| copyright | lastupdated | keywords | subcollection | content-type | completion-time | ||
|---|---|---|---|---|---|---|---|
|
2020-12-01 |
getting started, account, Subscription, Pay-As-You-Go, enterprise, catalog, upgrade account, IAM, access groups, invite users, notifications, email preferences, account settings, MFA, authetication, TOTP, U2F, FIDO U2F, security key |
account |
tutorial |
60m |
{:shortdesc: .shortdesc} {:codeblock: .codeblock} {:screen: .screen} {:tip: .tip} {:note: .note} {:important: .important} {:external: target="_blank" .external} {:step: data-tutorial-type='step'}
{: #account-getting-started} {: toc-content-type="tutorial"} {: toc-completion-time="60m"}
This tutorial walks you through the steps for setting up an account in {{site.data.keyword.cloud}}. By completing this tutorial, you learn how to set up account authentication, manage your account settings, effectively organize resources in your account, and control access to resources. {:shortdesc}
This tutorial focuses on how to set up a Pay-As-You-Go account. If you're looking for details about setting up accounts in an enterprise hierarchy, see Setting up an enterprise. {: tip}
{: #account-gs-createlite} {: step}
First, create a Lite account by using your existing IBMid or a new IBMid. If your company is registered to use a federated ID for single sign-on (SSO), you can use your federated ID instead.
| Login ID | Details |
|---|---|
| Existing IBMid | If you already have an IBMid, sign up for {{site.data.keyword.Bluemix_notm}} with your existing credentials that you use for other {{site.data.keyword.IBM}} products and services. |
| New IBMid | If you don't yet have an IBMid, you'll create one when you sign up. With an IBMid, you can use one username to log in to all {{site.data.keyword.IBM_notm}} products and services, including {{site.data.keyword.Bluemix_notm}}. |
| Federated ID | If your company already requested to register the user credentials from your company's domain with {{site.data.keyword.IBM_notm}}, you can sign up for {{site.data.keyword.Bluemix_notm}} by using the credentials that you already use for your company's login. You must enter a phone number when you sign up. |
| {:caption="Table 1. ID options for creating a Lite account" caption-side="top"} |
{: #signup-ibmid}
If you're not a part of a company that uses a federated ID, use your IBMid to create your Lite account.
- Go to the {{site.data.keyword.Bluemix_notm}} login page{: external}, and click Create an {{site.data.keyword.Bluemix_notm}} account.
- Enter your IBMid email address. If you don't have an existing IBMid, an ID is created based on the email that you enter.
- Complete the remaining fields with your information, and click Create account.
- Confirm your account by clicking the link in the confirmation email that's sent to your provided email address.
{: #signup-federated}
A federated ID is an ID within a company's domain that is registered with {{site.data.keyword.IBM_notm}} so that the domain and user credentials can be used to access {{site.data.keyword.IBM_notm}} web applications. You can sign up for {{site.data.keyword.Bluemix_notm}} with a federated ID only if your company is already registered with {{site.data.keyword.IBM_notm}}. Registering a company's domain with {{site.data.keyword.IBM_notm}} enables users to log in to {{site.data.keyword.IBM_notm}} products and services by using their existing company user credentials. Authentication is then handled by your company's identity provider through single sign-on (SSO).
{{site.data.keyword.IBM_notm}} uses the Security Assertion Markup Language 2.0 (SAML 2.0) for this identity federation. SAML 2.0 is a standard version for exchanging authentication data between security domains. It's an XML-based protocol that uses a security token that contains assertions to pass information between the organizations "Identity Provider", and the "{{site.data.keyword.IBM_notm}} Rely Party (RP)", otherwise known as the Service Provider.
For information about how to register your company for a federated ID, see the IBMid Enterprise Federation Adoption Guide{: external}. An {{site.data.keyword.IBM_notm}} sponsor, such as an offering advocate or client advocate, is required when you request to register federated IDs.
{: #account-gs-upgrade} {: step}
Upgrade your Lite account to a Pay-As-You-Go account to access the full {{site.data.keyword.cloud_notm}} catalog.
- Click Manage > Account.
- Select Account settings, and click Add credit card.
- Enter your credit card information.
{: #account-gs-mfa} {: step}
By default, users in your account authenticate themselves by logging in with a username and password. To require users to use more secure authentication methods, complete the following steps to set up multifactor authentication (MFA).
Setting up MFA in your account affects all members of the account. This means that if users of your account are members of multiple {{site.data.keyword.cloud_notm}} accounts, they must enroll for MFA at their next login even if they don't intend to use resources in the secured account. {: important}
- Go to Manage > Access (IAM) > Settings.
- Update the current authentication setting by clicking Edit in the Authentication section.
- Select the type of MFA to enable in your account.
- MFA for users with an IBMid: Require users to authenticate by using an IBMid, password, and time-based one-time passcode (TOTP). You can enable this option for all users or just non-federated users.
- MFA for all users (IBMid & supported IdPs): Require users to authenticate by using one of the following MFA methods. This option applies to users who are using either an IBMid or an external identity provider (IdP).
- Email-based MFA: Users authenticate by using a security passcode that's sent via email.
- TOTP MFA: Users authenticate by using a TOTP.
- U2F MFA: Users authenticate by using a hardware security key that generates a six-digit numerical code. This method offers the highest level of security.
- Click Update.
After you set up MFA in your account, create a time-based one-time passcode (TOTP) with an authenticator app, such as {{site.data.keyword.IBM_notm}} Security Verify or Google Authenticator, that you use the next time you log in. All users in your account must also create a TOTP with an authenticator app before they can log in again.
- Log in with your IBMid and password.
It might take up to 5 minutes for you to be able to log in after MFA is enabled. {: note}
- Click Verify on the Verification is required screen to create a TOTP with an authenticator app.
- Click Setup your authenticator app.
- Use your app to scan the bar code, or select Can't scan the bar code? to enter the provided key.
{: #account-gs-estimate} {: step}
Complete the following steps to get an estimate of how much your usage might cost:
- Go to the catalog{: external}, and select Services.
- Select a service that you're interested in.
- Select a pricing plan, enter other configuration details if needed, and click Add to estimate.
By default, the estimator shows the pricing and billing currency for your location. Pricing can vary by region. If you're estimating costs for a different location, select the correct region to view accurate pricing.
- Add the calculated cost to your estimate by clicking Save.
- When you're done adding products to your estimate, click Review estimate to a detailed view of your estimate.
You can download a CSV, XSLX, or PDF of the estimate by clicking Download. {: tip}
{: #account-gs-invoicepayment} {: step}
Before you start working with resources in your account, familiarize yourself with where you can manage your payment method and access your invoices.
{: #account-gs-paymentdetails}
- To manage your payment method for an account that's billed in USD currency, go to Manage > Billing and usage, and select Payments.
- To manage your payment method for an account that's billed in non-USD currency, go to {{site.data.keyword.IBM_notm}} Billing{: external}.
{: #account-gs-invoicedetails}
- To access an invoice for an account that's billed in USD currency, go to Manage > Billing and usage, and select Invoices.
- To access an invoice for an account that's billed in non-USD currency, go to Manage > Billing and usage, and select Invoices. Then, click {{site.data.keyword.IBM_notm}} Invoices.
{: #account-gs-notifications} {: step}
Complete the following steps to set your preferences for receiving various types of notifications:
- To receive notifications about unplanned events, planned maintenance, announcements, go to the {{site.data.keyword.avatar}} icon
Profile and settings > Notifications.
- Platform notifications are associated with the {{site.data.keyword.cloud_notm}} platform and don't apply to events related to {{site.data.keyword.cloud_notm}} services. By default, all platform notifications are turned off.
- Infrastructure notifications apply only to the account in which the preferences are set. By default, all infrastructure notifications are turned on.
- To receive spending notifications, go to Manage > Billing and usage > Spending notifications. You receive notifications when you reach 80%, 90%, and 100% of the spending thresholds that you specify.
{: #account-gs-resourcegroups} {: step}
Resource groups provide a way for you to easily manage access to multiple resources and to view billage usage for a set of resources. With your Pay-As-You-Go account, you can create more resource groups in addition to the default resource group that's included when you first created your Lite account.
- Go to Manage > Account > Account resources > Resource groups.
- Click Create.
- Enter a name for your resource group, and click Add.
See What makes a good resource group strategy? for details about how to optimally organize resources in your resource groups.
{: #account-gs-accessgroups} {: step}
IAM access groups provide a way for you to quickly and easily assign access to multiple resources in your account at one time.
-
Create an access group.
-
Go to Manage > Access (IAM) > Access Groups.
-
Click Create.
-
Enter a name for your group, and click Create. For example, if you know multiple users in your account will need to be able to apply subscription codes, track usage, or perform other billed-related tasks, you might name your group
Billing-Editor-Access. -
Assign access to the group.
-
Click Access policies > Assign access.
-
Select the type of access to assign:
* **IAM services**: Assigns access to IAM-enabled services, which are services that are managed by using IAM access control and assigned to a resource group.
* **Account management services**: Assigns access to manage platform services, such as billing, license and entitlements, and enterprises.
- Select all roles that apply.
- Click Add > Assign.
See What is a good access group strategy? for details about how to best set up your access groups.
{: #account-gs-inviteusers} {: step}
You're ready to invite users to your account and grant them access based on the resources they will work with and the tasks they'll perform. If you want users to create resources from the catalog and assign the resources to a resource group, the following access is required:
- Viewer role or higher on the resource group.
- Editor or administrator role on the service.
Complete the following steps:
- Go to Manage > Access (IAM) > Users.
- Click Invite users.
- Specify the email address of the user. If you are inviting more than one user, they are all assigned the same access.
- Add the user to one or more of the access groups that you created in the previous step.
- Click Invite.
{: #account-gs-supportcenter} {: step}
You can use the Support Center to get help with any issues that you might encounter. To access the Support Center, click Support in the console menu bar.
- The "Help just for you" section features links to common tasks, troubleshooting, and FAQs specific to the resources in your account.
- The "Featured FAQs" section provides FAQs related to platform tasks, for example, resetting your password, IAM, and upgrading your account.
- The "Contact support" section provides the options for getting in touch with a support representative: start a live chat, contact by phone, or create a support case.