Establishing service-to-service authorizations for the Backup service
Before you can create backup policies, you need to establish service-to-service authorizations and specify user roles. This authorization enables the Backup for VPC service to detect the tags, create backup snapshots and store them in Object Storage.
Overview
For IBM Cloud Backup for VPC service to work, you need to provide an authorization for the service. In an authorization, the source service is the service that is granted access to the target service. The roles that you select define the level of access for the source service. The target service is the service that you are granting permission to be accessed by the source service based on the roles that you assign. A source service can be in the same account where the authorization is created or in another account. The target service is always in the account where the authorization is created.
To create a backup policy and for the backup jobs to run correctly, the Backup service needs to be authorized to work with Block Storage for VPC, Snapshots for VPC, and Virtual Server for VPC services.
If you are an Enterprise account administrator who wants to create a backup policy for your enterprise account and subaccounts, you also need to have authorization for the Backup for VPC service in the enterprise account to work with the Backup for VPC service in the subaccounts.
For more information about authorizations, see Using authorizations to grant access between services.
If you set up service authorizations incorrectly, the backup service cannot create the backup policies. For more information, see the troubleshooting topic Backup policy not created due to incorrect authorizations.
Creating authorization policies in the console
Enabling service-to-service authorization for volume backups at the account level
To create a service-to-service authorization policy, follow this procedure:
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select the Source account. As you're setting up authorization for the Backup service in your account, select This account. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - From the list, select Resource type.
  - In the next field, select IBM Cloud Backup for VPC.
  - Click Next.
- For the target service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Click Resource type. Select one of the services in Table 1. You need to create authorization for all of them.
  - Click Next.
- Select the role. See Table 1 for the appropriate role.
- Click Review and inspect your choices.
- Click Authorize.
- When you are returned to the Manage authorizations page, click Create again and follow the same steps to set up authorizations for the remaining services.

Table 1. Service-to-service authorizations
Source service - resource type    Target service - resource type    Dependent service user role
IBM Cloud Backup for VPC          Block Storage for VPC             Operator
IBM Cloud Backup for VPC          Block Storage Snapshots for VPC   Editor
IBM Cloud Backup for VPC          Multi Volume Snapshots for VPC    Editor
IBM Cloud Backup for VPC          Virtual Server for VPC            Operator
Creating cross-account authorization for volume backups for the Enterprise
To allow an Enterprise administrator to manage backups centrally, the subaccounts must provide authorization for the Backup service of the Enterprise account to interact with the resources of the child accounts.
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select the Source account. As you're setting up authorization for the Backup service of the enterprise account, select Specific account, and enter the Enterprise account's ID. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - From the list, select Resource type.
  - In the next field, select IBM Cloud Backup for VPC.
  - Click Next.
- For the target service, select VPC Infrastructure Services from the list.
  - Select the scope by clicking Specific resources.
  - Click Select an attribute.
  - Click Resource type. Select one of the services in Table 2. You need to create authorization for all of them.
  - Click Next.
- Select the role. See Table 2 for the appropriate role.
- Click Review and inspect your choices.
- Click Authorize.
- When you are returned to the Manage authorizations page, click Create again and follow the same steps to set up authorizations for the remaining services.

Table 2. Service-to-service authorizations for the Enterprise
Source service - resource type    Target service - resource type    Dependent service user role
IBM Cloud Backup for VPC          Block Storage for VPC             Operator
IBM Cloud Backup for VPC          Block Storage Snapshots for VPC   Editor
IBM Cloud Backup for VPC          Multi Volume Snapshots for VPC    Editor
IBM Cloud Backup for VPC          Virtual Server for VPC            Operator
IBM Cloud Backup for VPC          IBM Cloud Backup for VPC          Editor
Enabling service-to-service authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, follow this procedure:
- In the IBM Cloud console, go to Manage > Access (IAM).
- From the side panel, select Authorizations.
- On the Manage authorizations page, click Create.
- In the Source section, select the Source account. As you're setting up authorization for the Backup service in your account, select This account. Click Next.
- For the source service, select VPC Infrastructure Services from the list. Click Next.
- Select the scope by clicking Specific resources.
- Click Select an attribute and from the list, select Resource type.
- In the next field, select IBM Cloud Backup for VPC.
- Click Next.
- Select Event Notifications as the target service. Click Next.
- Select the scope by clicking Specific resources.
- Click Select an attribute.
- Click serviceInstance.
- In the next field, select string equals.
- In the next field, select the Event Notifications service instance that you want to authorize.
- Select the Event Source Manager role.
- Click Review and inspect your choices.
- Click Authorize.
Creating authorization policies from the CLI
Enabling service-to-service authorization for volume backups at the account level
To use Backup for VPC in your account to create policies and plans and to run backup jobs for block storage volumes, create the following service-to-service authorizations:
- backup-policy (source) to instance (target) with the Operator role
- backup-policy (source) to volume (target) with the Operator role
- backup-policy (source) to snapshot (target) with the Editor role
- backup-policy (source) to snapshot-consistency-group (target) with the Editor role
- Create four JSON files with the following information for the authorization policies.
- Instance service:
{ "type":"authorization", "subjects": [ {"attributes": [ {"name":"accountId","value":"ACCOUNT_ID"}, {"name":"serviceName","value":"is"}, {"name":"resourceType","value":"backup-policy"}]}], "roles": [{"role_id":"crn:v1:bluemix:public:iam::::role:Operator"}], "resources": [ {"attributes": [ {"name":"accountId","value":"ACCOUNT_ID"}, {"name":"serviceName","operator":"stringEquals","value":"is"}, {"name":"instanceId","operator":"stringEquals","value":"*"}]}] }
- Block Storage volume service:
{ "type":"authorization", "subjects": [ {"attributes": [ {"name":"accountId","value":"ACCOUNT_ID"}, {"name":"serviceName","value":"is"}, {"name":"resourceType","value":"backup-policy"}]}], "roles": [{"role_id":"crn:v1:bluemix:public:iam::::role:Operator"}], "resources": [ {"attributes": [ {"name":"accountId","value":"ACCOUNT_ID"}, {"name":"serviceName","operator":"stringEquals","value":"is"}, {"name":"volumeId","operator":"stringEquals","value":"*"}]}] }
- Block Storage snapshot service:
{ "type":"authorization", "subjects": [ {"attributes": [ {"name":"accountId","value":"ACCOUNT_ID"}, {"name":"serviceName","value":"is"}, {"name":"resourceType","value":"backup-policy"}]}], "roles": [{"role_id":"crn:v1:bluemix:public:iam::::role:Editor"}], "resources": [ {"attributes": [ {"name":"accountId","value":"ACCOUNT_ID"}, {"name":"serviceName","operator":"stringEquals","value":"is"}, {"name":"snapshotId","operator":"stringEquals","value":"*"}]}] }
- Snapshot consistency group:
{ "type":"authorization", "subjects": [ {"attributes": [ {"name":"accountId","value":"ACCOUNT_ID"}, {"name":"serviceName","value":"is"}, {"name":"resourceType","value":"backup-policy"}]}], "roles": [{"role_id":"crn:v1:bluemix:public:iam::::role:Editor"}], "resources": [ {"attributes": [ {"name":"accountId","value":"ACCOUNT_ID"}, {"name":"serviceName","operator":"stringEquals","value":"is"}, {"name":"snapshotConsistencyGroupId","operator":"stringEquals","value":"*"}]}] }
- Then, run the following CLI command once for each JSON file, passing the file path with --file.
ibmcloud iam authorization-policy-create --file ~/Documents/policy.json
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating cross-account authorization for volume backups for the Enterprise
To allow an Enterprise administrator to manage backups centrally, the subaccounts must provide authorization for the Backup service of the Enterprise account to interact with the resources of the child accounts.
Run the ibmcloud iam authorization-policy-create command with one of the following options: --source-service-account, --source-service-instance-name, or --source-service-instance-id, to identify the enterprise account as the source. To get the enterprise account ID, you can run the following command.
ibmcloud enterprise show
Then, use the account ID to authorize the Enterprise account's backup service instance to interact with the child account's backup, snapshot, volume, and instance services. Run these commands in each child account with ACCOUNT_ID set to the enterprise account ID, using the roles from Table 2: Editor for the backup-policy, snapshot, and snapshot-consistency-group targets, and Operator for the volume and instance targets.
ibmcloud iam authorization-policy-create is is Editor --source-resource-type backup-policy --target-resource-type backup-policy --source-service-account ACCOUNT_ID
ibmcloud iam authorization-policy-create is is Editor --source-resource-type backup-policy --target-resource-type snapshot --source-service-account ACCOUNT_ID
ibmcloud iam authorization-policy-create is is Operator --source-resource-type backup-policy --target-resource-type volume --source-service-account ACCOUNT_ID
ibmcloud iam authorization-policy-create is is Editor --source-resource-type backup-policy --target-resource-type snapshot-consistency-group --source-service-account ACCOUNT_ID
ibmcloud iam authorization-policy-create is is Operator --source-resource-type backup-policy --target-resource-type instance --source-service-account ACCOUNT_ID
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Enabling service-to-service authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, use the authorization-policy-create command, where EN_INSTANCE_ID holds the ID of the Event Notifications instance that you want to authorize.
ibmcloud iam authorization-policy-create is event-notification EventSourceManager --source-resource-type backup-policy --target-resource-instance $EN_INSTANCE_ID
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Creating authorization policies with the API
Enabling service-to-service authorization for volume backups at the account level
To use Backup for VPC in your account to create policies and plans and to run backup jobs for block storage volumes, create the following service-to-service authorizations:
- is.backup-policy (source) to is.instance (target) with the Operator role
- is.backup-policy (source) to is.volume (target) with the Operator role
- is.backup-policy (source) to is.snapshot (target) with the Editor role
- is.backup-policy (source) to is.snapshot-consistency-group (target) with the Editor role
Make the request to the IAM Policy Management API, similar to the following examples.
Set TOKEN and ACCOUNT_ID in your shell first; each request reads its JSON body from a here-document so that both values expand into the policy.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d @- <<EOF
{
  "type": "authorization",
  "description": "Operator role for the Backup service to the Virtual Server service",
  "subjects": [
    {"attributes": [
      {"name": "serviceName", "value": "is"},
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "resourceType", "value": "backup-policy"}]}
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
  ],
  "resources": [
    {"attributes": [
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "serviceName", "operator": "stringEquals", "value": "is"},
      {"name": "instanceId", "operator": "stringEquals", "value": "*"}]}
  ]
}
EOF
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d @- <<EOF
{
  "type": "authorization",
  "description": "Operator role for the Backup service to the Cloud Block Storage",
  "subjects": [
    {"attributes": [
      {"name": "serviceName", "value": "is"},
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "resourceType", "value": "backup-policy"}]}
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}
  ],
  "resources": [
    {"attributes": [
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "serviceName", "operator": "stringEquals", "value": "is"},
      {"name": "volumeId", "operator": "stringEquals", "value": "*"}]}
  ]
}
EOF
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d @- <<EOF
{
  "type": "authorization",
  "description": "Editor role for the Backup service to Block Storage Snapshots",
  "subjects": [
    {"attributes": [
      {"name": "serviceName", "value": "is"},
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "resourceType", "value": "backup-policy"}]}
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
  ],
  "resources": [
    {"attributes": [
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "serviceName", "operator": "stringEquals", "value": "is"},
      {"name": "snapshotId", "operator": "stringEquals", "value": "*"}]}
  ]
}
EOF
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d @- <<EOF
{
  "type": "authorization",
  "description": "Editor role for the Backup service to the Snapshot consistency groups",
  "subjects": [
    {"attributes": [
      {"name": "serviceName", "value": "is"},
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "resourceType", "value": "backup-policy"}]}
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}
  ],
  "resources": [
    {"attributes": [
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "serviceName", "operator": "stringEquals", "value": "is"},
      {"name": "snapshotConsistencyGroupId", "operator": "stringEquals", "value": "*"}]}
  ]
}
EOF
For more information, see the API spec for IAM Policy Management.
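Because an incomplete or incorrectly scoped set of authorizations stops backup policies from being created, it helps to check the policies an account actually holds before troubleshooting. The following script is an added example, not part of the IBM documentation or tooling: it walks a list of policies in the JSON shape the IAM Policy Management API returns, picks out those whose subject is the Backup for VPC service of a given account, and reports which of the four target resource types from Table 1 are missing and which are granted a broader role than the table requires (the source and target account parameters differ for the Enterprise cross-account set-up). The account IDs and policies are constructed sample data.

```python
# Minimum role per target attribute, from Table 1 and the API examples above.
REQUIRED = {
    "volumeId": "Operator",                  # Block Storage for VPC
    "snapshotId": "Editor",                  # Block Storage Snapshots for VPC
    "snapshotConsistencyGroupId": "Editor",  # Multi Volume Snapshots for VPC
    "instanceId": "Operator",                # Virtual Server for VPC
}
# Platform roles ordered by privilege, so a broader-than-required grant can be flagged.
ROLE_RANK = {"Viewer": 0, "Operator": 1, "Editor": 2, "Administrator": 3}

def _attrs(section):
    """Flatten [{"attributes": [{"name": ..., "value": ...}, ...]}] into one dict."""
    return {a["name"]: a["value"] for entry in section for a in entry.get("attributes", [])}

def _roles(policy):
    """Role names from role CRNs such as crn:v1:bluemix:public:iam::::role:Editor."""
    return [r["role_id"].rsplit(":", 1)[-1] for r in policy.get("roles", [])]

def backup_grants(policies, source_account, target_account=None):
    """Strongest role granted to the Backup service ("is"/"backup-policy") of
    source_account over "is" resources in target_account, per target attribute."""
    target_account = target_account or source_account
    granted = {}
    for p in policies:
        if p.get("type") != "authorization":
            continue
        subj, res = _attrs(p.get("subjects", [])), _attrs(p.get("resources", []))
        if (subj.get("serviceName"), subj.get("resourceType"), subj.get("accountId")) != (
                "is", "backup-policy", source_account):
            continue
        if res.get("serviceName") != "is" or res.get("accountId") != target_account:
            continue
        for name in REQUIRED.keys() & res.keys():
            for role in _roles(p):
                if ROLE_RANK.get(role, -1) > ROLE_RANK.get(granted.get(name), -1):
                    granted[name] = role
    return granted

def audit(policies, source_account, target_account=None):
    """Return (missing, broader): attributes with no authorization, and
    (attribute, granted role, required role) where the grant exceeds the table."""
    granted = backup_grants(policies, source_account, target_account)
    missing = [n for n in REQUIRED if n not in granted]
    broader = [(n, granted[n], REQUIRED[n]) for n in REQUIRED
               if n in granted and ROLE_RANK[granted[n]] > ROLE_RANK[REQUIRED[n]]]
    return missing, broader

def _policy(role, target_attr, account, target=None):
    """Build one policy in the shape the IAM API returns (constructed sample data)."""
    return {"type": "authorization",
            "subjects": [{"attributes": [{"name": "accountId", "value": account},
                                         {"name": "serviceName", "value": "is"},
                                         {"name": "resourceType", "value": "backup-policy"}]}],
            "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:" + role}],
            "resources": [{"attributes": [{"name": "accountId", "value": target or account},
                                          {"name": "serviceName", "operator": "stringEquals", "value": "is"},
                                          {"name": target_attr, "operator": "stringEquals", "value": "*"}]}]}

ACCOUNT = "acct-constructed-1111"  # constructed account ID, not a real one
SAMPLE_POLICIES = [                 # constructed stand-in for the "policies" list the API returns
    _policy("Operator", "volumeId", ACCOUNT),
    _policy("Editor", "snapshotId", ACCOUNT),
    _policy("Editor", "instanceId", ACCOUNT),  # broader than the Operator role Table 1 requires
    _policy("Editor", "snapshotConsistencyGroupId", "acct-other-2222"),  # another account, ignored
]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES, ACCOUNT))  # (['snapshotConsistencyGroupId'], [('instanceId', 'Editor', 'Operator')])
```

To check a real account, pass the "policies" list from a GET on https://iam.cloud.ibm.com/v1/policies (filtered to your account ID and type authorization) to audit() instead of SAMPLE_POLICIES.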
Creating cross-account authorization for volume backups for the Enterprise
To allow an Enterprise administrator to manage backups centrally, the subaccounts must provide authorization for the Backup service of the Enterprise account to interact with the resources of the child accounts.
- Make an API request to the Enterprise Management API to get the account ID of the parent enterprise account.
curl -X GET 'https://enterprise.cloud.ibm.com/v1/enterprises' -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json'
- Then, make the requests to the IAM Policy Management API to create the service-to-service authorizations for the is.backup-policy of the enterprise account to interact with the child account's is.backup-policy, is.snapshot, is.volume, is.snapshot-consistency-group, and is.instance services. Run each request in the child account with TOKEN, ENTERPRISE_ACCOUNT_ID, and SUB_ACCOUNT_ID set in your shell; the here-document expands them into the request body.
- Authorize is.backup-policy (source) to interact with is.backup-policy (target) with the Editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d @- <<EOF
{
  "type": "authorization",
  "description": "Editor role for the Enterprise account's backup service to interact with this account's backup service",
  "subjects": [{"attributes": [{"name": "serviceName", "value": "is"}, {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType", "value": "backup-policy"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}],
  "resources": [{"attributes": [{"name": "accountId", "operator": "stringEquals", "value": "$SUB_ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "backupPolicyId", "operator": "stringEquals", "value": "*"}]}]
}
EOF
- Authorize is.backup-policy (source) to interact with is.volume (target) with the Operator role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d @- <<EOF
{
  "type": "authorization",
  "description": "Operator role for the Enterprise account's backup service to interact with this account's volume service",
  "subjects": [{"attributes": [{"name": "serviceName", "value": "is"}, {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType", "value": "backup-policy"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "$SUB_ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "volumeId", "operator": "stringEquals", "value": "*"}]}]
}
EOF
- Authorize is.backup-policy (source) to interact with is.snapshot (target) with the Editor role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d @- <<EOF
{
  "type": "authorization",
  "description": "Editor role for the Enterprise account's backup service to interact with this account's snapshots",
  "subjects": [{"attributes": [{"name": "serviceName", "value": "is"}, {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType", "value": "backup-policy"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "$SUB_ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "snapshotId", "operator": "stringEquals", "value": "*"}]}]
}
EOF
- Authorize is.backup-policy (source) to interact with is.instance (target) with the Operator role.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d @- <<EOF
{
  "type": "authorization",
  "description": "Operator role for the Enterprise account's backup service to interact with this account's virtual server instance service",
  "subjects": [{"attributes": [{"name": "serviceName", "value": "is"}, {"name": "accountId", "value": "$ENTERPRISE_ACCOUNT_ID"}, {"name": "resourceType", "value": "backup-policy"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Operator"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "$SUB_ACCOUNT_ID"}, {"name": "serviceName", "operator": "stringEquals", "value": "is"}, {"name": "instanceId", "operator": "stringEquals", "value": "*"}]}]
}
EOF
For more information, see the API spec for IAM Policy Management.
Enabling service-to-service authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, make an API request to grant is.backup-policy (source) access to event-notification (target) with the EventSourceManager role. Set TOKEN, ACCOUNT_ID, and EN_INSTANCE_ID (the ID of the Event Notifications instance) in your shell first; the here-document expands them into the request body.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d @- <<EOF
{
  "type": "authorization",
  "description": "Event Source Manager role for the backup service to interact with the Event Notifications service",
  "subjects": [
    {"attributes": [
      {"name": "accountId", "value": "$ACCOUNT_ID"},
      {"name": "serviceName", "value": "is"},
      {"name": "resourceType", "value": "backup-policy"}]}
  ],
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:EventSourceManager"}
  ],
  "resources": [
    {"attributes": [
      {"name": "serviceName", "operator": "stringEquals", "value": "event-notification"},
      {"name": "instanceId", "operator": "stringEquals", "value": "$EN_INSTANCE_ID"}]}
  ]
}
EOF
Creating authorization policies with Terraform
Enabling service-to-service authorization for volume backups at the account level
Create an authorization policy between services by using the ibm_iam_authorization_policy resource in your main.tf file. The policies read the current account ID from the ibm_iam_account_settings data source, so declare it once alongside them.
data "ibm_iam_account_settings" "iam" {}

# Backup for VPC (backup-policy) to Block Storage for VPC volumes: Operator role
resource "ibm_iam_authorization_policy" "policy1" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "volumeId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Operator"]
}

# Backup for VPC (backup-policy) to Block Storage Snapshots for VPC: Editor role
resource "ibm_iam_authorization_policy" "policy2" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "snapshotId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Editor"]
}

# Backup for VPC (backup-policy) to Multi Volume Snapshots (snapshot consistency groups): Editor role
resource "ibm_iam_authorization_policy" "policy3" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "snapshotConsistencyGroupId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Editor"]
}

# Backup for VPC (backup-policy) to Virtual Server for VPC instances: Operator role
resource "ibm_iam_authorization_policy" "policy4" {
  subject_attributes {
    name  = "accountId"
    value = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "is"
  }
  resource_attributes {
    name     = "instanceId"
    operator = "stringExists"
    value    = "true"
  }
  roles = ["Operator"]
}
For more information about the arguments and attributes, see the Terraform documentation for authorization resources.
Enabling service-to-service authorization for Event Notifications
To create a service-to-service authorization policy for Event Notifications, use the ibm_iam_authorization_policy resource in your main.tf file. The two instance IDs are supplied as input variables so that the policy does not depend on how the backup policy and the Event Notifications instance are managed.
# ID of the backup policy that acts as the source of the authorization
variable "backup_policy_instance_id" {
  type = string
}

# GUID of the Event Notifications instance that receives the backup events
variable "event_notifications_instance_guid" {
  type = string
}

resource "ibm_iam_authorization_policy" "en-policy" {
  source_service_name         = "is"
  source_resource_type        = "backup-policy"
  source_resource_instance_id = var.backup_policy_instance_id
  target_service_name         = "event-notification"
  target_resource_instance_id = var.event_notifications_instance_guid
  roles                       = ["EventSourceManager"]
}
For more information about the arguments and attributes, see the Terraform documentation for authorization resources.