IBM Cloud Docs
Setting the cluster credentials

Red Hat OpenShift on IBM Cloud accesses the infrastructure portfolio and other services that you use in your cluster by using an API key. The API key stores the credentials of a user in the account, and those credentials provide access to the infrastructure and other services. Red Hat OpenShift on IBM Cloud uses the API key to order resources in the service, such as new worker nodes or VLANs in IBM Cloud infrastructure.

By default, the account owner's credentials are stored in the API key. However, to avoid tying your cluster resources to a specific user, such as the account owner, consider using a functional ID instead of a personal user. If the account owner leaves the organization or is removed from the account, a functional ID prevents other users from losing access to the account. It also prevents disruptions to services and commands that require credentials that might not be available after the account owner leaves.

Need to remove a user from your account? Make sure you reset your API key. See Removing user credentials and permissions.

Resetting the cluster API key

Complete the following steps to reset the API key that is used by the cluster. When the API key is reset, the previous API key for the region and resource group, if any, becomes obsolete. You can then delete the old API key from your list of API keys.

If you use the Block Storage for VPC or cluster autoscaler add-ons in your cluster, you must re-create the add-on pods after you reset your API key. For more information, see Block Storage for VPC PVC creation fails after API key reset and Autoscaling fails after API key reset.

Make sure that the user or functional ID that runs this command has the required permissions, including the required permissions for other services or integrations. Target the resource group and region that you want to set the API key for.

  1. As the account owner, invite a functional ID to your IBM Cloud account.

  2. Assign the functional ID the correct permissions.

  3. Log in as the functional ID or user whose credentials you want to use in the cluster.

    ibmcloud login
    
  4. Target the resource group the cluster is in.

    If you don't target a resource group, the API key is set for the default resource group. To list available resource groups, run ibmcloud resource groups.

    ibmcloud target -g <resource_group_name>
    
  5. Reset the API key.

    ibmcloud oc api-key reset --region <region>
    
  6. Verify that the API key is set up.

    ibmcloud oc api-key info --cluster <cluster_name_or_ID>
    
  7. Repeat these steps for each region and resource group where you want to reset the cluster API key.
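
Step 7 worked through for several clusters, as an added example that is not part of the IBM documentation: the script groups clusters by region and resource group and prints one reset per pair, followed by a verification for each cluster. The inventory, cluster names and resource group names are constructed, and names are assumed to contain no whitespace.

```shell
#!/usr/bin/env bash
# Added example, not IBM's code. Builds the command plan for step 7.
# The API key is scoped to a region and resource group, so each pair gets
# one reset, followed by an info check for every cluster in that pair.

# Constructed inventory: "cluster region resource_group", space-separated,
# one cluster per line. Names are assumed to contain no whitespace.
INVENTORY='prod-a us-south rg-prod
prod-b us-south rg-prod
stage-a eu-de rg-stage'

# Print the ibmcloud commands in the order to run them, one per line.
# Lines that are malformed or contain shell metacharacters are skipped,
# so the plan stays safe to review and paste into a terminal.
plan_api_key_reset() {
  printf '%s\n' "$1" | awk '
    NF != 3 || $0 !~ /^[A-Za-z0-9._ -]+$/ {
      printf "skipping line %d: %s\n", NR, $0 > "/dev/stderr"
      next
    }
    {
      pair = $2 " " $3
      if (!(pair in seen)) { seen[pair] = 1; order[++n] = pair }
      clusters[pair] = clusters[pair] " " $1
    }
    END {
      for (i = 1; i <= n; i++) {
        split(order[i], p, " ")
        print "ibmcloud target -g " p[2]
        print "ibmcloud oc api-key reset --region " p[1]
        m = split(clusters[order[i]], c, " ")
        for (j = 1; j <= m; j++)
          print "ibmcloud oc api-key info --cluster " c[j]
      }
    }'
}

# Log in as the functional ID first (step 3), then work through the plan.
plan_api_key_reset "$INVENTORY"
```

Review the printed plan before you run it, because each reset makes the previous key for that region and resource group obsolete.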

Removing user credentials and permissions

In certain scenarios, such as staffing changes, your organization might need to remove user credentials and permissions from your account. To ensure that processes that require certain user credentials are not disrupted when a user is removed from the account, you must reset the API key with another user's infrastructure credentials. For more information, see Removing users.