| copyright | lastupdated | keywords | subcollection |
|---|---|---|---|
| | 2020-06-15 | grant access to keys | key-protect |
{:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:external: target="_blank" .external} {:codeblock: .codeblock} {:tip: .tip} {:note: .note} {:important: .important} {:deprecated: .deprecated} {:term: .term}
{: #grant-access-keys}
You can enable different levels of access to {{site.data.keyword.keymanagementservicelong}} resources in your {{site.data.keyword.cloud_notm}} account by creating and modifying {{site.data.keyword.cloud_notm}} IAM access policies. {: shortdesc}
As an account admin, determine an access policy type{: external} for users, service IDs, and access groups{: term} based on your internal access control requirements. For example, if you want to grant user access to {{site.data.keyword.keymanagementserviceshort}} at the smallest scope available, you can assign access to a single key in an instance.
{: #grant-access-instance-level}
You can grant access to keys within a {{site.data.keyword.keymanagementserviceshort}} service instance by using the {{site.data.keyword.cloud_notm}} console.
Review roles and permissions to learn how {{site.data.keyword.cloud_notm}} IAM roles map to {{site.data.keyword.keymanagementserviceshort}} actions. {: tip}
To assign access:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select a table row, and click the ⋯ icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Assign users additional access.
- Click the IAM services button.
- From the list of services, select {{site.data.keyword.keymanagementserviceshort}}.
- From the list of service instances, select a {{site.data.keyword.keymanagementserviceshort}} service instance that you want to grant access to.
- Choose a combination of platform and service access roles to assign access for the user.
- Click Add.
- Continue to add platform and service access roles as needed and when you are finished, click Assign.
{: caption="Figure 1. Shows how to grant user access to an instance." caption-side="bottom"}
{: #grant-access-key-level}
You can also assign access to a single key in a {{site.data.keyword.keymanagementserviceshort}} service instance.
{: #access-key-retrieve-ID}
Retrieve the unique identifier that's associated with the key that you want to grant someone access to.
To get the ID for a specific key, you can:
- Access the {{site.data.keyword.keymanagementserviceshort}} GUI to browse the keys that are stored in your service instance.
- Use the {{site.data.keyword.keymanagementserviceshort}} API to retrieve a list of your keys, along with metadata about the keys.
{: #access-key-create-policy}
Use the retrieved key ID to create an access policy:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select a table row, and click the ⋯ icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Assign users additional access.
- From the list of services, select {{site.data.keyword.keymanagementserviceshort}}.
- From the list of service instances, select the {{site.data.keyword.keymanagementserviceshort}} service instance that contains the key that you want to grant access to.
- Enter identifying information about the key.
  - For Resource type, enter the word "key".
  - For Resource ID, enter the ID that was assigned to your key by the {{site.data.keyword.keymanagementserviceshort}} service.
- Choose a combination of platform and service access roles to assign access for the user.
- Click Add.
- Continue to add platform and service access roles as needed and when you are finished, click Assign.
{: caption="Figure 2. Shows how to grant user access to a key." caption-side="bottom"}
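The two console procedures above differ only in the resource attributes of the policy they create. The following added example (not part of the original documentation) builds the equivalent request body for the IAM Policy Management API (`POST /v1/policies`) at instance scope or key scope, and reports the scope of a policy so a grant can be checked before it is assigned. The helper names `build_policy` and `policy_scope` are hypothetical, and all IDs are constructed placeholders.

```python
import json
import uuid

SERVICE_NAME = "kms"  # IAM service name of Key Protect
ROLE_CRNS = {
    "Viewer": "crn:v1:bluemix:public:iam::::role:Viewer",         # platform role
    "Reader": "crn:v1:bluemix:public:iam::::serviceRole:Reader",  # service roles
    "Writer": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
    "Manager": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
}

def build_policy(iam_id, account_id, instance_id, roles, key_id=None):
    """Build a policy body scoped to one instance or, with key_id, to one key."""
    if not roles or any(r not in ROLE_CRNS for r in roles):
        raise ValueError(f"unsupported or empty role list: {roles!r}")
    attrs = [
        {"name": "accountId", "value": account_id},
        {"name": "serviceName", "value": SERVICE_NAME},
        {"name": "serviceInstance", "value": instance_id},
    ]
    if key_id is not None:
        uuid.UUID(key_id)  # key IDs are UUIDs; raises ValueError on a malformed ID
        attrs += [
            {"name": "resourceType", "value": "key"},  # console field "Resource type"
            {"name": "resource", "value": key_id},     # console field "Resource ID"
        ]
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": ROLE_CRNS[r]} for r in roles],
        "resources": [{"attributes": attrs}],
    }

def policy_scope(policy):
    """Report the narrowest scope that a policy's resource attributes pin it to."""
    attrs = {a["name"]: a["value"]
             for res in policy["resources"] for a in res["attributes"]}
    if attrs.get("resourceType") == "key" and attrs.get("resource"):
        return "key"
    if attrs.get("serviceInstance"):
        return "instance"
    return "service" if attrs.get("serviceName") else "account"

if __name__ == "__main__":
    # Constructed sample identifiers, not real account data.
    policy = build_policy("IBMid-0000000000", "0" * 32,
                          "11111111-2222-3333-4444-555555555555", ["Reader"],
                          key_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    print(policy_scope(policy))
    print(json.dumps(policy, indent=2))
```

A policy that reports `instance` when `key` was intended grants the role on every key in the instance, which is the mistake to catch before assigning it.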