Merge pull request #396 from cloud-docs/show-other-acct-auths
Show authorizations in other accounts
addison-martin1 authored and GitHub Enterprise committed Mar 25, 2022
2 parents be3e9e3 + 786558d commit d406e02
Showing 1 changed file with 65 additions and 12 deletions.
77 changes: 65 additions & 12 deletions iam-authorizations.md
Expand Up @@ -4,7 +4,7 @@ copyright:

years: 2017, 2022

lastupdated: "2022-03-04"
lastupdated: "2022-03-22"

keywords: authorizations, service to service access, access between services, dependent service, source service, target service, assigned access, access policies

Expand All @@ -20,11 +20,13 @@ subcollection: account
Use {{site.data.keyword.Bluemix}} Identity and Access Management (IAM) to create or remove an authorization that grants one service access to another service. Use authorization delegation to automatically create access policies that grant access to dependent services.
{: shortdesc}

Many of the capabilities of the IAM system are focused on managing and enforcing user and application access to {{site.data.keyword.Bluemix_notm}} resources. However, there might be other scenarios in which you need to provide one service with access to a user's resource in another service. This type of access is called an authorization.
Many of the capabilities of the IAM system are focused on managing and enforcing user and application access to {{site.data.keyword.Bluemix_notm}} resources. However, you might encounter other scenarios in which you need to provide one service with access to a user's resource in another service. This type of access is called an authorization.

In an authorization, the source service is the service that is granted access to the target service. The roles that you select define the level of access for the source service. The target service is the service that you are granting permission to be accessed by the source service based on the roles that you assign. A source service can be in the same account where the authorization is created or in another account. The target service is always in the account where the authorization is created. You can view whether the source service is located in the current account or another account by viewing the Source account column for the specific authorization on the [Authorizations](/iam/authorizations) page in the {{site.data.keyword.Bluemix}} console.

In some cases, you can authorize dependent services in addition to the source service. The source service that is enabled to access the target service depends on another service. The dependent service must be assigned access to complete the workflow. Review the following example to understand how the relationship between the source, target, and dependent services works.

As an example, you might have an {{site.data.keyword.ibmwatson}} service that relies on an instance of {{site.data.keyword.cos_full_notm}} to store data. When you enable an authorization between your {{site.data.keyword.ibmwatson_notm}} service and {{site.data.keyword.keymanagementservicelong}} service, there might be a need for the {{site.data.keyword.cos_short}} instance to access a key in the user's {{site.data.keyword.keymanagementserviceshort}} instance. So, while the authorization is between your {{site.data.keyword.ibmwatson_notm}} service and {{site.data.keyword.keymanagementserviceshort}} service, the {{site.data.keyword.cos_short}} service is also given access as a dependent service of the {{site.data.keyword.ibmwatson_notm}} service. By selecting the option to enable authorizations for dependent services, you don't need to take any additional action because the policies are automatically created for the dependent services.
As an example, you might have an {{site.data.keyword.ibmwatson}} service that relies on an instance of {{site.data.keyword.cos_full_notm}} to store data. When you enable an authorization between your {{site.data.keyword.ibmwatson_notm}} service and {{site.data.keyword.keymanagementservicelong}} service, you might need the {{site.data.keyword.cos_short}} instance to access a key in the user's {{site.data.keyword.keymanagementserviceshort}} instance. So, while the authorization is between your {{site.data.keyword.ibmwatson_notm}} service and {{site.data.keyword.keymanagementserviceshort}} service, the {{site.data.keyword.cos_short}} service is also given access as a dependent service of the {{site.data.keyword.ibmwatson_notm}} service. By selecting the option to enable authorizations for dependent services, you don't need to take any additional action because the policies are automatically created for the dependent services.

The source service's dependent services might be in the source service's account, which means that they are not visible to you in your account. However, any access policies that are created by the source service for its dependent services are always visible to you. You can tell which authorizations a user created or a source service that is created by checking the Type column for the specific authorization on the Authorizations page.
{: tip}
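Review bot: the unchanged context line near the end of this hunk, "You can tell which authorizations a user created or a source service that is created by checking the Type column", is ungrammatical, and since this commit already reworks the surrounding paragraphs it is the right place to fix it; suggest "You can tell whether an authorization was created by a user or by a source service by checking the Type column for the specific authorization on the Authorizations page." The paragraph about the Source account column also reads "You can view whether ... by viewing the Source account column"; "You can check whether the source service is in the current account or another account by looking at the Source account column" avoids the repetition. The two edited sentences ("you might encounter other scenarios", "you might need the ... instance to access a key") are improvements and can stay as written.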
Expand All @@ -38,11 +40,17 @@ You must have access to the target service to create an authorization between se

1. In the {{site.data.keyword.Bluemix_notm}} console, click **Manage** > **Access (IAM)**, and select **Authorizations**.
2. Click **Create**.
3. Select a source service and specify whether you want the authorization to be for all instances or only a specific instance in the account or instances only in a certain resource group.
4. Select a target service and specify whether you want the authorization to be for all instances or only a specific instance in the account or instances only in a certain resource group.
5. Optional: Select **Enable authorization to be delegated** to allow the source service to delegate its access to any dependent services. This option is displayed only if the source service has dependent services. By selecting this option, policies are automatically created by the source service for the dependent services.
6. Select a role to assign access to the source service that accesses the target service.
7. Click **Authorize**.
3. Select a source account.
* If the source service that needs access to the target service is in this account, select **This account**.
* If the source service that needs access to the target service is in a different account, select **Other account**. Then, enter the account ID of the source account.
4. Specify whether you want the authorization to be for all instances, only a specific instance in the account, or instances only in a certain resource group.
5. Select a target service and specify whether you want the authorization to be for all instances, only a specific instance in the account, or instances only in a certain resource group.
6. Optional: Select **Enable authorization to be delegated** to allow the source service to delegate its access to any dependent services. This option is displayed only if the source service has dependent services. By selecting this option, policies are automatically created by the source service for the dependent services.
7. Select a role to assign access to the source service that accesses the target service.
8. Click **Authorize**.

If you create an authorization between a service in another account and a target service in your current account, you need to have access only to the target resource. For the source account, you need only the account number. 
{: note}

## Creating an authorization by using the CLI
{: #auth-cli}
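Review bot: the renumbered procedure in this hunk drops the instruction to select the source service. The removed step 3 read "Select a source service and specify whether you want the authorization to be for all instances ...", but the new step 3 is "Select a source account" and the new step 4 starts directly with "Specify whether you want the authorization to be for all instances ...", so the reader is never told to choose the source service before scoping it. Suggest prefixing step 4 with the dropped clause, "Select a source service and specify whether ...", so it mirrors step 5 for the target service. Two smaller points in the same hunk: step 3 says "enter the account ID of the source account" while the new note says "you need only the account number"; pick one term (the rest of the page uses account ID) so the reader knows which value the field expects. The note line also carries trailing whitespace after "account number."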
Expand All @@ -52,20 +60,65 @@ To authorize a source service access a target service, run the `ibmcloud iam aut

The following sample uses mock data to create a policy where a specific source service instance of {{site.data.keyword.cos_full_notm}} is authorized to access a specific target service instance of {{site.data.keyword.keymanagementservicelong_notm}}:

```bash
```sh
ibmcloud iam authorization-policy-create cloud-object-storage kms Reader --source-service-instance-id 123123 --target-service-instance-id 456456
```
{: codeblock}

For more information about all of the parameters that are available for this command, see [ibmcloud iam authorization-policy-create](/docs/cli?topic=cli-ibmcloud_commands_iam#ibmcloud_iam_authorization_policy_create).

## Creating an authorization by using Terraform
{: #auth-terra}
{: terraform}

You must have access to the target service to create an authorization between services. You can grant only the level of access that you have as a user of the target service. For example, if you have viewer access on the target service, you can assign only the viewer role for the authorization.

Use the following steps to create an authorization between services by using Terraform.

1. To install the Terraform CLI and configure the {{site.data.keyword.cloud_notm}} Provider plug-in for Terraform, follow the tutorial for [Getting started with Terraform on {{site.data.keyword.cloud}}](/docs/ibm-cloud-provider-for-terraform?topic=ibm-cloud-provider-for-terraform-getting-started). The plug-in abstracts the {{site.data.keyword.cloud_notm}} APIs that are used to complete this task.

2. Create a Terraform configuration file that is named `main.tf`. In this file, you add the configuration to create an authorization between services by using HashiCorp Configuration Language. For more information, see the [Terraform documentation](https://www.terraform.io/docs/language/index.html){: external}.

The following example creates an authorization between services by using the `ibm_iam_authorization_policy` resource.

```terraform
resource "ibm_iam_authorization_policy" "policy" {
source_service_name = "cloud-object-storage"
target_service_name = "kms"
roles = ["Reader"]
}
```
{: codeblock}

3. Initialize the Terraform CLI.

```terraform
terraform init
```
{: pre}

4. Create a Terraform execution plan. The Terraform execution plan summarizes all the actions that need to be run to create the authorization between services.

```terraform
terraform plan
```
{: pre}

5. Create the authorization between services.

```terraform
terraform apply
```
{: pre}


## Creating an authorization by using the API
{: #auth-api}
{: api}

To authorize a source service access to a target service, use the [IAM Policy Management API](/apidocs/iam-policy-management#create-a-policy). See the following API example for Create a policy method with the `type=authorization` specified.

The supported attributes for creating an authorization policy depend on what each service supports. For more information about the supported attributes for each service, refer to the documentation for the services that you're using.
The supported attributes for creating an authorization policy depend on what each service supports. For more information about the supported attributes for each service, see the documentation for the services that you're using.
{: note}

```bash
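Review bot: the unchanged context line at the top of this hunk, "To authorize a source service access a target service, run the `ibmcloud iam authorization-policy-create` command", is missing "to" before "access"; the identical wording is corrected later in this same commit (in the removal section), so correct it here as well. The fence change from ```bash to ```sh for the CLI sample is fine, but the three Terraform command blocks (`terraform init`, `terraform plan`, `terraform apply`) are tagged ```terraform even though they are shell commands rather than HCL; tag them ```sh for consistency with the CLI samples, and reserve ```terraform for the `ibm_iam_authorization_policy` resource block.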
Expand Down Expand Up @@ -417,10 +470,10 @@ If the source service is removed from the account, any policies that are created

You can remove any authorization between services in the account if you are assigned the Administrator role on the target service. If you remove any access policies created by the source service for its dependent services, the source service is unable to complete the workflow or access the target service.

To authorize a source service access a target service, run the `ibmcloud iam authorization-policy-create` command.
To authorize a source service to access a target service, run the `ibmcloud iam authorization-policy-create` command.

The following sample deletes an authorization policy:
```bash
```sh
ibmcloud iam authorization-policy-delete 12345678-abcd-1a2b-a1b2-1234567890ab
```
{: codeblock}
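Review bot: the edited line in this hunk still tells the reader to run `ibmcloud iam authorization-policy-create`, but it sits in the removal section (the hunk header context is "If the source service is removed from the account, any policies that are created ...") directly above "The following sample deletes an authorization policy:" and an `ibmcloud iam authorization-policy-delete` example. The grammar fix ("to access") is right, but the command name looks like a copy-paste from the creation section; suggest "To remove an authorization between services, run the `ibmcloud iam authorization-policy-delete` command."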