Required IAM privileges for a service ID to update Code Engine app

Remember the steps

This blog post today is one of those written for me. In the past I stated a couple times that I use this blog to remember things. Today, it is about setting up IBM Cloud IAM privileges for a Service ID. That service ID needs to build a new container image, then update an existing Code Engine app.

IBM Cloud Identity and Access Management

Identity and Access Management, or IAM for short, has two big tasks: Authenticate or identify users of all kind and make sure they can only perform tasks and access resources they are supposed to do (authorization). In addition to regular users like you and I, there are also special technical users called Service ID and so-called Trusted Profiles. The latter are kind of abstract users with assigned privileges. Federated users (external users) and systems can morph into them based on clearly defined contexts.

All three, users, service IDs, trusted profiles, can have directly assigned privileges or indirectly have them through membership in access groups. The benefit of assigning privileges through a group (membership) is the easier management and only defining the set of privileges for roles, tasks, or situations only once.

IAM privileges to update Code Engine app

Having the right set of privileges would enable me to run a pipeline. The pipeline includes steps to build a new container image from updated code, push the image to my private container registry on IBM Cloud, and later update the Code Engine app. The idea is to use a service ID to not use a personal user ID and to follow best practices and use an access group to assign the privileges to the service ID. What is needed?

• Viewer role on resources limited to the resource group with the Code Engine project. That way, the resource group can be set and the project be seen.
• Operator and Writer roles for Container Registry, to be able to push a new container image.
• Operator and Writer roles for Code Engine, scoped to just the project, to be able to update the app.

After applying those privileges as access policies to the access group and adding the service ID in, I could run my pipeline with an API key for the service ID.

Conclusions

Not much is needed both in steps and privileges to enable a service ID to update a Code Engine app, even as part of a pipeline. Using my blog, I can now remember the (baby) steps to manage Code Engine and IBM Cloud account security.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.