Establishing service-to-service authorizations for File Storage for VPC

You can use IBM Cloud Identity and Access Management (IAM) to create or remove an authorization that grants one service access to another service. For File Storage for VPC, you need a service-to-service authorization to configure customer-managed encryption, to set up cross-region replication, and to let a file share be accessed from another account.

Overview

In an authorization, the source service is the service that is granted access to the target service. The roles that you select define the level of access for the source service. The target service is the service that you are granting permission to be accessed by the source service based on the roles that you assign. Generally, a source service can be in the same account where the authorization is created or in another account. The target service is always in the account where the authorization is created.

To create an encrypted file share with a customer root key (CRK), you need to establish a service-to-service authorization between the File service and the key management service of your choice (Key Protect or Hyper Protect Crypto Services). The instructions for creating that authorization are provided in this topic.

For cross-region replication, you need to establish a service-to-service authorization, with the Editor role, between the File service instances in the VPCs of the source and replica regions. This authorization enables the File service in one VPC to interact with the File service of another VPC. Both VPCs must belong to the same account; cross-account replication is not supported. For more information, see Replication overview.

For more information about authorizations, see Using authorizations to grant access between services.

Creating service-to-service authorization for customer-managed encryption in the UI

  1. In the IBM Cloud console, go to Manage > Access (IAM).
  2. From the side panel, select Authorizations.
  3. On the Manage authorizations page, click Create.
  4. In the Source section, select the Source account.
    • If the goal is to allow the use of a CRK from another account, select Specific account and enter the 32-character-long account ID. Then, click Next.
    • Otherwise, select This account. Then, click Next.
  5. For the source service, select VPC Infrastructure Services from the list. Click Next.
    1. Select the scope by clicking Specific resources.
    2. Click Select an attribute.
    3. From the list, select Resource type.
    4. In the next field, select File Storage for VPC.
    5. Click Next.
  6. For the target service, select Hyper Protect Crypto Services or Key Protect from the list. Click Next.
  7. Select the role Reader.
  8. Check the box to enable authorization to be delegated by source and dependent services.
  9. Click Review and inspect your choices.
  10. Click Authorize.

Creating service-to-service authorization for cross-region replication in the UI

  1. In the IBM Cloud console, go to Manage > Access (IAM).
  2. From the side panel, select Authorizations.
  3. On the Manage authorizations page, click Create.
  4. In the Source section, select the Source account. Select This account, and click Next.
  5. For the source service, select VPC Infrastructure Services from the list. Click Next.
    1. Select the scope by clicking Specific resources.
    2. Click Select an attribute.
    3. From the list, select Resource type.
    4. In the next field, select File Storage for VPC.
    5. Click Next.
  6. For the target service, select VPC Infrastructure Services from the list. Click Next.
    1. Select the scope by clicking Specific resources.
    2. Click Select an attribute.
    3. From the list, select Resource type.
    4. In the next field, select File Storage for VPC.
    5. Click Next.
  7. Select the role Editor.
  8. Click Review and inspect your choices.
  9. Click Authorize.

Creating service-to-service authorization for cross-account access in the UI

  1. In the IBM Cloud console, go to Manage > Access (IAM).
  2. From the side panel, select Authorizations.
  3. On the Manage authorizations page, click Create.
  4. In the Source section, select the Source account.
    • If you want to allow another account to access data on your file share, select Specific account and enter the 32-character-long account ID. Then, click Next.
    • If you want to create accessor shares in the same account, select This account. Then, click Next.
  5. For the source service, select VPC Infrastructure Services from the list. Click Next.
    1. Select the scope by clicking Specific resources.
    2. Click Select an attribute.
    3. From the list, select Resource type.
    4. In the next field, select File Storage for VPC.
    5. Click Next.
  6. For the target service, select VPC Infrastructure Services from the list. Click Next.
    1. Select the scope by clicking Specific resources.
    2. Click Select an attribute.
    3. From the list, select Resource type.
    4. In the next field, select File Storage for VPC.
    5. Click Add a condition.
    6. Click Select an attribute and select Share ID.
    7. Select the share from the list.
    8. Click Next.
  7. Select the role Share Broker.
  8. Click Review and inspect your choices.
  9. Click Authorize.

Creating service-to-service authorization for Watson Studio in the UI

  1. In the IBM Cloud console, go to Manage > Access (IAM).
  2. From the side panel, select Authorizations.
  3. On the Manage authorizations page, click Create.
  4. On the Grant a service authorization page, select This account.
  5. For the source service, select Watson Studio from the list.
    1. Select the scope by clicking Specific resources.
    2. Click Select an attribute.
    3. From the list, select Source service instance.
    4. In the next field, select All instances.
    5. Click Next.
  6. For the target service, select VPC Infrastructure Services from the list. Click Next.
    1. Select the scope by clicking Specific resources.
    2. Click Select an attribute.
    3. From the list, select Resource type.
    4. In the next field, select File Storage for VPC.
    5. Click Add a condition.
    6. Click Select an attribute and select Share ID.
    7. Leave the operator field set to string equals.
    8. In the next field, select the origin share from the list.
    9. Click Next.
  7. Select the role Share Broker.
  8. Check the box to enable authorization to be delegated by source and dependent services.
  9. Click Review and inspect your choices.
  10. Click Authorize.

Creating service-to-service authorization for customer-managed encryption from the CLI

Run the ibmcloud iam authorization-policy-create command to create authorization policies for the File service to interact with one or both key management services (Key Protect or Hyper Protect Crypto Services). The source service name is is (VPC Infrastructure Services), scoped to file shares with --source-resource-type share, and the target service name is either kms (Key Protect) or hs-crypto (Hyper Protect Crypto Services). The role to assign is Reader. The following example creates an authorization policy between the File service and Key Protect.

$ ibmcloud iam authorization-policy-create is kms Reader --source-resource-type share
Creating authorization policy under account a1234567 as test.user@ibm.com...
OK

To list the service authorizations that are already in place for the account, run the ibmcloud iam authorization-policies command. The following example shows that the file shares can be encrypted with a CRK that is stored in Key Protect or Hyper Protect Crypto Services.

$ ibmcloud iam authorization-policies
Getting authorization policies under account a1234567 as test.user@ibm.com...
OK
                           
ID:                        8a2ef8a5-2e4c-46ea-b2e7-d4b0d0a0e1a5
Source service name:       is
Source service instance:   All instances
Source resource type:      share
Target service name:       hs-crypto
Target service instance:   All instances
Roles:                     Reader
                           
ID:                        d2df60ea-5575-4bd1-9cd6-f35c52576577
Source service name:       is
Source service instance:   All instances
Source resource type:      share
Target service name:       kms
Target service instance:   All instances
Roles:                     Authorization Delegator, Reader

For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.

Creating service-to-service authorization for cross-account encryption from the CLI

As the owner of the encryption key, create a JSON file and use it with the ibmcloud iam authorization-policy-create command to authorize the File service of another account (the source) to use keys in the key management service instance (Key Protect or Hyper Protect Crypto Services) in your account (the target). The roles to assign are Reader and, so that the File service can pass the authorization on to the services it depends on, Authorization Delegator. The following example creates the policy for Hyper Protect Crypto Services; for Key Protect, replace hs-crypto with kms.

  1. Create a JSON file with the following content. In this example, the file is saved as policy.json in your local Documents folder. The subject is the file service of the account that will use the key; the resource is the key management service in your account, where the policy is created. Replace the placeholders with the 32-character account IDs.
    {
       "type": "authorization",
       "description": "Reader and Delegator roles for the file service of the key user account on the Hyper Protect Crypto Services instance of the key owner account",
       "subjects": [{"attributes": [
             {"name": "accountId","value": "<key user account ID>"},
             {"name": "serviceName","value": "is"},
             {"name": "resourceType","value": "share"}]}],
       "roles": [
          {"role_id":"crn:v1:bluemix:public:iam::::role:AuthorizationDelegator"},
          {"role_id":"crn:v1:bluemix:public:iam::::serviceRole:Reader"}],
       "resources": [{"attributes": [
             {"name": "accountId","value": "<key owner account ID>","operator": "stringEquals"},
             {"name": "serviceName","value": "hs-crypto","operator": "stringEquals"}]}]
    }
    
  2. Then, run the following CLI command with the JSON file to create the authorization policy.
    ibmcloud iam authorization-policy-create --file ~/Documents/policy.json
    
    The cross-account authorization is one-way and specific to key and service. When Account A authorizes their key to be used by Account B's file service, Account B can use Account A's CRK to encrypt Account B's shares. However, Account A cannot use Account B's root keys to encrypt Account A's shares.
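The listing from ibmcloud iam authorization-policies shows what is in place, but not whether it is tighter than it needs to be. The following Python script, an added example that is not part of this page or of the ibmcloud CLI, audits a set of authorization policies for least privilege: a key management target granted anything beyond Reader (and Authorization Delegator), a source that is the whole VPC Infrastructure service rather than resourceType share, a Share Broker grant with no shareId condition, and any cross-account grant, reported so that the one-way direction described above stays visible. It assumes that ibmcloud iam authorization-policies --output json prints policy objects in the shape of the IAM Policy Management v1 API; the sample policies and account IDs are constructed.

```python
"""Audit an account's authorization policies for least privilege.

Added example for this page, not an IBM tool. Input is a list of policy objects
in the shape of the IAM Policy Management v1 API (GET /v1/policies). Assumption:
`ibmcloud iam authorization-policies --output json` prints the same objects.
The sample policies and account IDs below are constructed."""

KMS_SERVICES = {"kms", "hs-crypto"}                        # Key Protect, Hyper Protect Crypto Services
KMS_ALLOWED_ROLES = {"Reader", "AuthorizationDelegator"}   # all that customer-managed encryption needs


def _attrs(entries):
    """Flatten [{"attributes": [{"name", "value"}, ...]}] into a name -> value dict."""
    flat = {}
    for entry in entries or []:
        for attr in entry.get("attributes", []):
            flat.setdefault(attr["name"], attr.get("value"))
    return flat


def _role_names(policy):
    return {role["role_id"].rsplit(":", 1)[-1] for role in policy.get("roles", [])}


def audit_policy(policy, this_account):
    """Return (policy id, severity, message) findings for one authorization policy."""
    if policy.get("type") != "authorization":
        return []
    pid = policy.get("id", "?")
    subject, resource = _attrs(policy.get("subjects")), _attrs(policy.get("resources"))
    roles, findings = _role_names(policy), []
    # The source should be file shares only, not every VPC Infrastructure resource.
    if subject.get("serviceName") == "is" and subject.get("resourceType") != "share":
        findings.append((pid, "warn", "source is all of VPC Infrastructure Services, not resourceType=share"))
    target = resource.get("serviceName")
    if target in KMS_SERVICES:
        excess = roles - KMS_ALLOWED_ROLES
        if excess:
            findings.append((pid, "high", f"{target}: {sorted(excess)} exceed the Reader role that encryption needs"))
    elif target == "is":
        # ShareBroker without a shareId condition lets the source account bind every share.
        if "ShareBroker" in roles and "shareId" not in resource:
            findings.append((pid, "high", "ShareBroker is not limited to one shareId"))
        if "Editor" in roles and resource.get("resourceType") != "share":
            findings.append((pid, "warn", "Editor applies to all VPC resources, not only shares"))
    source_account = subject.get("accountId")
    if source_account and source_account != this_account:
        findings.append((pid, "info", f"cross-account: file service in {source_account} may use this account's resources (one-way)"))
    return findings


def audit(policies, this_account):
    return [finding for policy in policies for finding in audit_policy(policy, this_account)]


# Constructed sample: a (fictional) account's policy listing.
THIS_ACCOUNT = "0123456789abcdef0123456789abcdef"
OTHER_ACCOUNT = "fedcba9876543210fedcba9876543210"


def _policy(pid, subject, roles, resource):
    return {"id": pid, "type": "authorization",
            "subjects": [{"attributes": [{"name": k, "value": v} for k, v in subject]}],
            "roles": [{"role_id": r} for r in roles],
            "resources": [{"attributes": [{"name": k, "value": v, "operator": "stringEquals"} for k, v in resource]}]}


SAMPLE_POLICIES = [
    # Same-account CRK use, exactly as this page recommends.
    _policy("p-kms-reader", [("serviceName", "is"), ("resourceType", "share")],
            ["crn:v1:bluemix:public:iam::::serviceRole:Reader"], [("serviceName", "kms")]),
    # Over-broad: Editor on HPCS, granted to the whole VPC service.
    _policy("p-hpcs-editor", [("serviceName", "is")],
            ["crn:v1:bluemix:public:iam::::role:Editor"], [("serviceName", "hs-crypto")]),
    # Cross-account ShareBroker that forgot the shareId condition.
    _policy("p-broker-wide", [("accountId", OTHER_ACCOUNT), ("serviceName", "is"), ("resourceType", "share")],
            ["crn:v1:bluemix:public:iam::::role:ShareBroker"], [("serviceName", "is"), ("resourceType", "share")]),
    # Cross-account key use, scoped as this page describes.
    _policy("p-hpcs-xacct", [("accountId", OTHER_ACCOUNT), ("serviceName", "is"), ("resourceType", "share")],
            ["crn:v1:bluemix:public:iam::::role:AuthorizationDelegator", "crn:v1:bluemix:public:iam::::serviceRole:Reader"],
            [("accountId", THIS_ACCOUNT), ("serviceName", "hs-crypto")]),
]

if __name__ == "__main__":
    for pid, severity, message in audit(SAMPLE_POLICIES, THIS_ACCOUNT):
        print(f"{severity:5} {pid}: {message}")
```

To run it against a real account, save the CLI output with ibmcloud iam authorization-policies --output json, load it with json.load, and pass the list to audit() together with your own account ID; anything reported as info is a grant to another account's file service and should exist in the other direction only if that account has deliberately created it.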

Creating service-to-service authorization for cross-region replication from the CLI

Run the ibmcloud iam authorization-policy-create command to authorize the regional file services to work together.

ibmcloud iam authorization-policy-create is is Editor --source-resource-type share --target-resource-type share

See the following example.

$ ibmcloud iam authorization-policy-create is is Editor --source-resource-type share --target-resource-type share 
Creating authorization policy under account a1234567 as test.user@ibm.com...
OK
Authorization policy f311f255-d20e-49d0-aa94-316feaba981e was created.
                           
ID:                        f311f255-d20e-49d0-aa94-316feaba981e
Source service name:       is
Source service instance:   All instances
Source resource type:      share
Target service name:       is
Target service instance:   All instances
Target resource type:      share
Roles:                     Editor

For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.

Creating service-to-service authorization for cross-account access from the CLI

As the share owner, create a JSON file and use it with the ibmcloud iam authorization-policy-create command to create the service-to-service authorization that lets the File Storage for VPC service of the accessor account (source) access the origin share in your account (target). The policy is created in your account, the one that owns the origin share.

  1. Create a JSON file with the following content. In this example, the file is created as policy.json in the Documents folder. Replace the placeholders with the 32-character account IDs and the ID of the origin share.

    {
         "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:ShareBroker","display_name": "Share Broker",
                  "description": "As a share broker, you can create and delete share bindings"}],
         "resources": [{"attributes": [
             {"name": "accountId","value": "<origin share owner Account ID>","operator": "stringEquals"},
             {"name": "serviceName","value": "is","operator": "stringEquals"},
             {"name": "shareId","value": "<OriginShareId>","operator": "stringEquals"}]}],
         "type": "authorization",
         "description": "ShareBroker role for File Storage for VPC cross-account share access",
         "subjects": [{"attributes": [
             {"name": "serviceName","value": "is"},
             {"name": "resourceType","value": "share"},
             {"name": "accountId","value": "<accessor share Account ID>"}]}]
         }
    
  2. Then, run the CLI command with the JSON file to create the authorization policy.

    ibmcloud iam authorization-policy-create --file ~/Documents/policy.json
    

Creating service-to-service authorization for customer-managed encryption with the API

Make a request to the IAM Policy Management API to create the service-to-service authorization for the source share's file service to interact with a Key Management Service instance (Key Protect or Hyper Protect Crypto Services).

  • The following example shows how you can authorize the File service is.share (source) to interact with the Key Protect service kms (target) with the Reader role. The body type is authorization (not access), and because Reader is a service role its CRN uses serviceRole.

    curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
      -H "Authorization: Bearer $TOKEN" \
      -H 'Content-Type: application/json' \
      -d '{
      "type": "authorization",
      "description": "Reader role for the file service to interact with the Key Protect service.",
      "subjects": [{"attributes": [{"name": "serviceName","value": "is"},{"name": "resourceType","value": "share"}]}],
      "roles":[{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader"}],
      "resources":[{"attributes": [{"name": "serviceName","value": "kms"}]}]
      }'
    
  • To create an authorization policy for Hyper Protect Crypto Services, replace kms with hs-crypto in the previous example.

Creating service-to-service authorization for cross-account encryption with the API

As the owner of the encryption key, make a request to the IAM Policy Management API to create the service-to-service authorization that lets the File Storage for VPC service of another account (source) use the key management service instance in your account (target). The following example is for Hyper Protect Crypto Services; for Key Protect, replace hs-crypto with kms. Replace the placeholders with the 32-character account IDs.

curl -X "POST" "https://iam.cloud.ibm.com/v1/policies" \
     -H "Authorization: Bearer <Auth Token>" \
     -H 'Content-Type: application/json' \
     -d '{
      "type": "authorization",
      "description": "Reader and Delegator roles for the file service of the key user account on the Hyper Protect Crypto Services instance of the key owner account",
      "subjects": [{"attributes": [
            {"name": "accountId","value": "<key user account ID>"},
            {"name": "serviceName","value": "is"},
            {"name": "resourceType","value": "share"}]}],
      "roles": [
         {"role_id":"crn:v1:bluemix:public:iam::::role:AuthorizationDelegator"},
         {"role_id":"crn:v1:bluemix:public:iam::::serviceRole:Reader"}],
      "resources": [{"attributes": [
            {"name": "accountId","value": "<key owner account ID>","operator": "stringEquals"},
            {"name": "serviceName","value": "hs-crypto","operator": "stringEquals"}]}]
   }'

Creating service-to-service authorization for cross-region replication with the API

Make a request to the IAM Policy Management API to create the service-to-service authorization for the source share's regional file service to interact with the replica share's regional file service.

  • Authorize is.share (source) to interact with is.share (target) with the Editor role. Editor is a platform role, so its CRN uses role.

    curl -X POST 'https://iam.cloud.ibm.com/v1/policies' \
      -H "Authorization: Bearer $TOKEN" \
      -H 'Content-Type: application/json' \
      -d '{
      "type": "authorization",
      "description": "Editor role for the source share regional file service to interact with the replica share regional file service.",
      "subjects": [{"attributes": [{"name": "serviceName","value": "is"},{"name": "resourceType","value": "share"}]}],
      "roles":[{"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}],
      "resources":[{"attributes": [{"name": "serviceName","value": "is"},{"name": "resourceType","value": "share"}]}]
      }'
    

For more information, see the API specification for IAM Policy Management.

Creating service-to-service authorization for cross-account access with the API

As the share owner, make a request to the IAM Policy Management API to create the service-to-service authorization that lets the File Storage for VPC service of the accessor account (source) access the origin share in your account (target). The policy is created in the account that owns the origin share.

curl -X "POST" "https://iam.cloud.ibm.com/v1/policies" \
     -H "Authorization: Bearer <Auth Token>" \
     -H 'Content-Type: application/json' \
     -d '{
        "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:ShareBroker","display_name": "Share Broker",
                 "description": "As a share broker, you can create and delete share bindings"}],
        "resources": [{"attributes": [
            {"name": "accountId","value": "<origin share owner Account ID>","operator": "stringEquals"},
            {"name": "serviceName","value": "is","operator": "stringEquals"},
            {"name": "shareId","value": "<OriginShareId>","operator": "stringEquals"}]}],
        "type": "authorization",
        "description": "ShareBroker role for File Storage for VPC cross-account share access",
        "subjects": [{"attributes": [
            {"name": "serviceName","value": "is"},
            {"name": "resourceType","value": "share"},
            {"name": "accountId","value": "<accessor share Account ID>"}]}]
        }'
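The four API bodies above differ only in their subject and resource attributes, and hand-editing them invites the same few mistakes: the wrong policy type, a role prefix of role where the Reader service role needs serviceRole, a misspelt operator, or an account ID with a stray character. The following Python module, an added example that is not IBM's code, builds each of the page's four authorizations from a handful of parameters and lints a body before it is sent. The role CRNs are the ones used on this page; the stringMatch operator, the account IDs and the share ID are assumptions or constructed placeholders.

```python
"""Assemble and sanity-check authorization-policy bodies for the IAM Policy
Management v1 API (POST https://iam.cloud.ibm.com/v1/policies).
Added example for this page, not IBM tooling; the output has the shape of the
curl bodies above. Account IDs and the share ID are constructed placeholders."""
import re

# Role CRNs as used on this page: Reader is a service role (serviceRole:),
# the others are platform-level roles (role:). The wrong prefix is rejected by IAM.
ROLE_CRN = {
    "Reader": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
    "Editor": "crn:v1:bluemix:public:iam::::role:Editor",
    "AuthorizationDelegator": "crn:v1:bluemix:public:iam::::role:AuthorizationDelegator",
    "ShareBroker": "crn:v1:bluemix:public:iam::::role:ShareBroker",
}
ACCOUNT_ID_RE = re.compile(r"^[0-9a-f]{32}$")               # the 32-character account ID
OPERATORS = {"stringEquals", "stringExists", "stringMatch"}  # stringMatch is an assumption

# Constructed placeholder identifiers (not real accounts or shares).
ACCOUNT_A = "0123456789abcdef0123456789abcdef"  # owns the file shares (source side)
ACCOUNT_B = "fedcba9876543210fedcba9876543210"  # owns the target; the policy is created here
ORIGIN_SHARE_ID = "r006-0a1b2c3d-4e5f-6789-abcd-ef0123456789"


def _attributes(pairs, operator=None):
    attrs = [{"name": name, "value": value} for name, value in pairs]
    if operator:
        for attr in attrs:
            attr["operator"] = operator
    return attrs


def build_authorization_policy(target_service, roles, *, source_service="is",
                               source_resource_type="share", source_account=None,
                               target_account=None, target_resource_type=None,
                               target_attrs=(), description=""):
    """Body granting `roles` on `target_service` to the `source_resource_type`
    resources of `source_service`; accountId attributes make it cross-account."""
    subject = [("accountId", source_account)] if source_account else []
    subject += [("serviceName", source_service), ("resourceType", source_resource_type)]
    resource = [("accountId", target_account)] if target_account else []
    resource.append(("serviceName", target_service))
    if target_resource_type:
        resource.append(("resourceType", target_resource_type))
    resource += list(target_attrs)  # e.g. ("shareId", ...) to pin a single share
    return {
        "type": "authorization",
        "description": description,
        "subjects": [{"attributes": _attributes(subject)}],
        "roles": [{"role_id": ROLE_CRN[role]} for role in roles],
        "resources": [{"attributes": _attributes(resource, "stringEquals")}],
    }


def lint_policy(policy):
    """Return the problems in a hand-written body; [] means it is well formed."""
    problems = []
    if policy.get("type") != "authorization":
        problems.append(f'type must be "authorization", not {policy.get("type")!r}')
    for section in ("subjects", "resources"):
        for entry in policy.get(section) or [{}]:
            if "attributes" not in entry:
                problems.append(f'{section} entry lacks an "attributes" list')
                continue
            for attr in entry["attributes"]:
                op, name, value = attr.get("operator"), attr.get("name"), str(attr.get("value"))
                if op is not None and op not in OPERATORS:
                    problems.append(f"{section}.{name}: unknown operator {op!r}")
                if name == "accountId" and not ACCOUNT_ID_RE.match(value):
                    problems.append(f"{section}.accountId {value!r} is not a 32-character hex ID")
    for role in policy.get("roles") or [{}]:
        crn = role.get("role_id", "")
        expected = ROLE_CRN.get(crn.rsplit(":", 1)[-1])
        if not crn or (expected and crn != expected):
            problems.append(f"role CRN {crn!r} should be {expected or 'a known role CRN'}")
    return problems


def example_policies():
    """The four authorizations described on this page, as API bodies."""
    return {
        "kms_reader": build_authorization_policy("kms", ["Reader"]),
        "hpcs_cross_account": build_authorization_policy(
            "hs-crypto", ["AuthorizationDelegator", "Reader"],
            source_account=ACCOUNT_A, target_account=ACCOUNT_B),
        "replication": build_authorization_policy("is", ["Editor"], target_resource_type="share"),
        "share_broker": build_authorization_policy(
            "is", ["ShareBroker"], source_account=ACCOUNT_A, target_account=ACCOUNT_B,
            target_resource_type="share", target_attrs=[("shareId", ORIGIN_SHARE_ID)]),
    }


# A body with three mistakes that are easy to make by hand: the wrong policy
# type, a platform-role CRN for the Reader service role, and a misspelt operator.
MISTAKEN_BODY = {
    "type": "access",
    "subjects": [{"attributes": [{"name": "serviceName", "value": "is"},
                                 {"name": "resourceType", "value": "share"}]}],
    "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Reader"}],
    "resources": [{"attributes": [{"name": "serviceName", "value": "kms", "operator": "share"}]}],
}
```

Write a body with json.dump to a file and pass it to ibmcloud iam authorization-policy-create --file policy.json, or to curl with -d @policy.json as in the examples above. The two cross-account bodies must be created in the target account (the one that owns the key or the origin share) with that account's credentials; lint_policy() only checks the body's shape, not whether the caller is in the right account.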

Creating service-to-service authorization for customer-managed encryption with Terraform

Create an authorization policy between the file service and the key management services by using the ibm_iam_authorization_policy resource in your main.tf file.

The following example creates an authorization policy between the file service and Key Protect when applied.

resource "ibm_iam_authorization_policy" "mypolicy4keyprotect" {
  source_service_name  = "is"
  source_resource_type = "share"
  target_service_name  = "kms"
  roles                = ["Reader"]
}

The following example creates an authorization policy between the file service and Hyper Protect Crypto Services when applied.

resource "ibm_iam_authorization_policy" "mypolicy4HPCS" {
  source_service_name  = "is"
  source_resource_type = "share"
  target_service_name  = "hs-crypto"
  roles                = ["Reader"]
}

For more information about the arguments and attributes, see the Terraform documentation for authorization resources.

Creating service-to-service authorization for cross-account encryption with Terraform

  1. Terraform supports configuring two different accounts for the IBM provider. The provider without an alias is the default provider. In the following example, two IBM Cloud accounts are specified, and the second is given the alias team_account, so that it can be referred to as ibm.team_account later.

    terraform {
      required_providers {
        ibm = {
          source = "IBM-Cloud/ibm"
          version = ">= 1.12.0"
        }
      }
    }
    
    provider "ibm" {
      ibmcloud_api_key = var.ibmcloud_api_key
      region           = var.region
      ibmcloud_timeout = var.ibmcloud_timeout
    }
    
    provider "ibm" {
      alias = "team_account"
      ibmcloud_api_key = var.ibmcloud_api_key_second_account
      region           = var.region
      ibmcloud_timeout = var.ibmcloud_timeout
    } 
    

    For more information about the arguments and attributes, see IBM Cloud provider.

  2. To create the IAM authorization between the file share service of one account and the key management service of another account, use the ibm_iam_authorization_policy resource. The policy is created in the account that owns the key, so the resource carries the provider alias for that account (ibm.team_account in this example), and the subject accountId is the account that owns the file shares. The following example creates an authorization between the file service of one account and the Hyper Protect Crypto Services service of another account.

    # Account that owns the file shares (default provider)
    data "ibm_iam_account_settings" "share_account" {}

    # Account that owns the key (aliased provider)
    data "ibm_iam_account_settings" "key_account" {
      provider = ibm.team_account
    }

    resource "ibm_iam_authorization_policy" "policy1" {
      provider = ibm.team_account
      subject_attributes {
        name  = "accountId"
        value = data.ibm_iam_account_settings.share_account.account_id
      }
      subject_attributes {
        name  = "serviceName"
        value = "is"
      }
      subject_attributes {
        name  = "resourceType"
        value = "share"
      }
      resource_attributes {
        name     = "accountId"
        operator = "stringEquals"
        value    = data.ibm_iam_account_settings.key_account.account_id
      }
      resource_attributes {
        name     = "serviceName"
        operator = "stringEquals"
        value    = "hs-crypto"
      }
      roles = ["Reader"]
    }
    

    The following example creates an authorization between the file service of one account and the Key Protect service of another account, scoped to the Key Protect instance that holds the key.

    resource "ibm_iam_authorization_policy" "policy" {
      provider                    = ibm.team_account
      source_service_name         = "is"
      source_resource_type        = "share"
      source_service_account      = "<fileshare-account-id>"
      target_service_name         = "kms"
      target_resource_instance_id = ibm_kms_key.key.instance_id
      roles                       = ["Reader"]
      description                 = "Authorization Policy"
    }
    

    Both resources must include the provider alias (in our example, ibm.team_account) whose ibmcloud_api_key belongs to the account where the encryption key is stored, because the authorization is created in that account.

Creating service-to-service authorization for cross-region replication with Terraform

Create an authorization policy between the file services in the different regions by using the ibm_iam_authorization_policy resource in your main.tf file.

resource "ibm_iam_authorization_policy" "mypolicy" {
  source_service_name  = "is"
  source_resource_type = "share"
  target_service_name  = "is"
  target_resource_type = "share"
  roles                = ["Editor"]
}

For more information about the arguments and attributes, see the Terraform documentation for authorization resources.

Creating service-to-service authorization for cross-account access with Terraform

  1. Terraform supports configuring two different accounts for the IBM provider. The provider without an alias is the default provider. In the following example, two IBM Cloud accounts are specified, and the second is given the alias team_account. That configuration must be referred to as ibm.team_account later.

    terraform {
      required_providers {
        ibm = {
          source = "IBM-Cloud/ibm"
          version = ">= 1.12.0"
        }
      }
    }
    
    provider "ibm" {
      ibmcloud_api_key = var.ibmcloud_api_key
      region           = var.region
      ibmcloud_timeout = var.ibmcloud_timeout
    }
    
    provider "ibm" {
      alias = "team_account"
      ibmcloud_api_key = var.ibmcloud_api_key_second_account
      region           = var.region
      ibmcloud_timeout = var.ibmcloud_timeout
    } 
    

    For more information about the arguments and attributes, see IBM Cloud provider.

  2. To create the IAM authorization between the file share service of one account and the file share service of a different account, use the ibm_iam_authorization_policy resource. The policy is created in the account that owns the origin share (the target), so the resource carries the provider alias for that account; the source is the file service of the accessor account. The following example creates an authorization between the file services of two accounts.

    resource "ibm_iam_authorization_policy" "policy" {
      provider               = ibm.team_account
      source_service_name    = "is"
      source_resource_type   = "share"
      source_service_account = "<Accessor-Account-id>"
      target_service_name    = "is"
      target_resource_type   = "share"
      target_service_account = "<ShareOwner-Account-id>"
      roles                  = ["ShareBroker"]
      description            = "Authorization Policy"
    }
    

    Or, to limit the authorization to a single origin share:

    # Accessor account (default provider)
    data "ibm_iam_account_settings" "accessor_account" {}

    # Account that owns the origin share (aliased provider)
    data "ibm_iam_account_settings" "owner_account" {
      provider = ibm.team_account
    }

    resource "ibm_iam_authorization_policy" "policy1" {
      provider = ibm.team_account
      subject_attributes {
        name  = "accountId"
        value = data.ibm_iam_account_settings.accessor_account.account_id
      }
      subject_attributes {
        name  = "serviceName"
        value = "is"
      }
      subject_attributes {
        name  = "resourceType"
        value = "share"
      }
      resource_attributes {
        name     = "accountId"
        operator = "stringEquals"
        value    = data.ibm_iam_account_settings.owner_account.account_id
      }
      resource_attributes {
        name     = "serviceName"
        operator = "stringEquals"
        value    = "is"
      }
      resource_attributes {
        name     = "shareId"
        operator = "stringEquals"
        value    = "<OriginShareId>"
      }
      roles = ["ShareBroker"]
    }
    

    Both resources must include the provider alias (in our example, ibm.team_account) whose ibmcloud_api_key belongs to the account where the origin share is, because the authorization is created in that account.

    For more information about the arguments and attributes, see ibm_iam_authorization_policy.

Next Steps