Granting access to IBM Cloud Object Storage to import and export images

To import a custom image to IBM Cloud VPC, or to export a custom image from IBM Cloud VPC, you must have an instance of IBM Cloud® Object Storage available. You must also create a bucket in IBM Cloud Object Storage to store your images. Finally, you must create an authorization so that the Image Service for VPC can access IBM Cloud Object Storage.

Creating an IBM Cloud Object Storage service instance

If you need to create an instance of IBM Cloud Object Storage, see Getting started with IBM Cloud Object Storage.

From IBM Cloud Identity and Access Management, you must create an authorization so that the Image Service for VPC can access IBM Cloud Object Storage.

Creating an authorization

To authorize the Image Service for VPC to access the target service, IBM Cloud Object Storage, you must create an authorization. To import an image, you must specify the Reader service access role for IBM Cloud Object Storage. To export an image, you must specify the Writer service access role for IBM Cloud Object Storage. With both Reader and Writer service access roles for IBM Cloud Object Storage, you can both import and export images.

Granting Reader and Writer access with the UI

Complete the following steps to create an authorization for the Image Service for VPC to both import images from an IBM Cloud Object Storage service instance and export images to an IBM Cloud Object Storage service instance.

  1. From the IBM Cloud console menu bar, click Manage > Access (IAM), and select Authorizations.

  2. On the Manage authorizations page, click Create.

  3. Make your selection for the Source account. By default, This account is selected. Click Next.

  4. Select a source service for the authorization. Specify VPC Infrastructure Services as the source service. Click Next.

  5. For Resources, make your selection for how you want to scope the access.

    1. Select Specific resources.
    2. For Specific resources, select Resource type and Image service for VPC.
    3. Click Next.

  6. For the Target service, select Cloud Object Storage. Click Next.

  7. For Resources, specify how you want to scope the access. You can use the default selection All resources. Click Next.

    If you want to scope the access to a specific resource within IBM Cloud Object Storage, you can select Resources based on selected attributes. Then make selections to narrow the access according to your preferences.

  8. For Roles, select both service access roles, Reader and Writer.

  9. Click Review to ensure your selections look correct.

  10. Click Authorize.

For more information, see Using authorizations to grant access between services.

Granting Reader and Writer access to all buckets from the CLI

To grant both Reader and Writer access to all buckets in IBM Cloud Object Storage, run the iam authorization-policy-create command. The following command authorizes the Image Service for VPC to both import images from any bucket in an IBM Cloud Object Storage service instance and export images to any bucket in an IBM Cloud Object Storage service instance.

ibmcloud iam authorization-policy-create is cloud-object-storage Reader,Writer --source-resource-type image

For more information, see ibmcloud iam authorization-policy-create.

Granting access to a specific bucket from the CLI

You can choose to grant authorization to a specific bucket in IBM Cloud Object Storage. The following example describes how to grant Reader access to a specific bucket for importing images from IBM Cloud Object Storage. To export an image to IBM Cloud Object Storage, you must also grant Writer access.

Before you run the command, you need to know the GUID of the IBM Cloud Object Storage service instance.

  1. Use the ibmcloud resource service-instance command to obtain the GUID. See the following example:

    $ ibmcloud resource service-instance cos-fs-cloud-us-south
    Retrieving service instance cos-fs-cloud-us-south in all resource groups under account Test Account as test.user@ibm.com...
    OK
    
    Name:                  cos-fs-cloud-us-south
    ID:                    crn:v1:bluemix:public:cloud-object-storage:global:a/a1234567:0e4a33e6-973e-42b6-bea4-ce1b3aebe163::
    GUID:                  0e4a33e6-973e-42b6-bea4-ce1b3aebe163
    Location:              global
    Service Name:          cloud-object-storage
    Service Plan Name:     standard
    Resource Group Name:   defaults
    State:                 active
    Type:                  service_instance
    Sub Type:
    Locked:                false
    Created at:            2021-07-27T14:40:45Z
    Created by:            IBMid-12345678
    Updated at:            2021-07-27T14:40:47Z
    Last Operation:
                           Status    create succeeded
                           Message   Completed create instance operation
    
  2. Run the following command and replace $COS_INSTANCE_GUID with the GUID value.

    ibmcloud iam authorization-policy-create is cloud-object-storage Reader --source-resource-type image --target-service-instance-id $COS_INSTANCE_GUID
    

    A successful response looks like the following example:

    $ ibmcloud iam authorization-policy-create is cloud-object-storage Reader --source-resource-type image --target-service-instance-id 0e4a33e6-973e-42b6-bea4-ce1b3aebe163
    Creating authorization policy under account a1234567 as test.user@ibm.com...
    OK
    Authorization policy 0bbcb168-bf7b-4ebf-9684-769f1d7e80e7 was created.
    
    ID:                        0bbcb168-bf7b-4ebf-9684-769f1d7e80e7
    Source service name:       is
    Source service instance:   All instances
    Source resource type:      image
    Target service name:       cloud-object-storage
    Target service instance:   0e4a33e6-973e-42b6-bea4-ce1b3aebe163
    Roles:                     Reader
    

For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.

Granting access with the API

To authorize a source service to access a target service, use the IAM Policy Management API. See the following API example for the Create a policy method, with type=authorization specified. All of the possible attributes are listed.

The supported attributes for creating an authorization policy depend on what each service supports. For more information about the supported attributes for each service, refer to the documentation for the services that you're using.

The example shows an authorization policy for the Image Service for VPC to access IBM Cloud Object Storage.

curl --location --request POST 'https://iam.cloud.ibm.com/v1/policies' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <iam token>' \
--data-raw '{
    "type": "authorization",
    "subjects": [
        {
            "attributes": [
                {
                    "name": "accountId",
                    "value": "$ACCOUNT_ID"
                },
                {
                    "name": "serviceName",
                    "value": "is"
                },
                {
                    "name": "resourceType",
                    "value": "image"
                }
            ]
        }
    ],
    "roles": [
        {
            "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader"
        },
        {
            "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Writer"
        }
    ],
    "resources": [
        {
            "attributes": [
                {
                    "name": "accountId",
                    "value": "$ACCOUNT_ID"
                },
                {
                    "name": "serviceName",
                    "value": "cloud-object-storage"
                }
            ]
        }
    ]
}'
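The CLI and API sections above describe the same policy in two forms: a subject (the Image Service for VPC), a target (IBM Cloud Object Storage, optionally scoped to one service instance) and one or both of the Reader and Writer service access roles. The following added example, which is not part of the IBM documentation, builds that request body programmatically and then reviews a policy body for the scoping and role choices a practitioner would check before authorizing it: whether the target is narrowed to a single Object Storage instance, and whether Writer is granted when only import is needed. The attribute name `serviceInstance` used to scope the target to one instance is an assumption; the account ID and GUID values are the sample values from this page, and the constructed sample policies in `main` are illustrative only.

```python
import json

# Service role CRNs exactly as they appear in the API example above.
READER = "crn:v1:bluemix:public:iam::::serviceRole:Reader"
WRITER = "crn:v1:bluemix:public:iam::::serviceRole:Writer"


def build_image_service_cos_policy(account_id, allow_import, allow_export,
                                   cos_instance_guid=None):
    """Return the JSON body for POST /v1/policies with type=authorization.

    Subject: Image Service for VPC (serviceName "is", resourceType "image").
    Target:  IBM Cloud Object Storage; when cos_instance_guid is given the
             target is narrowed with a "serviceInstance" attribute
             (assumed attribute name, not taken from this page).
    Reader is needed to import images, Writer to export them.
    """
    roles = []
    if allow_import:
        roles.append({"role_id": READER})
    if allow_export:
        roles.append({"role_id": WRITER})
    if not roles:
        raise ValueError("policy would grant no roles; nothing to authorize")

    target_attrs = [
        {"name": "accountId", "value": account_id},
        {"name": "serviceName", "value": "cloud-object-storage"},
    ]
    if cos_instance_guid:
        target_attrs.append({"name": "serviceInstance", "value": cos_instance_guid})

    return {
        "type": "authorization",
        "subjects": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": "is"},
            {"name": "resourceType", "value": "image"},
        ]}],
        "roles": roles,
        "resources": [{"attributes": target_attrs}],
    }


def _attrs(section):
    """Flatten an IAM attributes list into a name -> value dict."""
    return {a["name"]: a["value"] for a in section["attributes"]}


def review_policy(policy, export_required):
    """Return a list of least-privilege findings for an authorization body.

    An empty list means the policy is scoped to one Object Storage instance,
    restricted to the image resource type, and grants only the roles the
    stated use (import only, or import and export) calls for.
    """
    findings = []
    if policy.get("type") != "authorization":
        return ["not an authorization policy"]

    subject = _attrs(policy["subjects"][0])
    if subject.get("serviceName") != "is" or subject.get("resourceType") != "image":
        findings.append("source is not restricted to the Image Service for VPC (is/image)")

    target = _attrs(policy["resources"][0])
    if target.get("serviceName") != "cloud-object-storage":
        findings.append("target is not cloud-object-storage")
    if "serviceInstance" not in target:
        findings.append("target covers all Object Storage instances in the account")

    roles = {r["role_id"] for r in policy["roles"]}
    if WRITER in roles and not export_required:
        findings.append("Writer granted but export is not required")
    if READER not in roles:
        findings.append("Reader missing; images cannot be imported")
    extra = roles - {READER, WRITER}
    if extra:
        findings.append("unexpected roles: " + ", ".join(sorted(extra)))
    return findings


def review_policy_json(text, export_required):
    """Parse a policy body (for example the curl payload above) and review it."""
    return review_policy(json.loads(text), export_required)


def main():
    # Constructed: import-only policy scoped to the instance GUID shown on this page.
    narrow = build_image_service_cos_policy("a1234567", True, False,
                                            "0e4a33e6-973e-42b6-bea4-ce1b3aebe163")
    print(json.dumps(narrow, indent=2))
    print("findings:", review_policy(narrow, export_required=False))

    # Constructed: the broad import-and-export policy from the API example.
    broad = build_image_service_cos_policy("a1234567", True, True)
    print("findings:", review_policy(broad, export_required=False))


if __name__ == "__main__":
    main()
```

`review_policy` is meant for the body you are about to submit, or for a body you have reconstructed from an existing policy, so the two decisions the page leaves to you (scope to one instance or to all, Reader alone or Reader and Writer) are made deliberately rather than by default.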

Next steps

When you've completed these steps so that Image Service for VPC can access images in IBM Cloud Object Storage or export images to IBM Cloud Object Storage, continue with one of the following topics: