Authorizing resources with IAM trusted profiles

Virtual Private Cloud Classic infrastructure Satellite

Learn how to setup access to or for your resources by using trusted profiles.

You can enable IAM trusted profiles by running the ibmcloud oc cluster master refresh command.

Creating an IAM trusted profile

To create a trusted profile in your account, see Creating trusted profiles in the IAM documentation. Note that to create a trusted profile, you must be the account owner. Additionally, the following access roles are required.

Administrator role for all account management services.
Administrator role on the IAM Identity Service. For more information, see IAM Identity Service.

Configure your application pods to authenticate with IBM Cloud services

Give application pods that run in your Red Hat® OpenShift® on IBM Cloud® cluster access to IBM Cloud services by using trusted profiles in IBM Cloud Identity and Access Management (IAM). As a developer, you can configure your application pods to authenticate with IBM Cloud services in clusters that are linked to an IAM trusted profile set up.

To complete these steps, you do not need to have the administrator access role. However, you must meet the following requirements: Viewer platform access role; Writer service access role for the cluster in IBM Cloud IAM for Kubernetes Service; the iam-identity.profile.create and iam-identity.profile.linkToResource actions for the IAM identity service.

Before you begin:

Access your Red Hat OpenShift cluster.
Make sure that your account administrator created an IAM trusted profile for your cluster.

To configure your application pods to authenticate with IBM Cloud services:

Design your pod configuration file to use service account token volume projection.
1. In the containers section, mount the identity token in the volumeMounts section.
```
...
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: sa-token
```
2. In the volumes section, set up the service account token volume projection.
  
  Modify the expirationSeconds field to control how long the token is valid for. To retrieve IAM tokens, the service account token expiration must be 1 hour or less.
```
...
volumes:
  - name: sa-token
    projected:
      sources:
      - serviceAccountToken:
          path: sa-token
          expirationSeconds: 3600
          audience: iam
...
```
Design your app to exchange the service account projected token for an IAM token that you can use for subsequent API calls to IBM Cloud services. Review the following example authentication request. Replace ${profile_id} with the ID of the trusted profile that the cluster is linked to. To list available profile IDs, you or the account administrator can use the ibmcloud iam tps command, the GET 'https://iam.cloud.ibm.com/v1/profiles/?account_id=<account_id>', or you can view the trusted profiles in the IAM console.
```
curl -s -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Accept: application/json" \
    -d grant_type=urn:ibm:params:oauth:grant-type:cr-token \
    -d cr_token=$(cat /var/run/secrets/tokens/sa-token) \
    -d profile_id=${profile_id} \
    https://iam.cloud.ibm.com/identity/token
```

Before your app is deployed, try the following example Kubernetes job to test the token exchange. In the following Kubernetes job, a curl pod makes an API request to IBM Cloud IAM to verify that the cluster's public key is exchanged for an IAM access token. Your app might call other IBM Cloud services that the trusted profile authorizes.

apiVersion: batch/v1
kind: Job
metadata:
  name: token-exchange-job
  namespace: default
spec:
  template:
    spec:
      containers:
      - name: curl
        image: curlimages/curl:7.77.0
        command: ["/bin/sh"]
        args: ["-c", "curl -s -H \"Content-Type: application/x-www-form-urlencoded\" -H \"Accept: application/json\" -d grant_type=urn:ibm:params:oauth:grant-type:cr-token -d cr_token=$(cat /var/run/secrets/tokens/sa-token) -d profile_id=<profile_id> https://iam.cloud.ibm.com/identity/token"]
        volumeMounts:
        - mountPath: /var/run/secrets/tokens
          name: sa-token
      restartPolicy: Never
      serviceAccountName: default
      volumes:
      - name: sa-token
        projected:
          sources:
          - serviceAccountToken:
              path: sa-token
              expirationSeconds: 3600
              audience: iam

Deploy the job.
```
kubectl apply -f exchange-job.yaml
```
Review the job details to verify it was successful.
```
oc describe job token-exchange-job
```
Review the output for the job completed and succeeded messages to verify the job was a success.
If the job succeeded, check your Activity Tracker global events in Frankfurt to verify the log line with details on the Trusted Profile request. If the job failed, review your configuration and try again.