openshift-docs/modules/installation-ibm-cloud-iam-policies-api-key.adoc

// Module included in the following assemblies:
//
// installing/installing_ibm_cloud/installing-ibm-cloud-account.adoc
// installing/installing_ibm_powervs/installing-ibm-cloud-account-power-vs.adoc

ifeval::["{context}" == "installing-ibm-cloud-account"]
:ibm-vpc:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-account-power-vs"]
:ibm-power-vs:
endif::[]

:_mod-docs-content-type: CONCEPT
[id="installation-ibm-cloud-iam-policies-api-key_{context}"]
= {ibm-cloud-title} IAM Policies and API Key

To install {product-title} into your {ibm-cloud-name} account, the installation program requires an IAM API key, which provides authentication and authorization to access {ibm-cloud-name} service APIs. You can use an existing IAM API key that contains the required policies or create a new one.

For an {ibm-cloud-name} IAM overview, see the {ibm-cloud-name} link:https://cloud.ibm.com/docs/account?topic=account-iamoverview[documentation].

ifdef::ibm-vpc[]
[id="required-access-policies-ibm-cloud_{context}"]
== Required access policies

You must assign the required access policies to your {ibm-cloud-name} account.

.Required access policies
[cols="1,2,2,2,3",options="header"]
|===
|Service type |Service |Access policy scope |Platform access |Service access

|Account management
|IAM Identity Service
|All resources or a subset of resources ^[1]^
|Editor, Operator, Viewer, Administrator
|Service ID creator

|Account management ^[2]^
|Identity and Access Management
|All resources
|Editor, Operator, Viewer, Administrator
|

|Account management
|Resource group only
|All resource groups in the account
|Administrator
|

|IAM services
|Cloud Object Storage
|All resources or a subset of resources ^[1]^
|Editor, Operator, Viewer, Administrator
|Reader, Writer, Manager, Content Reader, Object Reader, Object Writer

|IAM services
|Internet Services
|All resources or a subset of resources ^[1]^
|Editor, Operator, Viewer, Administrator
|Reader, Writer, Manager

|IAM services
|DNS Services
|All resources or a subset of resources ^[1]^
|Editor, Operator, Viewer, Administrator
|Reader, Writer, Manager


|IAM services
|VPC Infrastructure Services
|All resources or a subset of resources ^[1]^
|Editor, Operator, Viewer, Administrator
|Reader, Writer, Manager
|===
[.small]
--
1. The policy access scope should be set based on how granular you want to assign access. The scope can be set to *All resources* or *Resources based on selected attributes*.
2. Optional: This access policy is only required if you want the installation program to create a resource group. For more information about resource groups, see the {ibm-name} link:https://cloud.ibm.com/docs/account?topic=account-rgs[documentation].
--
//TODO: IBM confirmed current values in the table above. They hope to provide more guidance on possibly scoping down the permissions (related to resource group actions).
endif::ibm-vpc[]

ifdef::ibm-power-vs[]
[id="pre-requisite-permissions-ibm-cloud_{context}"]
== Pre-requisite permissions

.Pre-requisite permissions
[cols="1,2",options="header"]
|===
|Role |Access

|Viewer, Operator, Editor, Administrator, Reader, Writer, Manager
|Internet Services service in <resource_group> resource group

|Viewer, Operator, Editor, Administrator, User API key creator, Service ID creator
|IAM Identity Service service

|Viewer, Operator, Administrator, Editor, Reader, Writer, Manager, Console Administrator
|VPC Infrastructure Services service in <resource_group> resource group

|Viewer
|Resource Group: Access to view the resource group itself. The resource type should equal `Resource group`, with a value of <your_resource_group_name>.
|===

[id="cluster-creation-permissions-ibm-cloud_{context}"]
== Cluster-creation permissions

.Cluster-creation permissions
[cols="1,2",options="header"]
|===
|Role |Access

|Viewer
|<resource_group> (Resource Group Created for Your Team)

|Viewer, Operator, Editor, Reader, Writer, Manager
|All Identity and IAM enabled services in Default resource group

|Viewer, Reader
|Internet Services service

|Viewer, Operator, Reader, Writer, Manager, Content Reader, Object Reader, Object Writer, Editor
|Cloud Object Storage service

|Viewer
|Default resource group: The resource type should equal `Resource group`, with a value of `Default`. If your account administrator changed your account's default resource group to something other than Default, use that value instead.

|Viewer, Operator, Editor, Reader, Manager
|Workspace for {ibm-power-server-name} service in <resource_group> resource group

|Viewer, Operator, Editor, Reader, Writer, Manager, Administrator
|Internet Services service in <resource_group> resource group: CIS functional scope string equals reliability

|Viewer, Operator, Editor
|Transit Gateway service

|Viewer, Operator, Editor, Administrator, Reader, Writer, Manager, Console Administrator
|VPC Infrastructure Services service <resource_group> resource group
|===
endif::ibm-power-vs[]

[id="access-policy-assignment-ibm-cloud_{context}"]
== Access policy assignment

ifdef::ibm-vpc[]
In {ibm-cloud-name} IAM, access policies can be attached to different subjects:
endif::ibm-vpc[]
ifdef::ibm-power-vs[]
In {ibm-cloud-name} IAM, access policies can be attached to different subjects:
endif::ibm-power-vs[]

* Access group (Recommended)
* Service ID
* User

The recommended method is to define IAM access policies in an link:https://cloud.ibm.com/docs/account?topic=account-groups[access group]. This helps organize all the access required for {product-title} and enables you to onboard users and service IDs to this group. You can also assign access to link:https://cloud.ibm.com/docs/account?topic=account-assign-access-resources[users and service IDs] directly, if desired.

ifeval::["{context}" == "installing-ibm-cloud-account"]
:!ibm-vpc:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-account-power-vs"]
:!ibm-power-vs:
endif::[]