Security
October 10, 2017 By Deanna Brown 4 min read

Introducing IBM Cloud IAM Service IDs and API Keys

IBM Cloud Identity & Access Management (IAM) enables you to securely authenticate users and control access to all cloud resources consistently on the IBM Bluemix Platform.  Starting in September 2017, you can authenticate your applications or services by using service IDs.

What is a Service ID?

A service ID is an identity that can be used by an application or service. Imagine that a group of developers work on an application together. The application needs the ability to call APIs of several services in the IBM Bluemix Platform. None of the developers would wish to use their personal identities and API keys to access those services from the shared application as that would expose their personal credentials to their co-developers. The developers may also wish to use a credential that has access only to the services needed by the application rather than using a credential that authenticates them as a user who has broader access. Service IDs are ideal for this purpose. The developers can create a service ID and an API key that can be used to authenticate as the service ID. They can then grant the service ID access to only the services the application requires, and then use the service ID’s API key from the application to authenticate as the service ID.

Why use Service IDs?

  • Users can keep their personal credentials private

  • The service ID can be granted access only to the minimum set of services required; loss of the API key would not give access to everything the user has access to

  • Each application can have its own service ID and API key, allowing for easy rotation of one key without impacting other applications or users

  • If desired, a unique key can be used for each service so that an untrusted service cannot gain access to other resources

  • Since service IDs are not tied to a specific user, if a user leaves an organization and is deleted from the account, the service ID remains ensuring that your application or service stays up and running

How do I use Service IDs and API Keys?

To create a service ID, navigate to Manage->Security->Identity & Access. Then, select Service IDs from the left navigation menu.

 

Click Create. You’ll be prompted to give the Service ID a name and description. Choose values that will be meaningful to you and will help you identify what you use this service ID for when working in the UI.

Once you click Create, your service ID is displayed. 

In order for this service ID to have permissions to call APIs, you need to assign a policy to it. 

After you have assigned a policy to the service ID to give it permission to call APIs, you must create at least one API key for the service ID to enable an application to authenticate as this identity. In the Actions menu for the service ID, select Manage service ID. 

On the Manage Service ID page under the API keys section, click Create. 

You are prompted to give the API key a name and description. Again, choose a name and description that will help you remember what the key is used for. 

The key is generated and you can select to download it in a file or show it on the screen, which will allow you to cut and paste it into your application. You must save the key at this time because you cannot display it again. If you lose the key, you will need to delete that key and create a new one. 

The API key should be protected as you would protect a password. Anyone who obtains the API key can perform any action or access any resource that the service ID’s policies allow. It is recommended that API keys be rotated at regular intervals. To rotate your key, create a new API key, modify your application to use the new key, and then delete the old API key. It is possible for one service ID to have multiple active API keys, which enables you to rotate keys without disruption.

From the application, you can now use the POST /oidc/token call to exchange the API key for a temporary token that will be used for API calls. It is also possible to use the API key directly in API calls, but it is strongly recommended for better security that you use a token to reduce the chances of anyone learning your API key.

To learn more

Was this article helpful?
YesNo
Deanna Brown
Distinguished Engineer

More from Security
July 16, 2024

How a US bank modernized its mainframe applications with IBM Consulting and Microsoft Azure

9 min read - As organizations strive to stay ahead of the curve in today's fast-paced digital landscape, mainframe application modernization has emerged as a critical component of any digital transformation strategy. In this blog, we'll discuss the example of a US bank which embarked on a journey to modernize its mainframe applications. This strategic project has helped it to transform into a more modern, flexible and agile business. In looking at the ways in which it approached the problem, you’ll gain insights into…

July 16, 2024

The power of the mainframe and cloud-native applications 

4 min read - Mainframe modernization refers to the process of transforming legacy mainframe systems, applications and infrastructure to align with modern technology and business standards. This process unlocks the power of mainframe systems, enabling organizations to use their existing investments in mainframe technology and capitalize on the benefits of modernization. By modernizing mainframe systems, organizations can improve agility, increase efficiency, reduce costs, and enhance customer experience.  Mainframe modernization empowers organizations to harness the latest technologies and tools, such as cloud computing, artificial intelligence,…

July 16, 2024

Modernize your mainframe applications with Azure

4 min read - Mainframes continue to play a vital role in many businesses' core operations. According to new research from IBM's Institute for Business Value, a significant 7 out of 10 IT executives believe that mainframe-based applications are crucial to their business and technology strategies. However, the rapid pace of digital transformation is forcing companies to modernize across their IT landscape, and as the pace of innovation continuously accelerates, organizations must react and adapt to these changes or risk being left behind. Mainframe…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters