IBM Cloud Docs
Why can't I see a location that another user gave me access to?

Why can't I see a location that another user gave me access to?

You are granted access to another user's Satellite location. However, when you list locations, you do not see the location.

The location owner might have scoped your Satellite access in IBM Cloud IAM to only the location resource type, which prevents the location from returning unless you target the regional endpoint that the location is managed from.

Target the regional endpoint, or ask the location owner to update your permissions.

Target the regional endpoint

  1. Ask the location owner which IBM Cloud multizone region the Satellite location is managed from. For example, the owner can run ibmcloud sat location get --location <location_name_or_ID> and review the Managed from field.
  2. From the CLI, target the regional endpoint, such as Washington, D.C. (us-east) in the following example.
    ibmcloud oc init --host https://us-east.containers.cloud.ibm.com
  3. Verify that you can view the Satellite location.
    ibmcloud sat location ls

If you still cannot view the Satellite location, ask the location owner to check your access policy. If the access policy is scoped to a particular location, the policy must be scoped to the location ID, not to the location's name.

Ask the location owner to update your permissions

Ask the location owner to update your access policy in IBM Cloud IAM so that access to Satellite locations is no longer scoped to locations. The steps vary depending on how the location owner set up your access policy. The following commands provide examples for updating access group and individual policies from the CLI. For more information, see Managing access for Satellite.

  1. Log in to IBM Cloud. If you have a federated account, include the --sso option.
    ibmcloud login [--sso]
  2. List the access policies for the user or access group, and note the Policy ID that grants access to the Satellite location.

    • For individual users

      ibmcloud iam user-policies <user@email.com>

    • For access groups

      ibmcloud iam access-group-policies <access_group>

      Example output

      Policy ID:   11a11111-bb2b-3c33-444d-ee5ee55ee55e
Roles:       Viewer   
Resources:                         
        Service Name    satellite      
        Resource Type   location
  3. Update the access policy so that the policy is no longer scoped to locations.
    • For individual users
      ibmcloud iam user-policy-update <user@email.com> <policy_ID> --roles Viewer --service-name satellite
    • For access groups
      ibmcloud iam access-group-policy-update <group> <policy_ID> --roles Viewer --service-name satellite
      Example output
      Policy ID:   11a11111-bb2b-3c33-444d-ee5ee55ee55e
Version:     2-111aaa1111a1a1aa1a1a11aa11a1aa11
Roles:       Viewer 
Resources:                         
            Service Name    satellite