LinuxCommandLibrary

ibmcloud-login

Log in to IBM Cloud

TLDR

Log in by using an interactive prompt

$ ibmcloud login
copy

Log in to a specific API endpoint (default is cloud.ibm.com)
$ ibmcloud login -a [api_endpoint]
copy

Log in by providing username, password and the targeted region as parameters
$ ibmcloud login -u [username] -p [password] -r [us-south]
copy

Log in with an API key, passing it as an argument
$ ibmcloud login --apikey [api_key_string]
copy

Log in with an API key, passing it as a file
$ ibmcloud login --apikey @[path/to/api_key_file]
copy

Log in with a federated ID (single sign-on)
$ ibmcloud login --sso
copy

SYNOPSIS

ibmcloud login [--apikey API_KEY | -u API_KEY] [--sso] [--origin IDENTITY_PROVIDER] [--sso-url SSO_URL] [--profile PROFILE_NAME] [--client-id CLIENT_ID] [--api API_ENDPOINT | -a API_ENDPOINT] [--region REGION | -r REGION] [--account ACCOUNT_ID] [--resource-group RESOURCE_GROUP | -g RESOURCE_GROUP] [--no-all-account-commands] [--skip-ssl-validation] [-h | --help]

PARAMETERS

--apikey API_KEY | -u API_KEY
    Authenticates using a provided IBM Cloud API key. Ideal for automation.

--sso
    Initiates a Single Sign-On (SSO) login flow, prompting for a browser-based authentication.

--origin IDENTITY_PROVIDER
    Specifies the identity provider for SSO, e.g., ibmid, github.

--sso-url SSO_URL
    Specifies a custom SSO URL, typically used for private or custom identity configurations.

--profile PROFILE_NAME
    Uses a named authentication profile from your IBM Cloud CLI configuration.

--client-id CLIENT_ID
    Specifies the client ID for OAuth flows, typically used in advanced scenarios.

--api API_ENDPOINT | -a API_ENDPOINT
    Specifies the IBM Cloud API endpoint URL to connect to, e.g., https://cloud.ibm.com.

--region REGION | -r REGION
    Targets a specific IBM Cloud region after successful login (e.g., us-south).

--account ACCOUNT_ID
    Targets a specific account ID if you have access to multiple accounts.

--resource-group RESOURCE_GROUP | -g RESOURCE_GROUP
    Targets a specific resource group after successful login.

--no-all-account-commands
    Prevents listing commands that apply to all accounts, streamlining command output.

--skip-ssl-validation
    Skips SSL certificate validation. Use with extreme caution and only in non-production environments.

-h | --help
    Displays help information for the login command.

DESCRIPTION

The `ibmcloud login` command is the primary method for authenticating the IBM Cloud Command Line Interface (CLI) session. It establishes a secure connection to the IBM Cloud environment, allowing users to interact with and manage their resources. Upon successful login, the CLI stores an authentication token, enabling subsequent commands to be executed without requiring re-authentication until the token expires. This command supports various authentication methods, including interactive login with a username and password, API key-based authentication for automation, and single sign-on (SSO) for enterprise environments. It's crucial for setting up the context for all subsequent IBM Cloud CLI operations.

CAVEATS

The literal command name for logging into IBM Cloud is ibmcloud login (with a space), not ibmcloud-login (with a hyphen). If ibmcloud-login is used, it likely refers to a custom script or alias.
Using --skip-ssl-validation is highly discouraged in production environments due to significant security risks.
Storing API keys directly in scripts or command history is not recommended. Consider using environment variables, secure vaults, or IBM Cloud CLI profiles for better security practices.
Authentication tokens obtained via login have an expiration period, after which re-authentication is required.

DEFAULT API ENDPOINT

The default API endpoint for IBM Cloud is https://cloud.ibm.com. If you are operating in a private cloud environment or a specialized deployment, you may need to explicitly specify the correct endpoint using the --api option.

ENVIRONMENT VARIABLE CONFIGURATION

Many login parameters can be configured using environment variables, which can be useful for scripting and automation without exposing sensitive information directly on the command line. Examples include IC_API_KEY, IC_API_ENDPOINT, and IC_REGION.

POST-LOGIN TARGETING

After successfully logging in, it's often necessary to set your target account, region, resource group, or Cloud Foundry organization/space using the ibmcloud target command. This ensures that subsequent CLI commands operate within the correct context.

HISTORY

The ibmcloud CLI has evolved significantly since its inception, succeeding older CLIs like the bluemix (bx) CLI. The ibmcloud login command has been the cornerstone of user authentication since its introduction, providing a unified and consistent way to access IBM Cloud resources. Over time, new authentication methods like API key support, enhanced SSO options, and profile management have been integrated to accommodate diverse user needs and automation requirements, continuously improving security and usability.

SEE ALSO

ibmcloud logout(1), ibmcloud target(1), ibmcloud account(1), ibmcloud iam(1), ibmcloud config(1)

Copied to clipboard