To import a custom image to IBM Cloud VPC, or to export a custom image from IBM Cloud VPC, you must have an instance of IBM Cloud® Object Storage available. You must also create a bucket in IBM Cloud Object Storage to store your images. Finally, you must create an authorization so that the Image Service for VPC can access IBM Cloud Object Storage.
Creating an authorization
To authorize the Image Service for VPC to access the target service, IBM Cloud Object Storage, you must create an authorization. To import an image, you must specify the Reader service access role for IBM Cloud Object Storage. To export an image, you must specify the Writer service access role for IBM Cloud Object Storage. With both Reader and Writer service access roles for IBM Cloud Object Storage, you can both import and export images.
Granting Reader and Writer access with the UI
Complete the following steps to create an authorization for the Image Service for VPC to both import images from an IBM Cloud Object Storage service instance and export images to an IBM Cloud Object Storage service instance.
- From the IBM Cloud console menu bar, click Manage > Access (IAM), and select Authorizations.
- On the Manage authorizations page, click Create.
- Make your selection for the Source account. By default, This account is selected.
- Select a source service for the authorization. Specify VPC Infrastructure Services as the source service.
  - For How do you want to scope the access?, select Resources based on selected attributes.
  - For Add attributes, select Resource type.
  - For Resource type, select Image Service for VPC.
- For the Target service, select Cloud Object Storage. For How do you want to scope the access?, you can use the default selection All resources. If you want to scope the access to a specific resource within IBM Cloud Object Storage, select Resources based on selected attributes, then make selections to narrow the access according to your preferences.
- For the service access roles, select Reader and Writer.
- Click Authorize.
For more information, see Using authorizations to grant access between services.
Granting Reader and Writer access to all buckets from the CLI
To grant both Reader and Writer access to all buckets in IBM Cloud Object Storage, run the iam authorization-policy-create command. The following command authorizes the Image Service for VPC to both import images from any bucket in an IBM Cloud Object Storage service instance and export images to any bucket in an IBM Cloud Object Storage service instance.
ibmcloud iam authorization-policy-create is cloud-object-storage Reader,Writer --source-resource-type image
For more information, see ibmcloud iam authorization-policy-create.
Granting access to a specific bucket from the CLI
You can choose to grant authorization to a specific bucket in IBM Cloud Object Storage. The following example describes how to grant Reader access to a specific bucket for importing images from IBM Cloud Object Storage. To export an image to IBM Cloud Object Storage, you must also grant Writer access.
Before you run the command, you need to know the GUID for the IBM Cloud Object Storage service instance.
- Use the ibmcloud resource service-instance command to obtain the GUID. See the following example:
$ ibmcloud resource service-instance cos-fs-cloud-us-south
Retrieving service instance cos-fs-cloud-us-south in all resource groups under account Test Account as test.user@ibm.com...
OK
Name: cos-fs-cloud-us-south
ID: crn:v1:bluemix:public:cloud-object-storage:global:a/a1234567:0e4a33e6-973e-42b6-bea4-ce1b3aebe163::
GUID: 0e4a33e6-973e-42b6-bea4-ce1b3aebe163
Location: global
Service Name: cloud-object-storage
Service Plan Name: standard
Resource Group Name: defaults
State: active
Type: service_instance
Sub Type:
Locked: false
Created at: 2021-07-27T14:40:45Z
Created by: IBMid-12345678
Updated at: 2021-07-27T14:40:47Z
Last Operation:
Status create succeeded
Message Completed create instance operation
- Run the following command and replace $COS_INSTANCE_GUID with the GUID value.
ibmcloud iam authorization-policy-create is cloud-object-storage Reader --source-resource-type image --target-service-instance-id $COS_INSTANCE_GUID
A successful response looks like the following example:
$ ibmcloud iam authorization-policy-create is cloud-object-storage Reader --source-resource-type image --target-service-instance-id 0e4a33e6-973e-42b6-bea4-ce1b3aebe163
Creating authorization policy under account a1234567 as test.user@ibm.com...
OK
Authorization policy 0bbcb168-bf7b-4ebf-9684-769f1d7e80e7 was created.
ID: 0bbcb168-bf7b-4ebf-9684-769f1d7e80e7
Source service name: is
Source service instance: All instances
Source resource type: image
Target service name: cloud-object-storage
Target service instance: 0e4a33e6-973e-42b6-bea4-ce1b3aebe163
Roles: Reader
For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
Granting access with the API
To authorize a source service to access a target service, use the IAM Policy Management API. See the following API example for the Create a policy method with type=authorization specified. All of the possible attributes are listed.
The supported attributes for creating an authorization policy depend on what each service supports. For more information about the supported attributes for each service, refer to the documentation for the services that you're using.
The example shows an authorization policy for the Image Service for VPC to access IBM Cloud Object Storage.
curl --location --request POST 'https://iam.cloud.ibm.com/v1/policies' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <iam token>' \
  --data-raw '{
    "type": "authorization",
    "subjects": [
      {
        "attributes": [
          { "name": "accountId", "value": "$ACCOUNT_ID" },
          { "name": "serviceName", "value": "is" },
          { "name": "resourceType", "value": "image" }
        ]
      }
    ],
    "roles": [
      { "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader" },
      { "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Writer" }
    ],
    "resources": [
      {
        "attributes": [
          { "name": "accountId", "value": "$ACCOUNT_ID" },
          { "name": "serviceName", "value": "cloud-object-storage" }
        ]
      }
    ]
  }'
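The CLI section above scopes the authorization to one Cloud Object Storage instance with --target-service-instance-id, while the API example grants Reader and Writer against every instance in the account. The following Python is an added example, not IBM's code: it builds the same POST /v1/policies body with only the role the task needs (Reader for import, Writer for export) and optionally narrowed to one instance, and it audits an existing policy body for the two over-broad grants (Writer where only import is required, and an unscoped target). It assumes that the API counterpart of the CLI's --target-service-instance-id flag is the resource attribute named serviceInstance; the account ID and GUID in the usage section are the constructed values from the page's sample output.

```python
# Added example (not IBM's code): build a least-privilege authorization policy
# body for the IAM Policy Management API and audit a policy for over-broad
# grants. Assumption: scoping the target to one Cloud Object Storage instance
# uses the resource attribute "serviceInstance" (the API counterpart of the
# CLI's --target-service-instance-id flag).
import json

READER = "crn:v1:bluemix:public:iam::::serviceRole:Reader"
WRITER = "crn:v1:bluemix:public:iam::::serviceRole:Writer"

# Roles each task needs: import reads from COS, export writes to COS.
ROLES_FOR = {
    "import": [READER],
    "export": [WRITER],
    "both": [READER, WRITER],
}


def build_policy(account_id, purpose, cos_instance_guid=None):
    """Return the JSON-serialisable body for POST /v1/policies (type=authorization).

    purpose: "import", "export" or "both". cos_instance_guid narrows the target to
    a single Cloud Object Storage instance instead of every instance in the account.
    """
    if purpose not in ROLES_FOR:
        raise ValueError(f"purpose must be one of {sorted(ROLES_FOR)}, got {purpose!r}")
    target = [
        {"name": "accountId", "value": account_id},
        {"name": "serviceName", "value": "cloud-object-storage"},
    ]
    if cos_instance_guid:
        # Assumed attribute name; see the lead-in.
        target.append({"name": "serviceInstance", "value": cos_instance_guid})
    return {
        "type": "authorization",
        "subjects": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": "is"},
            {"name": "resourceType", "value": "image"},
        ]}],
        "roles": [{"role_id": r} for r in ROLES_FOR[purpose]],
        "resources": [{"attributes": target}],
    }


def _attrs(section):
    """Flatten [{"attributes": [{"name": ..., "value": ...}, ...]}, ...] into a dict."""
    return {a["name"]: a["value"] for entry in section for a in entry.get("attributes", [])}


def audit_policy(policy, export_required=False):
    """Return human-readable findings for an Image Service -> COS authorization.

    An empty list means the policy is as narrow as this check can tell.
    """
    findings = []
    roles = {r["role_id"] for r in policy.get("roles", [])}
    subject = _attrs(policy.get("subjects", []))
    target = _attrs(policy.get("resources", []))
    if WRITER in roles and not export_required:
        findings.append("grants Writer on Cloud Object Storage although only import is needed")
    if subject.get("resourceType") != "image":
        findings.append("source is not restricted to resource type image")
    if target.get("serviceName") != "cloud-object-storage":
        findings.append("target service is not cloud-object-storage")
    elif "serviceInstance" not in target:
        findings.append("target scope is every Cloud Object Storage instance in the account")
    return findings


def policy_json(policy):
    """Serialise the body for use as the curl --data-raw payload."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sample values; the account ID and GUID mirror the page's example output.
    narrow = build_policy("a1234567", "import", "0e4a33e6-973e-42b6-bea4-ce1b3aebe163")
    print(policy_json(narrow))
    print("findings (import, scoped):", audit_policy(narrow))
    broad = build_policy("a1234567", "both")
    print("findings (both roles, unscoped):", audit_policy(broad, export_required=True))
```

Feeding the page's own curl body to audit_policy with export_required=False reports both findings, which is the expected result for an import-only workflow; pass export_required=True when the account genuinely exports images and only the instance-scope finding remains.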