ibmcloud-iam
Manage IBM Cloud IAM resources
TLDR
List service IDs in an account
List all API keys for a service ID
Create an API key for a service ID with a description and without confirmation
List all actions available under this command
SYNOPSIS
ibmcloud iam <subcommand> [<options>] [<arguments>]
Common subcommands include:
ibmcloud iam access-groups [<subcommand>]
ibmcloud iam users [<subcommand>]
ibmcloud iam policies [<subcommand>]
ibmcloud iam service-ids [<subcommand>]
ibmcloud iam service-api-keys [<subcommand>]
ibmcloud iam roles [<subcommand>]
PARAMETERS
access-groups
Manages IAM access groups for efficient policy assignment to multiple users or service IDs.
users
Administers user accounts, allowing invitation, listing, and disabling of users within the IBM Cloud account.
policies
Handles the creation, viewing, updating, and deletion of IAM policies that define resource access permissions.
service-ids
Manages service IDs, which are identities for applications or services accessing IBM Cloud resources.
service-api-keys
Manages API keys associated with service IDs, used for programmatic authentication and access.
roles
Lists available IBM Cloud IAM roles and provides details about their permissions and scope.
DESCRIPTION
The ibmcloud-iam command, invoked as ibmcloud iam, is a plugin for the IBM Cloud CLI for managing Identity and Access Management (IAM) resources. It lets administrators and users control programmatically who has access to which resources within their IBM Cloud account. This includes managing users: inviting new users, disabling existing ones, and assigning roles. It also covers creating and managing access groups to streamline permission assignments, defining policies that grant specific permissions to users or service IDs, and handling service IDs and their associated API keys for non-human applications or services. The plugin integrates directly with the IBM Cloud IAM service, ensuring consistent and secure access control across all cloud resources. It is an essential tool for automating IAM workflows and maintaining a robust security posture in IBM Cloud environments.
CAVEATS
The ibmcloud-iam plugin must be installed separately after the main ibmcloud CLI.
Requires appropriate IAM permissions within the IBM Cloud account to perform actions (e.g., Administrator role on IAM services for most management tasks).
Many commands require specific resource IDs (e.g., user ID, access group ID, policy ID), which often need to be retrieved first via list commands.
Output formats can vary; using --output JSON is often recommended for scripting.
PERMISSIONS MODEL
IBM Cloud IAM operates on an attribute-based access control (ABAC) model, where access is granted based on attributes of the user, resource, and environment. Policies are defined with subjects (who), roles (what they can do), and resources (where they can do it).
BEST PRACTICES
It is recommended to use access groups for managing permissions to reduce complexity. Assign the least privilege necessary for users and service IDs. Regularly review and audit IAM policies and user access to maintain a strong security posture.
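An added example (not part of the ibmcloud CLI or of IBM's documentation) that applies the recommendations above to policy documents: it flags policies whose subject is an individual identity rather than an access group, and policies that grant a broad role with no resource attribute beyond the account. The sample policies are constructed, and the field names (subjects, roles, resources, display_name, access_group_id, accountId) and the set of roles treated as broad are assumptions to check against real --output JSON data.

```python
import json

# Constructed sample shaped like IAM policy documents (subject, role and
# resource attribute lists). Field names are assumptions; compare them with
# real `--output JSON` output before use.
SAMPLE = json.loads("""[
 {"id": "p1",
  "subjects": [{"attributes": [{"name": "access_group_id", "value": "AccessGroupId-demo"}]}],
  "roles": [{"display_name": "Viewer"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "acct-demo"},
                                {"name": "serviceName", "value": "cloud-object-storage"}]}]},
 {"id": "p2",
  "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-demo"}]}],
  "roles": [{"display_name": "Editor"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "acct-demo"},
                                {"name": "serviceName", "value": "kms"}]}]},
 {"id": "p3",
  "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-demo"}]}],
  "roles": [{"display_name": "Administrator"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "acct-demo"}]}]}
]""")

SCOPE_ONLY = {"accountId"}  # attributes that do not narrow access inside the account
BROAD_ROLES = {"Administrator", "Manager"}  # assumption: roles treated as broad


def attr_names(blocks):
    """Collect attribute names from a list of subject or resource blocks."""
    return {a["name"] for b in blocks for a in b.get("attributes", [])}


def audit(policies):
    """Return (policy id, finding) pairs for the two best-practice checks."""
    findings = []
    for p in policies:
        roles = {r.get("display_name") for r in p.get("roles", [])}
        # Check 1: subject is an individual identity, not an access group.
        if "access_group_id" not in attr_names(p.get("subjects", [])):
            findings.append((p["id"], "direct-subject"))
        # Check 2: broad role with no resource attribute beyond the account.
        if roles & BROAD_ROLES and attr_names(p.get("resources", [])) <= SCOPE_ONLY:
            findings.append((p["id"], "account-wide-broad-role"))
    return findings


if __name__ == "__main__":
    for pid, finding in audit(SAMPLE):
        print(pid, finding)
```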
HISTORY
The ibmcloud-iam plugin evolved as IBM Cloud transitioned from legacy Cloud Foundry-based access control to a unified, global IAM system. Initially, access management was fragmented, tied closely to Cloud Foundry organizations and spaces. With the introduction of the global IAM service, the ibmcloud CLI integrated this new system through the ibmcloud-iam plugin, providing a centralized and consistent way to manage access across all IBM Cloud resources, including IaaS, PaaS, and various services. Its development reflects the industry trend towards robust, fine-grained access control mechanisms to meet modern security and compliance demands.
SEE ALSO
ibmcloud login, ibmcloud account, ibmcloud resource, ibmcloud target, gcloud iam(1), aws iam(1)


