an access policy
Use the retrieved key ID to create an access policy:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select the user, and click the Actions icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Access policy.
- Under Service, select Hyper Protect Crypto Services and click Next.
- Under Resources, select Specific resources.
- Select the Service Instance ID attribute type and enter the instance ID that you retrieved.
- Click Add a condition, enter the following identifying information about the key, and click Next:
  - Select Resource Type, and enter key.
  - Select Resource ID, and enter the ID that is assigned to your key by the Hyper Protect Crypto Services service.
- Under Roles and actions, choose a combination of platform and service access roles to assign access for the user and click Next.
- (Optional) Under Conditions (optional), add any conditions. Then click Review to check the access policy.
- After confirmation, click Add > Assign.
Granting access to key rings in an instance
A key ring is a collection of keys within your service instance, and you can restrict access to a key ring through an IAM access policy. For more information about key rings, see Managing key rings.
You can grant access to key rings within a Hyper Protect Crypto Services instance by using the UI, IAM API, or IAM CLI.
Review roles and permissions to learn how IBM Cloud IAM roles map to Hyper Protect Crypto Services actions.
Granting access to key rings with the UI
To assign access to a key ring with the UI:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select a table row, and click the Actions icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Access policy.
- Under Service, select Hyper Protect Crypto Services and click Next.
- Under Resources, select Specific resources.
- Select the Service Instance ID attribute type and enter the instance ID that you retrieved.
- Click Add a condition, select the Key Ring ID attribute to enter the ID associated with the key ring, and click Next.
- Under Roles and actions, choose a combination of platform and service access roles to assign access for the user and click Next.
- (Optional) Under Conditions (optional), add any conditions. Then click Review to check the access policy.
- After confirmation, click Add > Assign.
You can also create an access policy through the IAM API or the IAM CLI.
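The following added example (not IBM's code) builds the IAM access-policy body that the API path above would send for the three scopes this page describes (whole instance, one key, one key ring) and then applies the audit guideline from the top of the page by listing every policy that grants Manager. The attribute names (serviceName, serviceInstance, resourceType, resource, keyRing), the service name hs-crypto, the role CRNs and all IDs are assumptions for illustration, not values taken from this page.

```python
import json

# Constructed placeholder values; replace with your own account and IDs.
ACCOUNT_ID = "ACCOUNT_ID_PLACEHOLDER"
SERVICE_NAME = "hs-crypto"  # assumed IAM service name for Hyper Protect Crypto Services
ROLE_CRN = {  # service-role CRNs in the form the IAM Policy Management API uses (assumed)
    "Reader": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
    "Writer": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
    "Manager": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
}


def build_policy(iam_id, role, instance_id, key_id=None, key_ring_id=None):
    """Return an access-policy body scoped to an instance, one key, or one key ring."""
    if key_id and key_ring_id:
        raise ValueError("scope the policy to either one key or one key ring, not both")
    attrs = [
        {"name": "accountId", "value": ACCOUNT_ID},
        {"name": "serviceName", "value": SERVICE_NAME},
        {"name": "serviceInstance", "value": instance_id},
    ]
    if key_id:  # same condition as the UI: Resource Type = key, Resource ID = <key ID>
        attrs += [{"name": "resourceType", "value": "key"},
                  {"name": "resource", "value": key_id}]
    elif key_ring_id:  # same condition as the UI's Key Ring ID attribute
        attrs.append({"name": "keyRing", "value": key_ring_id})
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": ROLE_CRN[role]}],
        "resources": [{"attributes": attrs}],
    }


def policy_scope(policy):
    """Classify how narrowly a policy is scoped: 'key', 'key ring' or 'instance'."""
    names = {a["name"] for a in policy["resources"][0]["attributes"]}
    if "resource" in names:
        return "key"
    if "keyRing" in names:
        return "key ring"
    return "instance"


def audit_managers(policies):
    """List (iam_id, scope) for each policy granting Manager, the role that can
    change other users' policies and destroy keys, so it can be reviewed regularly."""
    return [(p["subjects"][0]["attributes"][0]["value"], policy_scope(p))
            for p in policies
            if any(r["role_id"] == ROLE_CRN["Manager"] for r in p["roles"])]


if __name__ == "__main__":
    print(json.dumps(build_policy("IBMid-example", "Reader", "instance-1", key_id="key-1"), indent=2))
```

Post the returned body to the IAM Policy Management API (POST /v1/policies) with an IAM token to create the policy; the audit function runs over policies you have already listed from that API.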