---
lastupdated: "2024-05-30"
keywords: grant access, iam, iam access, assign access, access policy, key access
subcollection: hs-crypto
---

{{site.data.keyword.attribute-definition-list}}
# Granting access to keys
{: #grant-access-keys}

You can enable different levels of access to {{site.data.keyword.cloud}} {{site.data.keyword.hscrypto}} resources in your {{site.data.keyword.cloud_notm}} account by creating and modifying {{site.data.keyword.cloud_notm}} IAM access policies.
{: shortdesc}
As a service administrator or an account owner, determine an access policy type for users, service IDs, and access groups based on your internal access control requirements. For example, if you want to grant user access to {{site.data.keyword.hscrypto}} at the smallest scope available, you can assign access to a single key in an instance.
A good practice is to grant access permissions as you invite new users to your account or service. For example, consider the following guidelines:
- Enable user access to the resources in your account by assigning {{site.data.keyword.iamshort}} (IAM) roles. Rather than sharing your admin credentials, create new policies for users who need access to the encryption keys in your account. If you are the admin for your account, you are automatically assigned a Manager policy with access to all resources under the account.
- Grant roles and permissions at the smallest scope needed. For example, if a user needs to access only a high-level view of keys within a specified space, grant the Reader role to the user for that space.
- Regularly audit who can manage access control and delete key resources. Remember that granting a Manager role to a user means that the user can modify service policies for other users, in addition to destroying resources.
## Granting access at the instance level
{: #grant-access-instance-level}

You can grant access to keys within a {{site.data.keyword.hscrypto}} service instance by using the UI.

Review roles and permissions to learn how {{site.data.keyword.cloud_notm}} IAM roles map to {{site.data.keyword.hscrypto}} actions.
{: tip}
To assign access:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select the user, and click the Actions icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Access policy.
- Under Service, select Hyper Protect Crypto Services and click Next.
- Under Resources, select Specific resources.
- Select the Service Instance ID attribute type, enter the instance ID that you retrieved, and click Next.
- Under Roles and actions, choose a combination of platform and service access roles to assign access for the user and click Next.
- (Optional) Under Conditions, click Review to check the access policy.
- After confirmation, click Add > Assign.
## Granting access at the key level
{: #grant-access-key-level}

You can also assign access to a single key in a {{site.data.keyword.hscrypto}} service instance.

### Retrieve the key ID
{: #access-key-retrieve-ID}

Retrieve the unique identifier that is associated with the key that you want to grant someone access to.
To get the ID for a specific key, you can:
- Access the UI to browse the keys that are stored in your service instance.
- Use the {{site.data.keyword.hscrypto}} key management service API to retrieve a list of your keys, along with metadata about the keys.
### Create an access policy
{: #access-key-create-policy}

Use the retrieved key ID to create an access policy:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select the user, and click the Actions icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Access policy.
- Under Service, select Hyper Protect Crypto Services and click Next.
- Under Resources, select Specific resources.
- Select the Service Instance ID attribute type and enter the instance ID that you retrieved.
- Click Add a condition, enter the following identifying information about the key, and click Next:
  - Select Resource Type, and enter `key`.
  - Select Resource ID, and enter the ID that is assigned to your key by the {{site.data.keyword.hscrypto}} service.
- Under Roles and actions, choose a combination of platform and service access roles to assign access for the user and click Next.
- (Optional) Under Conditions, click Review to check the access policy.
- After confirmation, click Add > Assign.
## Granting access at the key ring level
{: #grant-access-key-ring-level}

A key ring is a collection of keys that are located within your service instance, and you can restrict access to a key ring through an IAM access policy. For more information on key rings, see Managing key rings.

You can grant access to key rings within a {{site.data.keyword.hscrypto}} instance by using the UI, the IAM API, or the IAM CLI.

Review roles and permissions to learn how {{site.data.keyword.cloud_notm}} IAM roles map to {{site.data.keyword.hscrypto}} actions.
{: tip}

### Assigning access to a key ring with the UI
{: #grant-access-key-ring-console}

To assign access to a key ring with the UI:
- From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.
- Select a table row, and click the Actions icon to open a list of options for that user.
- From the options menu, click Assign access.
- Click Access policy.
- Under Service, select Hyper Protect Crypto Services and click Next.
- Under Resources, select Specific resources.
- Select the Service Instance ID attribute type and enter the instance ID that you retrieved.
- Click Add a condition, select the Key Ring ID attribute to enter the ID associated with the key ring, and click Next.
- Under Roles and actions, choose a combination of platform and service access roles to assign access for the user and click Next.
- (Optional) Under Conditions, click Review to check the access policy.
- After confirmation, click Add > Assign.
You can also create an access policy through the IAM API or the IAM CLI.
{: note}
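For the API path mentioned above, the following added example (not code from the IBM documentation) builds the policy body for the three scopes this page walks through (whole instance, one key ring, one key) and adds the audit check recommended earlier: listing who holds the Manager role and at what scope. It assumes the IAM Policy Management API v1 body shape and the attribute names `serviceName`, `serviceInstance`, `keyRing`, `resourceType` and `resource`; every ID in it is a constructed placeholder.

```python
# Added example (not from the IBM docs): build IAM access-policy bodies for
# Hyper Protect Crypto Services at instance, key-ring and single-key scope and
# audit who holds Manager. Assumed: IAM Policy Management API v1 shape and the
# attribute names used here; all IDs are constructed placeholders.
SERVICE_NAME = "hs-crypto"
ROLE_CRN = {
    "Viewer": "crn:v1:bluemix:public:iam::::role:Viewer",  # platform role
    "Reader": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
    "Writer": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
    "Manager": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
}

def build_policy(iam_id, account_id, instance_id, roles, key_id=None, key_ring_id=None):
    """Policy scoped to the whole instance, one key ring, or one key."""
    if key_id and key_ring_id:
        raise ValueError("scope to either a key or a key ring, not both")
    unknown = set(roles) - set(ROLE_CRN)
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    attrs = [
        {"name": "accountId", "value": account_id},
        {"name": "serviceName", "value": SERVICE_NAME},
        {"name": "serviceInstance", "value": instance_id},
    ]
    if key_ring_id:  # key-ring scope: the Key Ring ID condition from the UI steps
        attrs.append({"name": "keyRing", "value": key_ring_id})
    if key_id:  # single-key scope: Resource Type = key, Resource ID = key ID
        attrs += [{"name": "resourceType", "value": "key"},
                  {"name": "resource", "value": key_id}]
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": ROLE_CRN[r]} for r in roles],
        "resources": [{"attributes": attrs}],
    }

def manager_subjects(policies):
    """Audit: (iam_id, scope) pairs that hold Manager on hs-crypto resources."""
    found = []
    for p in policies:
        attrs = {a["name"]: a["value"] for a in p["resources"][0]["attributes"]}
        if attrs.get("serviceName") != SERVICE_NAME:
            continue
        if not any(r["role_id"] == ROLE_CRN["Manager"] for r in p["roles"]):
            continue
        scope = "key" if "resource" in attrs else ("key-ring" if "keyRing" in attrs else "instance")
        found += [(a["value"], scope) for s in p["subjects"]
                  for a in s["attributes"] if a["name"] == "iam_id"]
    return found
```

Feed `build_policy` output to the policy creation endpoint with your own account and instance IDs; run `manager_subjects` over the policies you list from the API to review Manager grants as the guidelines above recommend.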