IAM authentication

IAM authentication can be configured with operator parameters or application configuration.

The priority of the IAM authentication options is
  1. credentials operator parameter
  2. application configuration with a property called cos.creds (ignored if the option above is set)

In either case, IBM Cloud Object Storage Credentials must first be created.

How to create IBM Cloud Object Storage Credentials

Service credentials provide the information needed to connect an application to Object Storage, packaged as a JSON document. Service credentials are always associated with a Service ID, and a new Service ID can be created along with a new credential. Use the following steps to create a service credential:

  1. Log in to the IBM Cloud console and navigate to your instance of Object Storage.
  2. In the side navigation, click Service Credentials.
  3. Click New credential and provide the necessary information.
  4. Click Add to generate service credential.
  5. Click View credentials and copy the JSON to the clipboard (use this as the value of the credentials operator parameter).
This is an example of a service credential:

{
    "apikey": "0viPHOY7LbLNa9eLftrtHPpTjoGv6hbLD1QalRXikliJ",
    "endpoints": "https://cos-service.bluemix.net/endpoints",
    "iam_apikey_description": "Auto generated apikey during resource-key operation for Instance - crn:v1:bluemix:public:cloud-object-storage:global:a/3ag0e9402tyfd5d29761c3e97696b71n:d6f74k03-6k4f-4a82-b165-697354o63903::",
    "iam_apikey_name": "auto-generated-apikey-f9274b63-ef0b-4b4e-a00b-b3bf9023f9dd",
    "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
    "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/3ag0e9402tyfd5d29761c3e97696b71n::serviceid:ServiceId-540a4a41-7322-4fdd-a9e7-e0cb7ab760f9",
    "resource_instance_id": "crn:v1:bluemix:public:cloud-object-storage:global:a/3ag0e9402tyfd5d29761c3e97696b71n:d6f74k03-6k4f-4a82-b165-697354o63903::"
}

Authenticating with credentials operator parameter

For IBM COS service authentication, the credentials operator parameter should be used.

The parameter accepts the IBM Cloud Object Storage Credentials JSON obtained from the IBM Cloud Object Storage service. The operator reads the IAM credentials it requires from that JSON.

Authenticating with application configuration

With this option, users copy their IBM Cloud Object Storage Credentials JSON from the IBM Cloud Object Storage service and store it in an application configuration property called cos.creds. When the operator starts, it looks for that property and extracts the information needed to connect. The following steps outline how this is done:

  1. Create an application configuration called cos.
  2. Create a property in the cos application configuration named cos.creds.
    • The value of the property should be the raw IBM Cloud Object Storage Credentials JSON.
    • The value can be pasted from the clipboard if you have completed the How to create IBM Cloud Object Storage Credentials steps above.
  3. The operator automatically looks for an application configuration named cos and extracts the information needed to connect.
The following image is an example of an application configuration in Streams Console:

From the cos.creds JSON the operator extracts the apikey (IAMApiKey) and the resource_instance_id (IAMServiceInstanceId). The auth endpoint value (IAMTokenEndpoint) is derived from the endpoints URL provided in the service credentials: the operator retrieves the JSON document at that URL, reads the iam-token entry under identity-endpoints, and appends /oidc/token to it to construct the IAMTokenEndpoint. The retrieved document looks like this:

    {
        "identity-endpoints": {
            "iam-token": "iam.bluemix.net",
            "iam-policy": "iampap.bluemix.net"
        },
        ...
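The resolution described above (credentials parameter first, then the cos.creds property; then apikey, resource_instance_id and the iam-token entry turned into IAMTokenEndpoint), as an added example in Python. This is not the toolkit's own code: the sample credentials and endpoints document are constructed placeholders, and prefixing https:// to the bare iam-token host is an assumption, since the page shows only the host.

```python
import json
from urllib.parse import urlparse

# Constructed sample inputs (not real credentials): the operator parameter
# value (None = not set) and an application configuration named "cos".
CREDS_PARAM = None
COS_APP_CONFIG = {
    "cos.creds": json.dumps({
        "apikey": "EXAMPLE-APIKEY-PLACEHOLDER",
        "endpoints": "https://cos-service.bluemix.net/endpoints",
        "resource_instance_id": "crn:v1:bluemix:public:cloud-object-storage:global:a/EXAMPLE::",
    })
}
# Constructed stand-in for the JSON document served at the endpoints URL.
ENDPOINTS_DOC = {"identity-endpoints": {"iam-token": "iam.bluemix.net",
                                        "iam-policy": "iampap.bluemix.net"}}

def resolve_creds_json(param_value, app_config):
    """Apply the documented priority: operator parameter wins over cos.creds."""
    if param_value:
        return param_value
    value = (app_config or {}).get("cos.creds")
    if not value:
        raise ValueError("no IBM COS credentials: set the credentials parameter "
                         "or the cos.creds property of the 'cos' application configuration")
    return value

def derive_iam_settings(creds_json, endpoints_doc):
    """Extract IAMApiKey and IAMServiceInstanceId, and build IAMTokenEndpoint."""
    creds = json.loads(creds_json)
    missing = [k for k in ("apikey", "resource_instance_id", "endpoints") if k not in creds]
    if missing:
        raise ValueError(f"credentials JSON is missing fields: {missing}")
    iam_token = endpoints_doc["identity-endpoints"]["iam-token"]
    # The published iam-token value is a bare host; adding https:// is an assumption.
    if not urlparse(iam_token).scheme:
        iam_token = "https://" + iam_token
    return {
        "IAMApiKey": creds["apikey"],
        "IAMServiceInstanceId": creds["resource_instance_id"],
        "IAMTokenEndpoint": iam_token.rstrip("/") + "/oidc/token",
    }

def redact(settings):
    """Log-safe view of the derived settings: the API key never reaches logs."""
    return {k: ("***" if k == "IAMApiKey" else v) for k, v in settings.items()}

if __name__ == "__main__":
    s = derive_iam_settings(resolve_creds_json(CREDS_PARAM, COS_APP_CONFIG), ENDPOINTS_DOC)
    print(redact(s))
```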