Commit

IMS release
enable classic infra
addison-martin1 committed Sep 16, 2021
1 parent 0fb73b6 commit bc223c6
Showing 1 changed file with 24 additions and 19 deletions.
43 changes: 24 additions & 19 deletions trustedprofile-create.md
Expand Up @@ -4,7 +4,7 @@ copyright:

years: 2021

lastupdated: "2021-09-09"
lastupdated: "2021-09-16"

keywords: trusted profile, identity and access management, federated users, compute resources, IAM trusted profile, trust relationship, establish trust, trust policy, trusted entity, assume access, apply access

Expand Down Expand Up @@ -51,22 +51,23 @@ Complete the following steps to define which federated users can access specific
1. Click **Create profile**.
1. Describe your profile by providing a name and a description, then click **Continue**.

In the description, provide a list of actions available for this trusted profile.
{: tip}
In the description, provide a list of actions available for this trusted profile.
{: tip}

1. (Optional) Establish trust.
1. Select **Federated users** as a trusted entity type from the list.
1. Select **Users federated by IBMid** or **Users federated by IBM Cloud AppID** as the authentication method and input the default identity prodiver (IdP) URL.
1. Add conditions based on your IdP data to define how and when federated users can apply the profile.
1. Select **Federated users** as a trusted entity type from the list.
1. Select **Users federated by IBMid** or **Users federated by IBM Cloud AppID** as the authentication method and input the default identity prodiver (IdP) URL.
1. Add conditions based on your IdP data to define how and when federated users can apply the profile.
* By clicking **Add a condition**, you can define multiple conditions. Federated users must meet all the conditions to be included in the trusted profile.
* Click **View identity provider (IdP) data** to search attribute names and values in your own personal data from your IdP. For more information, see [Using IdP data to build trusted profiles](/docs/account?topic=account-idp-integration#trusted-profiles-idp-data).
1. Define the session duration for how long a user can apply the profile before they must reauthenticate, and click **Continue**.
1. Define the session duration for how long a user can apply the profile before they must reauthenticate, and click **Continue**.
1. (Optional) Create access policy.
1. Based on your level of access, you can assign IAM policies and classic infrastructure permissions. Select **IAM services** or **Account management** to continue.
1. For **IAM services** and **Account management**, select the option for all resources or only specific resources based on attributes. Select any combination of roles and permissions to define the scope of access, and click **Add** > **Create**.

The Classic Infrastructure and Softlayer API is not currently enabled for users that log in to {{site.data.keyword.cloud_notm}} by applying a trusted profile. For more information, see [Troubleshooting account management](/docs/account?topic=account-troubleshoot-trusted-profile-classic).
{: important}
1. Based on your level of access, you can assign IAM policies and classic infrastructure permissions. Select **IAM services** or **Account management** to continue.
1. For **IAM services** and **Account management**, select the option for all resources or only specific resources based on attributes. Select any combination of roles and permissions to define the scope of access, and click **Add** > **Create**.
1. You can assign **Classic infrastructure** access by selecting a user, device, or service, then any combination of granular permissions.

You can assign only classic infrastructure access if your account is linked to a Softlayer account.
{: note}

## Establishing trust with compute resources
{: #create-profile-compute-ui}
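
Review bot: The new note under step 3 of "Create access policy" has a misplaced "only": "You can assign only classic infrastructure access if your account is linked to a Softlayer account" reads as if a linked account can assign nothing except classic infrastructure access. Suggest "You can assign classic infrastructure access only if your account is linked to a SoftLayer account" (the product name is capitalized SoftLayer). Step 1 of the same list still says to select **IAM services** or **Account management** to continue, so **Classic infrastructure** should be listed there too, otherwise the new step 3 has no entry point. The "Establish trust" sub-steps are re-indented in this hunk anyway, so "identity prodiver" can be corrected to "identity provider" in the same change. The removed important note linked to account-troubleshoot-trusted-profile-classic; please confirm whether that topic also needs an update now that the restriction text is gone from this page.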
Expand All @@ -81,16 +82,20 @@ Complete the following steps to set up better control over granting access to co
2. Click **Create profile**.
3. Describe your profile by providing a name and a description, and click **Continue**.
4. (Optional) Establish trust.
1. Select **Compute resources** and select a compute service type from the list.
2. If you select the option for **Any service resource**, you can define multiple conditions to filter resources for the selected compute service type by clicking **Add a condition**. These conditions are based on attributes, such as resource groups or location, and apply to all existing and future resources. Resources must meet all the conditions to be included in the trusted profile.
1. Select **Compute resources** and select a compute service type from the list.
2. If you select the option for **Any service resource**, you can define multiple conditions to filter resources for the selected compute service type by clicking **Add a condition**. These conditions are based on attributes, such as resource groups or location, and apply to all existing and future resources. Resources must meet all the conditions to be included in the trusted profile.

The Kubernetes namespace and service account names that you enter do not have to exist already. Any future namespaces or service accounts with these names can establish trust. To list existing namespaces, log in to your cluster and run `kubectl get ns`. To list existing service accounts, log in to your cluster and run `kubectl get sa -n <namespace>`.
{: note}
The Kubernetes namespace and service account names that you enter do not have to exist already. Any future namespaces or service accounts with these names can establish trust. To list existing namespaces, log in to your cluster and run `kubectl get ns`. To list existing service accounts, log in to your cluster and run `kubectl get sa -n <namespace>`.
{: note}

3. If you select **Specific resources**, you can establish trust with one or more existing compute resource instances. For example, a Kubernetes cluster.
3. If you select **Specific resources**, you can establish trust with one or more existing compute resource instances. For example, a Kubernetes cluster.
5. (Optional) Create an access policy.
1. Based on your level of access, you can assign IAM policies and classic infrastructure permissions. Select **IAM services** or **Account management** to continue.
2. For IAM services and account management services, select the option for all resources or only specific resources based on attributes. Select any combination of roles and permissions to define the scope of access, and click **Add** > **Create**.
1. Based on your level of access, you can assign IAM policies and classic infrastructure permissions. Select **IAM services** or **Account management** to continue.
2. For IAM services and account management services, select the option for all resources or only specific resources based on attributes. Select any combination of roles and permissions to define the scope of access, and click **Add** > **Create**.
3. You can assign **Classic infrastructure** access by selecting a user, device, or service, then any combination of granular permissions.

You can assign only classic infrastructure access if your account is linked to a Softlayer account.
{: note}

## Establishing trust with federated users by using the API
{: #create-profile-federated-api}
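
Review bot: New step 5.3 allows classic infrastructure permissions on a profile whose trust, per step 4.2 and its note, can cover "all existing and future resources" and Kubernetes namespaces or service accounts that "do not have to exist already", and nothing in the added text tells the reader that. Suggest one sentence in 5.3 recommending **Specific resources** or narrow conditions when classic infrastructure access is assigned, so granular classic permissions are not extended to resources created later under a matching name. Step 5.1 still offers only **IAM services** or **Account management**, so the Classic infrastructure option should be named there as well. The added note has the same misplaced "only" as in the federated users section; "You can assign classic infrastructure access only if your account is linked to a SoftLayer account" states the intended condition.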

0 comments on commit bc223c6
