API keys in IBM Cloud
Satellite uses API keys from IBM Cloud Identity and Access Management (IAM) to authorize various requests.
Satellite API key
Satellite automatically creates an IBM Cloud IAM API key for you, that impersonates the permissions of the user that creates the location. The API key name is formatted as satellite-<LOCATION_NAME>
.
Container service API key
Satellite uses the API key that is set for the container service, Red Hat OpenShift on IBM Cloud, which is specific to the resource group and region that the Satellite location is managed from.
The API key name is in the format containers-kubernetes-key
. The account owner can reset the API key by logging in to a region and resource group and running ibmcloud ks api-key reset
.
This API key is used to authorize actions to various IBM Cloud services, such as one of the following.
- Red Hat OpenShift on IBM Cloud for clusters.
- IBM Cloud Container Registry for images.
- Service-to-service authorization in IAM for any Satellite-enabled IBM Cloud services that you add to your location.
For more information, see the Red Hat OpenShift on IBM Cloud documentation.
Infrastructure provider credentials
If you create a Satellite location from a template, such as an IBM Cloud Schematics template for AWS, Satellite checks for permissions with an API key. The API key must have the required permissions to create a location, including to IBM Cloud Schematics, which is used to automate the infrastructure creation from the template cloud provider.