copyright
years
2018
lastupdated 2018-11-16

{:new_window: target="_blank"} {:shortdesc: .shortdesc} {:tip: .tip}

Managing IAM access, API keys, service IDs, and access groups

{: #ibmcloud_commands_iam}

Use the following commands to manage API keys, service IDs, access groups, and access/authorization policies for users, services and access groups. {: shortdesc}

[ibmcloud iam service-ids](cli_api_policy.html#ibmcloud_iam_service_ids) [ibmcloud iam service-id](cli_api_policy.html#ibmcloud_iam_service_id) [ibmcloud iam service-id-create](cli_api_policy.html#ibmcloud_iam_service_id_create) [ibmcloud iam service-id-update](cli_api_policy.html#ibmcloud_iam_service_id_update) [ibmcloud iam service-id-delete](cli_api_policy.html#ibmcloud_iam_service_id_delete)
[ibmcloud iam service-id-lock](cli_api_policy.html#ibmcloud_iam_service_id_lock) [ibmcloud iam service-id-unlock](cli_api_policy.html#ibmcloud_iam_service_id_unlock) [ibmcloud iam api-keys](cli_api_policy.html#ibmcloud_iam_api_keys) [ibmcloud iam api-key-create](cli_api_policy.html#ibmcloud_iam_api_key_create) [ibmcloud iam api-key-delete](cli_api_policy.html#ibmcloud_iam_api_key_delete)
[ibmcloud iam api-key-update](cli_api_policy.html#ibmcloud_iam_api_key_update) [ibmcloud iam api-key-lock](cli_api_policy.html#ibmcloud_iam_api_key_lock) [ibmcloud iam api-key-unlock](cli_api_policy.html#ibmcloud_iam_api_key_unlock) [ibmcloud iam service-api-keys](cli_api_policy.html#ibmcloud_iam_service_api_keys) [ibmcloud iam service-api-key](cli_api_policy.html#ibmcloud_iam_service_api_key)
[ibmcloud iam service-api-key-create](cli_api_policy.html#ibmcloud_iam_service_api_key_create) [ibmcloud iam service-api-key-update](cli_api_policy.html#ibmcloud_iam_service_api_key_update) [ibmcloud iam service-api-key-delete](cli_api_policy.html#ibmcloud_iam_service_api_key_delete) [ibmcloud iam service-api-key-lock](cli_api_policy.html#ibmcloud_iam_service_api_key_lock) [ibmcloud iam service-api-key-unlock](cli_api_policy.html#ibmcloud_iam_service_api_key_unlock)
[ibmcloud iam service-policies](cli_api_policy.html#ibmcloud_iam_service_policies) [ibmcloud iam service-policy](cli_api_policy.html#ibmcloud_iam_service_policy) [ibmcloud iam service-policy-create](cli_api_policy.html#ibmcloud_iam_service_policy_create) [ibmcloud iam service-policy-update](cli_api_policy.html#ibmcloud_iam_service_policy_update) [ibmcloud iam service-policy-delete](cli_api_policy.html#ibmcloud_iam_service_policy_delete)
[ibmcloud iam user-policies](cli_api_policy.html#ibmcloud_iam_user_policies) [ibmcloud iam user-policy](cli_api_policy.html#ibmcloud_iam_user_policy) [ibmcloud iam user-policy-create](cli_api_policy.html#ibmcloud_iam_user_policy_create) [ibmcloud iam user-policy-update](cli_api_policy.html#ibmcloud_iam_user_policy_update) [ibmcloud iam user-policy-delete](cli_api_policy.html#ibmcloud_iam_user_policy_delete)
[ibmcloud iam oauth-tokens](cli_api_policy.html#ibmcloud_iam_oauth_tokens) [ibmcloud iam dedicated-id-disconnect](cli_api_policy.html#ibmcloud_iam_dedicated_id_disconnect) [ibmcloud iam authorization-policy-create](cli_api_policy.html#ibmcloud_iam_authorization_policy_create) [ibmcloud iam authorization-policy-delete](cli_api_policy.html#ibmcloud_iam_authorization_policy_delete) [ibmcloud iam authorization-policy](cli_api_policy.html#ibmcloud_iam_authorization_policy)
[ibmcloud iam authorization-policies](cli_api_policy.html#ibmcloud_iam_authorization_policies) [ibmcloud iam access-groups](cli_api_policy.html#ibmcloud_iam_access_groups) [ibmcloud iam access-group](cli_api_policy.html#ibmcloud_iam_access_group) [ibmcloud iam access-group-create](cli_api_policy.html#ibmcloud_iam_access_group_create) [ibmcloud iam access-group-update](cli_api_policy.html#ibmcloud_iam_access_group_update)
[ibmcloud iam access-group-delete](cli_api_policy.html#ibmcloud_iam_access_group_delete) [ibmcloud iam access-group-users](cli_api_policy.html#ibmcloud_iam_access_group_users) [ibmcloud iam access-group-user-add](cli_api_policy.html#ibmcloud_iam_access_group_user_add) [ibmcloud iam access-group-user-remove](cli_api_policy.html#ibmcloud_iam_access_group_user_remove) [ibmcloud iam access-group-user-purge](cli_api_policy.html#ibmcloud_iam_access_group_user_purge)
[ibmcloud iam access-group-service-ids](cli_api_policy.html#ibmcloud_iam_access_group_service_ids) [ibmcloud iam access-group-service-id-add](cli_api_policy.html#ibmcloud_iam_access_group_service_id_add) [ibmcloud iam access-group-service-id-remove](cli_api_policy.html#ibmcloud_iam_access_group_service_id_remove) [ibmcloud iam access-group-service-id-purge](cli_api_policy.html#ibmcloud_iam_access_group_service_id_purge) [ibmcloud iam access-group-policies](cli_api_policy.html#ibmcloud_iam_access_group_policies)
[ibmcloud iam access-group-policy](cli_api_policy.html#ibmcloud_iam_access_group_policy) [ibmcloud iam access-group-policy-create](cli_api_policy.html#ibmcloud_iam_access_group_policy_create) [ibmcloud iam access-group-policy-update](cli_api_policy.html#ibmcloud_iam_access_group_policy_update) [ibmcloud iam access-group-policy-delete](cli_api_policy.html#ibmcloud_iam_access_group_policy_delete)

ibmcloud iam service-ids

{: #ibmcloud_iam_service_ids}

List all service IDs

ibmcloud iam service-ids [--uuid]

Prerequisites: Endpoint, Login, Target

Command Options:

--uuid
Show UUID of service IDs only

Examples:

List UUID of all service IDs under current account

ibmcloud iam service-ids --uuid

ibmcloud iam service-id

{: #ibmcloud_iam_service_id}

Display details of a service ID

ibmcloud iam service-id (NAME|UUID) [--uuid]

Prerequisites: Endpoint, Login, Target

Command Options:

NAME (required)
Name of the service, exclusive with UUID
UUID (required)
UUID of the service, exclusive with NAME
--uuid
Display the UUID of the service ID

Examples:

Show details of service ID sample-test

ibmcloud iam service-id sample-test

Show details of service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-id ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-id-create

{: #ibmcloud_iam_service_id_create}

Create a service ID

ibmcloud iam service-id-create NAME [-d, --description DESCRIPTION] [--lock]

Prerequisites: Endpoint, Login, Target

Command Options:

NAME (required)
Name of the service
-d, --description
Description of the service ID
--lock
Lock the service ID when being created

Examples:

Create a service ID with service name sample-test and description hello, world!

ibmcloud iam service-id-create sample-test -d 'hello, world!'

Create a locked service ID with service name sample-test and description hello, world!

ibmcloud iam service-id-create sample-test -d 'hello, world!' --lock

ibmcloud iam service-id-update

{: #ibmcloud_iam_service_id_update}

Update a service ID

ibmcloud iam service-id-update (NAME|UUID) [-n, --name NEW_NAME] [-d, --description DESCRIPTION] [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

NAME (required)
Name of the service, exclusive with UUID
UUID (required)
UUID of the service, exclusive with NAME
-n, --name
New name of the service
-d, --description
New description of the service
-f, --force
Update without confirmation

Examples:

Rename service ID sample-test to sample-test-2 without confirmation

ibmcloud iam service-id-update sample-test -n sample-test-2 -f

Update description of service sample-test

ibmcloud iam service-id-update sample-test -d 'hello, friend!'

Rename service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 to sample-test-3 with new description

ibmcloud iam service-id-update ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 -n sample-test-3 -d 'hello, my friends!'

ibmcloud iam service-id-delete

{: #ibmcloud_iam_service_id_delete}

Delete a service ID

ibmcloud iam service-id-delete (NAME|UUID) [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

NAME (required)
Name of the service, exclusive with UUID
UUID (required)
UUID of the service, exclusive with NAME
-f, --force
Delete without confirmation

Examples:

Delete service ID sample-test without confirmation

ibmcloud iam service-id-delete sample-test -f

Delete service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-id-delete ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-id-lock

{: #ibmcloud_iam_service_id_lock}

Lock a service ID

ibmcloud iam service-id-lock (NAME|UUID) [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

NAME (required)
Name of the service, exclusive with UUID
UUID (required)
UUID of the service, exclusive with NAME
-f, --force
Lock without confirmation

Examples:

Lock service ID sample-test without confirmation

ibmcloud iam service-id-lock sample-test -f

Lock service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-id-lock ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-id-unlock

{: #ibmcloud_iam_service_id_unlock}

Unlock a service ID

ibmcloud iam service-id-unlock (NAME|UUID) [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

NAME (required)
Name of the service, exclusive with UUID
UUID (required)
UUID of the service, exclusive with NAME
-f, --force
Unlock without confirmation

Examples:

Unlock service ID sample-test without confirmation

ibmcloud iam service-id-unlock sample-test -f

Unlock service ID ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-id-unlock ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam api-keys

{: #ibmcloud_iam_api_keys}

List all {{site.data.keyword.Bluemix_notm}} platform API keys

ibmcloud iam api-keys

Prerequisites: Endpoint, Login

ibmcloud iam api-key-create

{: #ibmcloud_iam_api_key_create}

Create a new {{site.data.keyword.Bluemix_notm}} platform API key

ibmcloud iam api-key-create NAME [-d DESCRIPTION] [--file FILE] [--lock]

Prerequisites: Endpoint, Login

Command options:

NAME (required)
Name of the API key to be created.
-d DESCRIPTION (optional)
Description of the API key
--file FILE
Save API key information to the specified file.
--lock
Lock the API key when being created

Examples:

Create an API key and save to a file

ibmcloud iam api-key-create MyKey -d "this is my API key" --file key_file

Create a locked API key with name "test-key"

ibmcloud iam api-key-create test-key --lock

ibmcloud iam api-key-update

{: #ibmcloud_iam_api_key_update}

Update a {{site.data.keyword.Bluemix_notm}} platform API key

ibmcloud iam api-key-update (NAME|UUID) [-n name] [-d description]

Prerequisites: Endpoint, Login

Command options:

NAME (required)
The old name of the API key to be updated, exclusive with UUID
UUID (required)
The UUID of the API key to be updated, exclusive with NAME
-n NAME (optional)
The new name of the API key
-d DESCRIPTION (optional)
The new description of the API key

Examples:

Update the description of an API key:

ibmcloud iam api-key-update MyKey -d "the new description of my key"

ibmcloud iam api-key-delete

{: #ibmcloud_iam_api_key_delete}

Delete a {{site.data.keyword.Bluemix_notm}} platform API key

ibmcloud iam api-key-delete (NAME|UUID) [-f, --force]

Prerequisites: Endpoint, Login

Command options:

NAME (required)
Name of the API key to be deleted, exclusive with UUID
UUID (required)
UUID of the API key to be deleted, exclusive with NAME
-f, --force
Force deletion without confirmation.

ibmcloud iam api-key-lock

{: #ibmcloud_iam_api_key_lock}

Lock a platform API key

ibmcloud iam api-key-lock (NAME|UUID) [-f, --force]

Prerequisites: Endpoint, Login

Command options:

NAME (required)
Name of the API key to be locked, exclusive with UUID
UUID (required)
UUID of the API key to be locked, exclusive with NAME
-f, --force
Force lock without confirmation.

Examples:

Lock API key test-api-key

ibmcloud iam api-key-lock test-api-key

Lock API key with given UUID without confirmation

ibmcloud iam api-key-lock ApiKey-18f773b0-db53-43f1-ad68-92c667c218fe --force

ibmcloud iam api-key-unlock

{: #ibmcloud_iam_api_key_unlock}

Unlock a platform API key

ibmcloud iam api-key-unlock (NAME|UUID) [-f, --force]

Prerequisites: Endpoint, Login

Command options:

NAME (required)
Name of the API key to be unlocked, exclusive with UUID
UUID (required)
UUID of the API key to be unlocked, exclusive with NAME
-f, --force
Force unlock without confirmation.

Examples:

Unlock API key test-api-key

ibmcloud iam api-key-unlock test-api-key

Unlock API key with given UUID without confirmation

ibmcloud iam api-key-unlock ApiKey-18f773b0-db53-43f1-ad68-92c667c218fe --force

ibmcloud iam service-api-keys

{: #ibmcloud_iam_service_api_keys}

List all API keys of a service

ibmcloud iam service-api-keys (SERVICE_ID_NAME|SERVICE_ID_UUID) [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME
-f, --force
Display service API keys without confirmation

Examples:

List all API keys of service sample-service:

ibmcloud iam service-api-keys sample-service

ibmcloud iam service-api-key

{: #ibmcloud_iam_service_api_key}

List details of a service API key

ibmcloud iam service-api-key (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID) [--uuid] [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

APIKEY_NAME (required)
Name of the API key, exclusive with APIKEY_UUID
APIKEY_UUID (required)
UUID of the API key, exclusive with APIKEY_NAME
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME
--uuid
Display the UUID of service API key
-f, --force
Display service API key without confirmation

Examples:

Show details of service API key sample-key of service sample-service:

ibmcloud iam service-api-key sample-key sample-service

ibmcloud iam service-api-key-create

{: #ibmcloud_iam_service_api_key_create}

Create a service API key

ibmcloud iam service-api-key-create NAME (SERVICE_ID_NAME|SERVICE_ID_UUID) [-d, --description DESCRIPTION] [--file FILE] [-f, --force] [--lock]

Prerequisites: Endpoint, Login, Target

Command Options:

NAME (required)
Name of the service ID or newly created service API key
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME
-d, --description
Description of the API key
--file
Save API key information to the specified file.
-f, --force
Force creation without confirmation

Examples:

Create a service API key sample-key for service sample-service without confirmation:

ibmcloud iam service-api-key-create sample-key sample-service -f
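
The service ID and service API key commands above, combined into one provisioning step (an added example, not part of the original page or the IBM Cloud CLI). The function name `provision_service_key` and the description text are assumptions; the `ibmcloud` sub-commands and flags are the ones documented on this page. The service ID is locked last so that the key is created before the lock is applied.

```shell
#!/usr/bin/env bash
# provision_service_key SERVICE_ID_NAME KEY_NAME KEY_FILE
# (hypothetical helper; only the ibmcloud sub-commands and flags come from
# this page)
#
#   1. create the service ID
#   2. create a locked API key for it and save it to KEY_FILE
#   3. lock the service ID itself
provision_service_key() {
  local service_id="$1" key_name="$2" key_file="$3"

  if [ -z "$service_id" ] || [ -z "$key_name" ] || [ -z "$key_file" ]; then
    echo "usage: provision_service_key SERVICE_ID_NAME KEY_NAME KEY_FILE" >&2
    return 2
  fi

  # Never clobber an existing key file: it may hold the only copy of a key.
  if [ -e "$key_file" ]; then
    echo "refusing to overwrite existing key file: $key_file" >&2
    return 1
  fi

  (
    # Subshell so the stricter umask does not leak into the caller.
    # With umask 077 the key file is created without group/other access.
    umask 077
    ibmcloud iam service-id-create "$service_id" -d "provisioned for automation" &&
    ibmcloud iam service-api-key-create "$key_name" "$service_id" \
      --file "$key_file" --lock -f &&
    ibmcloud iam service-id-lock "$service_id" -f
  ) || return 1

  # Enforce owner-only permissions even if the file was written with a wider
  # mode; this also fails (non-zero) if no key file was produced.
  chmod 600 "$key_file"
}
```
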

ibmcloud iam service-api-key-update

{: #ibmcloud_iam_service_api_key_update}

Update a service API key

ibmcloud iam service-api-key-update (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID)  [-n, --name NEW_NAME] [-d, --description DESCRIPTION] [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

APIKEY_NAME (required)
Name of the API key, exclusive with APIKEY_UUID
APIKEY_UUID (required)
UUID of the API key, exclusive with APIKEY_NAME
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME
-n, --name
New name of the service API key
-d, --description
New description of the service API key
-f, --force
Update without confirmation

Examples:

Rename service API key sample-key to new-sample-key:

ibmcloud iam service-api-key-update sample-key sample-service -n new-sample-key

ibmcloud iam service-api-key-delete

{: #ibmcloud_iam_service_api_key_delete}

Delete a service API key

ibmcloud iam service-api-key-delete (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID) [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

APIKEY_NAME (required)
Name of the API key, exclusive with APIKEY_UUID
APIKEY_UUID (required)
UUID of the API key, exclusive with APIKEY_NAME
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME
-f, --force
Delete without confirmation

Examples:

Delete service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-delete sample-key sample-service

ibmcloud iam service-api-key-lock

{: #ibmcloud_iam_service_api_key_lock}

Lock a service API key

ibmcloud iam service-api-key-lock (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID) [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

APIKEY_NAME (required)
Name of the API key, exclusive with APIKEY_UUID
APIKEY_UUID (required)
UUID of the API key, exclusive with APIKEY_NAME
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME
-f, --force
Lock without confirmation

Examples:

Lock service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-lock sample-key sample-service

ibmcloud iam service-api-key-unlock

{: #ibmcloud_iam_service_api_key_unlock}

Unlock a service API key

ibmcloud iam service-api-key-unlock (APIKEY_NAME|APIKEY_UUID) (SERVICE_ID_NAME|SERVICE_ID_UUID) [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

APIKEY_NAME (required)
Name of the API key, exclusive with APIKEY_UUID
APIKEY_UUID (required)
UUID of the API key, exclusive with APIKEY_NAME
SERVICE_ID_NAME (required)
Name of the service ID, exclusive with SERVICE_ID_UUID
SERVICE_ID_UUID (required)
UUID of the service ID, exclusive with SERVICE_ID_NAME
-f, --force
Unlock without confirmation

Examples:

Unlock service API key sample-key of service ID sample-service:

ibmcloud iam service-api-key-unlock sample-key sample-service

ibmcloud iam user-policies

{: #ibmcloud_iam_user_policies}

List policies of a user

ibmcloud iam user-policies USER_NAME

Prerequisites: Endpoint, Login, Account Targeted

Command options:

USER_NAME (required)
User name to whom the policies belong

Examples:

List policies of user name@example.com:

ibmcloud iam user-policies name@example.com

ibmcloud iam user-policy

{: #ibmcloud_iam_user_policy}

Display details of a user policy

ibmcloud iam user-policy USER_NAME POLICY_ID

Prerequisites: Endpoint, Login, Account Targeted

Command options:

USER_NAME (required)
User name to whom the policy belongs
POLICY_ID (required)
ID of the policy

Examples:

List policy 0bb730daa of user name@example.com:

ibmcloud iam user-policy name@example.com 0bb730daa

ibmcloud iam user-policy-create

{: #ibmcloud_iam_user_policy_create}

Create a user policy

ibmcloud iam user-policy-create USER_NAME {--file JSON_FILE | --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]}

Prerequisites: Endpoint, Login, Account Targeted

Command options:

USER_NAME (required)
User name to whom the policy belongs
--file FILE (optional)
JSON file of policy definition
--roles ROLE_NAME1,ROLE_NAME2... (optional)
Role names of the policy definition. For supported roles of a specific service, run 'ibmcloud iam roles --service SERVICE_NAME'. This option is exclusive with '--file'.
--service-name SERVICE_NAME (optional)
Service name of the policy definition. This is exclusive with '--file' flag.
--service-instance SERVICE_INSTANCE_GUID (optional)
GUID of service instance of the policy definition. This is exclusive with '--file' flag.
--region REGION (optional)
Region of the policy definition. This is exclusive with '--file' flag.
--resource-type RESOURCE_TYPE (optional)
Resource type of the policy definition. This is exclusive with '--file' flag.
--resource RESOURCE (optional)
Resource of the policy definition. This is exclusive with '--file' flag.
--resource-group-name RESOURCE_GROUP_NAME (optional)
Name of the resource group. This is exclusive with '--file', '--resource' and '--resource-group-id' flags.
--resource-group-id RESOURCE_GROUP_ID (optional)
ID of the resource group. This is exclusive with '--file', '--resource' and '--resource-group-name' flags.

Examples:

Create user policy for user name@example.com from policy JSON file policy.json:

ibmcloud iam user-policy-create name@example.com --file @policy.json

Give name@example.com Administrator role for all sample-service resources:

ibmcloud iam user-policy-create name@example.com --roles Administrator --service-name sample-service

Give name@example.com Editor role for resource key123 of sample service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam user-policy-create name@example.com --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south --resource-type key --resource key123

Give name@example.com Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-create name@example.com --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Give name@example.com Viewer role for the members of resource group sample-resource-group:

ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-group-name sample-resource-group

Give name@example.com Viewer role for the members of resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-create name@example.com --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6
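
The exclusivity rules in the option list above, written as a pre-flight check that can run before a policy command is issued from a script or pipeline (an added example, not part of the original page or the IBM Cloud CLI). The function names `check_policy_flags` and `user_policy_create_checked` are assumptions; the flags and their exclusivity rules are taken from this page.

```shell
#!/usr/bin/env bash
# check_policy_flags OPTION...
# Lint the option part of an `ibmcloud iam user-policy-create USER_NAME ...`
# call against the rules documented above. Prints each violation to stderr
# and returns the number of violations (0 means the combination is allowed).
check_policy_flags() {
  local file=0 roles=0 resource=0 rg_name=0 rg_id=0 inline="" errors=0 arg

  for arg in "$@"; do
    case "$arg" in
      --file)                file=1 ;;
      --roles)               roles=1;    inline="$inline $arg" ;;
      --resource)            resource=1; inline="$inline $arg" ;;
      --resource-group-name) rg_name=1;  inline="$inline $arg" ;;
      --resource-group-id)   rg_id=1;    inline="$inline $arg" ;;
      --service-name|--service-instance|--region|--resource-type)
                             inline="$inline $arg" ;;
    esac
  done

  # --file is exclusive with every inline policy flag.
  if [ "$file" -eq 1 ] && [ -n "$inline" ]; then
    echo "--file cannot be combined with:$inline" >&2
    errors=$((errors + 1))
  fi
  # The synopsis requires one of the two forms: --file or --roles.
  if [ "$file" -eq 0 ] && [ "$roles" -eq 0 ]; then
    echo "either --file or --roles is required" >&2
    errors=$((errors + 1))
  fi
  # The two resource-group selectors exclude each other.
  if [ "$rg_name" -eq 1 ] && [ "$rg_id" -eq 1 ]; then
    echo "--resource-group-name and --resource-group-id are exclusive" >&2
    errors=$((errors + 1))
  fi
  # Either resource-group selector excludes --resource.
  if [ "$resource" -eq 1 ] && [ $((rg_name + rg_id)) -gt 0 ]; then
    echo "--resource cannot be combined with a resource-group flag" >&2
    errors=$((errors + 1))
  fi

  return "$errors"
}

# user_policy_create_checked USER_NAME OPTION...
# Runs the real command only when the option combination passes the check.
user_policy_create_checked() {
  local user="$1"
  shift
  check_policy_flags "$@" || return 1
  ibmcloud iam user-policy-create "$user" "$@"
}
```
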

ibmcloud iam user-policy-update

{: #ibmcloud_iam_user_policy_update}

Update a user policy

ibmcloud iam user-policy-update USER_NAME POLICY_ID {--file JSON_FILE | [--roles ROLE_NAME1,ROLE_NAME2...] [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]}

Prerequisites: Endpoint, Login, Account Targeted

Command options:

USER_NAME (required)
User name to whom the policy belongs
POLICY_ID (required)
ID of the policy to update
--file FILE (optional)
JSON file of policy definition
--roles ROLE_NAME1,ROLE_NAME2... (optional)
Role names of the policy definition. For supported roles of a specific service, run 'ibmcloud iam roles --service SERVICE_NAME'. This option is exclusive with '--file'.
--service-name SERVICE_NAME (optional)
Service name of the policy definition. This is exclusive with '--file' flag.
--service-instance SERVICE_INSTANCE_GUID (optional)
GUID of service instance of the policy definition. This is exclusive with '--file' flag.
--region REGION (optional)
Region of the policy definition. This is exclusive with '--file' flag.
--resource-type RESOURCE_TYPE (optional)
Resource type of the policy definition. This is exclusive with '--file' flag.
--resource RESOURCE (optional)
Resource of the policy definition. This is exclusive with '--file' flag.
--resource-group-name RESOURCE_GROUP_NAME (optional)
Name of the resource group. This is exclusive with '--file', '--resource' and '--resource-group-id' flags.
--resource-group-id RESOURCE_GROUP_ID (optional)
ID of the resource group. This is exclusive with '--file', '--resource' and '--resource-group-name' flags.

Examples:

Update user policy with the one in JSON file:

ibmcloud iam user-policy-update name@example.com 0bb730daa --file @policy.json

Update user policy to give name@example.com Administrator role for all sample-service resources:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Administrator --service-name sample-service

Update user policy to give name@example.com Editor role for resource key123 of sample service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south --resource-type key --resource key123

Update user policy to give name@example.com Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Update user policy to give name@example.com Viewer role for members of resource group sample-resource-group:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Viewer --resource-group-name sample-resource-group

Update user policy to give name@example.com Viewer role for members of resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-update name@example.com user-policy-id --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6

ibmcloud iam user-policy-delete

{: #ibmcloud_iam_user_policy_delete}

Delete a user policy

ibmcloud iam user-policy-delete USER_ID POLICY_ID [-f, --force]

Prerequisites: Endpoint, Login, Account Targeted

Command Options:

-f, --force
Delete user policy without confirmation

Examples:

Delete policy user-policy-id of user name@example.com:

ibmcloud iam user-policy-delete name@example.com user-policy-id

Delete policy user-policy-id of user name@example.com without confirmation:

ibmcloud iam user-policy-delete name@example.com user-policy-id -f

ibmcloud iam service-policies

{: #ibmcloud_iam_service_policies}

List all service policies of specified service

ibmcloud iam service-policies SERVICE_ID [--output FORMAT] [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

SERVICE_ID (required)
Name or UUID of service ID
--output FORMAT (optional)
Specify service policies output format, only JSON is supported now.
-f, --force (optional)
Display service policies without confirmation

Examples:

List policies of service test:

ibmcloud iam service-policies test

List policies of service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policies ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-policy

{: #ibmcloud_iam_service_policy}

Display details of a service policy

ibmcloud iam service-policy SERVICE_ID POLICY_ID [--output FORMAT] [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

SERVICE_ID (required)
Name or UUID of service ID
POLICY_ID (required)
ID of the service policy
--output FORMAT (optional)
Specify service policy output format, only JSON is supported now.
-f, --force (optional)
Display service policy without confirmation

Examples:

Show policy 140798e2-8ea7db3 of service test:

ibmcloud iam service-policy test 140798e2-8ea7db3

Show policy 140798e2-8ea7db3 of service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policy ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 140798e2-8ea7db3

ibmcloud iam service-policy-create

{: #ibmcloud_iam_service_policy_create}

Create a service policy

ibmcloud iam service-policy-create SERVICE_ID {--file JSON_FILE | -r, --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]} [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

SERVICE_ID (required)
Name or UUID of service ID
--file
JSON file of policy definition. This is exclusive with '-r, --roles', '--service-name', '--service-instance', '--region', '--resource-type', '--resource', '--resource-group-name' and '--resource-group-id' flags.
-r, --roles
Role names of the policy definition. For supported roles of a specific service, run 'ibmcloud iam roles --service SERVICE_NAME'. This option is exclusive with '--file'.
--service-name
Service name of the policy definition. This is exclusive with '--file' flag.
--service-instance SERVICE_INSTANCE_GUID
GUID of service instance of the policy definition. This is exclusive with '--file' flag.
--region
Region of the policy definition. This is exclusive with '--file' flag.
--resource-type
Resource type of the policy definition. This is exclusive with '--file' flag.
--resource
Resource of the policy definition. This is exclusive with '--file' flag.
--resource-group-name
Name of the resource group. This option is exclusive with '--file' and '--resource-group-id'.
--resource-group-id
ID of the resource group. This option is exclusive with '--file' and '--resource-group-name'.
-f, --force
Create service policy without confirmation

Examples:

Create service policy from JSON file for service test:

ibmcloud iam service-policy-create test --file @policy.json

Create service policy from JSON file for service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policy-create ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 --file @policy.json

ibmcloud iam service-policy-update

{: #ibmcloud_iam_service_policy_update}

Update a service policy

ibmcloud iam service-policy-update SERVICE_ID POLICY_ID {--file JSON_FILE | [-r, --roles ROLE_NAME1,ROLE_NAME2...] [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]} [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

SERVICE_ID (required)
Name or UUID of service ID
POLICY_ID (required)
ID of the service policy
--file
JSON file of policy definition. This is exclusive with '-r, --roles', '--service-name', '--service-instance', '--region', '--resource-type', '--resource', '--resource-group-name' and '--resource-group-id' flags.
-r, --roles
Role names of the policy definition. For supported roles of a specific service, run 'ibmcloud iam roles --service SERVICE_NAME'. This option is exclusive with '--file'.
--service-name
Service name of the policy definition. This is exclusive with '--file' flag.
--service-instance SERVICE_INSTANCE_GUID
GUID of service instance of the policy definition. This is exclusive with '--file' flag.
--region
Region of the policy definition. This is exclusive with '--file' flag.
--resource-type
Resource type of the policy definition. This is exclusive with '--file' flag.
--resource
Resource of the policy definition. This is exclusive with '--file' flag.
--resource-group-name
Name of the resource group. This option is exclusive with '--file' and '--resource-group-id'.
--resource-group-id
ID of the resource group. This option is exclusive with '--file' and '--resource-group-name'.
-f, --force
Update service policy without confirmation

Examples:

Update service policy 140798e2-8ea7db3 from JSON file for service test:

ibmcloud iam service-policy-update test 140798e2-8ea7db3 --file @policy.json

Update service policy 140798e2-8ea7db3 from JSON file for service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976:

ibmcloud iam service-policy-update ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 140798e2-8ea7db3 --file @policy.json

ibmcloud iam service-policy-delete

{: #ibmcloud_iam_service_policy_delete}

Delete a service policy

ibmcloud iam service-policy-delete SERVICE_ID POLICY_ID [-f, --force]

Prerequisites: Endpoint, Login, Target

Command Options:

SERVICE_ID (required)
Name or UUID of service ID
POLICY_ID (required)
ID of the service policy
-f, --force
Delete without confirmation

Examples:

Delete policy 140798e2-8ea7db3 of service test

ibmcloud iam service-policy-delete test 140798e2-8ea7db3

Delete policy 140798e2-8ea7db3 of service ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976

ibmcloud iam service-policy-delete ServiceId-cb258cb9-8de3-4ac0-9aec-b2b2d27ac976 140798e2-8ea7db3

ibmcloud iam oauth-tokens

{: #ibmcloud_iam_oauth_tokens}

Retrieve and display the OAuth tokens for the current session

ibmcloud iam oauth-tokens

Prerequisites: Login, Target

Command Options:

Examples:

Refresh and display OAuth tokens

ibmcloud iam oauth-tokens

ibmcloud iam dedicated-id-disconnect

{: #ibmcloud_iam_dedicated_id_disconnect}

Disconnect the public IBMid from the dedicated non-IBMid

ibmcloud iam dedicated-id-disconnect [-f, --force]

Prerequisites: Login, Target

Command Options:

-f, --force
Force disconnect without confirmation

ibmcloud iam authorization-policy-create

{: #ibmcloud_iam_authorization_policy_create}

Create an authorization policy to allow a service instance access to another service instance.

ibmcloud iam authorization-policy-create SOURCE_SERVICE_NAME TARGET_SERVICE_NAME ROLE_NAME1,ROLE_NAME2... [--source-service-instance SOURCE_SERVICE_INSTANCE_NAME] [--target-service-instance TARGET_SERVICE_INSTANCE_NAME]

Prerequisites: Login, Target

Command Options:

SOURCE_SERVICE_NAME
Source service that can be authorized to access.
TARGET_SERVICE_NAME
Target service that the source service can be authorized to access.
ROLE_NAME1,ROLE_NAME2...
The roles that provide access for the source service.
--source-service-instance SOURCE_SERVICE_INSTANCE_NAME
Source service instance name. If not specified, all instances of the source service will be authorized to access.
--target-service-instance TARGET_SERVICE_INSTANCE_NAME
Target service instance name. If not specified, all instances of the target service will be authorized to access.

ibmcloud iam authorization-policy-delete

{: #ibmcloud_iam_authorization_policy_delete}

Delete an authorization policy.

ibmcloud iam authorization-policy-delete AUTHORIZATION_POLICY_ID [-f, --force]

Prerequisites: Login, Target

Command Options:

AUTHORIZATION_POLICY_ID
ID of authorization policy to be deleted.
-f, --force
Force delete without confirmation.

ibmcloud iam authorization-policy

{: #ibmcloud_iam_authorization_policy}

Show details of an authorization policy.

ibmcloud iam authorization-policy AUTHORIZATION_POLICY_ID

Prerequisites: Login, Target

Command Options:

AUTHORIZATION_POLICY_ID
ID of authorization policy to show.

ibmcloud iam authorization-policies

{: #ibmcloud_iam_authorization_policies}

List authorization policies under the current account.

ibmcloud iam authorization-policies

Prerequisites: Login, Target

ibmcloud iam access-groups

{: #ibmcloud_iam_access_groups}

List access groups under current account

ibmcloud iam access-groups [-u USER_NAME | -s SERVICE_ID_NAME]

Prerequisites: Endpoint, Login

Command Options:

-u
List access groups the user belongs to. This flag is exclusive with '-s'.
-s
List access groups the service ID belongs to. This flag is exclusive with '-u'.

Examples:

List all access groups:

ibmcloud iam access-groups

ibmcloud iam access-group

{: #ibmcloud_iam_access_group}

Show details of an access group

ibmcloud iam access-group GROUP_NAME [--id]

Prerequisites: Endpoint, Login

Command Options:

--id
Show ID only

Examples:

Show details of access group example_group:

ibmcloud iam access-group example_group

ibmcloud iam access-group-create

{: #ibmcloud_iam_access_group_create}

Create an access group

ibmcloud iam access-group-create GROUP_NAME [-d, --description DESCRIPTION]

Prerequisites: Endpoint, Login

Command Options:

-d, --description
Description of access group

Examples:

Create an access group example_group:

ibmcloud iam access-group-create example_group -d "example access group"

ibmcloud iam access-group-update

{: #ibmcloud_iam_access_group_update}

Update an access group

ibmcloud iam access-group-update GROUP_NAME [-n, --name NEW_NAME] [-d, --description NEW_DESCRIPTION] [-f, --force]

Prerequisites: Endpoint, Login

Command Options:

-n, --name
New access group name
-d, --description
New description
-f, --force
Force update without confirmation

Examples:

Rename access group example_group to hello_world_group:

ibmcloud iam access-group-update example_group --name "hello_world_group"

ibmcloud iam access-group-delete

{: #ibmcloud_iam_access_group_delete}

Delete an access group

ibmcloud iam access-group-delete GROUP_NAME [-f, --force] [-r, --recursive]

Prerequisites: Endpoint, Login

Command Options:

-f, --force
Force deletion without confirmation
-r, --recursive
Delete access group and its members

Examples:

Delete access group example_group:

ibmcloud iam access-group-delete example_group --force

ibmcloud iam access-group-users

{: #ibmcloud_iam_access_group_users}

List users in an access group

ibmcloud iam access-group-users GROUP_NAME

Prerequisites: Endpoint, Login

Command Options:

Examples:

List all users in access group example_group:

ibmcloud iam access-group-users example_group

ibmcloud iam access-group-user-add

{: #ibmcloud_iam_access_group_user_add}

Add user(s) to an access group

ibmcloud iam access-group-user-add GROUP_NAME USER_NAME [USER_NAME2...]

Prerequisites: Endpoint, Login

Command Options:

Examples:

Add user name@example.com to access group example_group:

ibmcloud iam access-group-user-add example_group name@example.com

ibmcloud iam access-group-user-remove

{: #ibmcloud_iam_access_group_user_remove}

Remove a user from an access group

ibmcloud iam access-group-user-remove GROUP_NAME USER_NAME

Prerequisites: Endpoint, Login

Command Options:

Examples:

Remove user name@example.com from access group example_group:

ibmcloud iam access-group-user-remove example_group name@example.com

ibmcloud iam access-group-user-purge

{: #ibmcloud_iam_access_group_user_purge}

Remove user from all access groups

ibmcloud iam access-group-user-purge USER_NAME [-f, --force]

Prerequisites: Endpoint, Login

Command Options:

-f, --force
Delete without confirmation

Examples:

Remove user name@example.com from all access groups:

ibmcloud iam access-group-user-purge name@example.com -f

ibmcloud iam access-group-service-ids

{: #ibmcloud_iam_access_group_service_ids}

List service IDs in an access group

ibmcloud iam access-group-service-ids GROUP_NAME

Prerequisites: Endpoint, Login

Command Options:

Examples:

List all service IDs in access group example_group:

ibmcloud iam access-group-service-ids example_group

ibmcloud iam access-group-service-id-add

{: #ibmcloud_iam_access_group_service_id_add}

Add service ID to an access group

ibmcloud iam access-group-service-id-add GROUP_NAME SERVICE_ID_NAME [SERVICE_ID_NAME2...]

Prerequisites: Endpoint, Login

Command Options:

Examples:

Add service ID example-service to access group example_group:

ibmcloud iam access-group-service-id-add example_group example-service

ibmcloud iam access-group-service-id-remove

{: #ibmcloud_iam_access_group_service_id_remove}

Remove a service ID from an access group

ibmcloud iam access-group-service-id-remove GROUP_NAME SERVICE_ID_NAME

Prerequisites: Endpoint, Login

Command Options:

Examples:

Remove service ID example-service from access group example_group:

ibmcloud iam access-group-service-id-remove example_group example-service

ibmcloud iam access-group-service-id-purge

{: #ibmcloud_iam_access_group_service_id_purge}

Remove service ID from all access groups

ibmcloud iam access-group-service-id-purge SERVICE_ID_NAME [-f, --force]

Prerequisites: Endpoint, Login

Command Options:

-f, --force
Delete without confirmation

Examples:

Remove service ID example-service from all access groups:

ibmcloud iam access-group-service-id-purge example-service --force

ibmcloud iam access-group-policies

{: #ibmcloud_iam_access_group_policies}

List policies of an access group

ibmcloud iam access-group-policies GROUP_NAME

Prerequisites: Endpoint, Login

Command Options:

Examples:

List all policies of access group example_group:

ibmcloud iam access-group-policies example_group

ibmcloud iam access-group-policy

{: #ibmcloud_iam_access_group_policy}

Show details of an access group policy

ibmcloud iam access-group-policy GROUP_NAME POLICY_ID

Prerequisites: Endpoint, Login

Command Options:

Examples:

Show details of policy 51b9717e-76b0-4f6a-bda7-b8132431f926 of access group example_group:

ibmcloud iam access-group-policy example_group 51b9717e-76b0-4f6a-bda7-b8132431f926

ibmcloud iam access-group-policy-create

{: #ibmcloud_iam_access_group_policy_create}

Create an access group policy

ibmcloud iam access-group-policy-create GROUP_NAME {--file @JSON_FILE | --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]}

Prerequisites: Endpoint, Login

Command Options:

--file
JSON file of policy definition
--roles
Role names of the policy definition. For supported roles of a specific service, run 'ibmcloud iam roles --service SERVICE_NAME'. This option is exclusive with '--file'.
--service-name
Service name of the policy definition. This option is exclusive with '--file'.
--service-instance SERVICE_INSTANCE_GUID
GUID of service instance of the policy definition. This option is exclusive with '--file'.
--region
Region of the policy definition. This option is exclusive with '--file'.
--resource-type
Resource type of the policy definition. This option is exclusive with '--file'.
--resource
Resource of the policy definition. This option is exclusive with '--file'.
--resource-group-name
Name of the resource group. This option is exclusive with '--file' and '--resource-group-id'.
--resource-group-id
ID of the resource group. This option is exclusive with '--file' and '--resource-group-name'.

Examples:

Create an access group policy from a JSON file:

ibmcloud iam access-group-policy-create example_group --file @policy.json

Give example_group Administrator role for all sample-service resources:

ibmcloud iam access-group-policy-create example_group --roles Administrator --service-name sample-service

Give example_group Editor role for resource key123 of sample-service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam access-group-policy-create example_group --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south --resource-type key --resource key123

Give example_group Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-create example_group --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Give example_group Viewer role for the members of resource group sample-resource-group:

ibmcloud iam access-group-policy-create example_group --roles Viewer --resource-group-name sample-resource-group

Give example_group Viewer role for the members of resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-create example_group --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6

ibmcloud iam access-group-policy-update

{: #ibmcloud_iam_access_group_policy_update}

Update an access group policy

ibmcloud iam access-group-policy-update GROUP_NAME POLICY_ID {--file @JSON_FILE | [--roles ROLE_NAME1,ROLE_NAME2...] [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE_GUID] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]}

Prerequisites: Endpoint, Login

Command Options:

--file
JSON file of policy definition
--roles
Role names of the policy definition. For supported roles of a specific service, run 'ibmcloud iam roles --service SERVICE_NAME'. This option is exclusive with '--file'.
--service-name
Service name of the policy definition. This option is exclusive with '--file'.
--service-instance SERVICE_INSTANCE_GUID
GUID of service instance of the policy definition. This option is exclusive with '--file'.
--region
Region of the policy definition. This option is exclusive with '--file'.
--resource-type
Resource type of the policy definition. This option is exclusive with '--file'.
--resource
Resource of the policy definition. This option is exclusive with '--file'.
--resource-group-name
Name of the resource group. This option is exclusive with '--file' and '--resource-group-id'.
--resource-group-id
ID of the resource group. This option is exclusive with '--file' and '--resource-group-name'.

Examples:

Update access group policy with the one in policy JSON file:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --file @policy.json

Update access group policy to give example_group Administrator role for all sample-service resources:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Administrator --service-name sample-service

Update access group policy to give example_group Editor role for resource key123 of sample-service instance with GUID d161aeea-fd02-40f8-a487-df1998bd69a9 in us-south region:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Editor --service-name sample-service --service-instance d161aeea-fd02-40f8-a487-df1998bd69a9 --region us-south --resource-type key --resource key123

Update access group policy to give example_group Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Update access group policy to give example_group Viewer role for members of resource group sample-resource-group:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Viewer --resource-group-name sample-resource-group

Update access group policy to give example_group Viewer role for members of resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam access-group-policy-update example_group b8638ceb-5c4d-4d58-ae06-7ad95a10c4d4 --roles Viewer --resource-group-id dda27e49d2a1efca58083a01dfde18f6
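
A pre-flight check for the flag rules that access-group-policy-create and access-group-policy-update document above, added here as an example; it is not part of the IBM Cloud CLI or of the original page. The function names check_policy_flags and guarded_policy_create are hypothetical, and holding a roles-only policy for review is this example's own choice, not a CLI rule.

```shell
#!/usr/bin/env bash
# Added example, not IBM's code: validate policy flags before calling the CLI.
# check_policy_flags prints one verdict word (ok | conflict | review) on stdout
# and the reason on stderr; it returns non-zero unless the verdict is "ok".
check_policy_flags() {
  local arg file roles rg_name rg_id scope
  file=0; roles=0; rg_name=0; rg_id=0; scope=0
  for arg in "$@"; do
    case "$arg" in
      --file)                file=1 ;;
      --roles)               roles=1 ;;
      --resource-group-name) rg_name=1; scope=1 ;;
      --resource-group-id)   rg_id=1; scope=1 ;;
      --service-name|--service-instance|--region|--resource-type|--resource)
                             scope=1 ;;
    esac
  done
  # Documented rule: --file is exclusive with --roles and every scope flag.
  if [ "$file" -eq 1 ] && [ $((roles + scope)) -gt 0 ]; then
    echo "--file cannot be combined with --roles or scope flags" >&2
    echo conflict; return 1
  fi
  # Documented rule: the two resource-group flags are exclusive.
  if [ "$rg_name" -eq 1 ] && [ "$rg_id" -eq 1 ]; then
    echo "--resource-group-name and --resource-group-id are exclusive" >&2
    echo conflict; return 1
  fi
  # Assumption of this example: roles with no scope flag need a human review.
  if [ "$roles" -eq 1 ] && [ "$scope" -eq 0 ]; then
    echo "--roles given with no service or resource-group scope" >&2
    echo review; return 2
  fi
  echo ok
}

# Hypothetical wrapper: run access-group-policy-create only when the check passes.
guarded_policy_create() {
  local group verdict
  group=$1; shift
  verdict=$(check_policy_flags "$@") || {
    echo "refused: $verdict" >&2
    return 1
  }
  ibmcloud iam access-group-policy-create "$group" "$@"
}
```

Source the file and call guarded_policy_create with the same arguments you would pass to access-group-policy-create; the CLI is invoked only when the verdict is ok.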

ibmcloud iam access-group-policy-delete

{: #ibmcloud_iam_access_group_policy_delete}

Delete an access group policy

ibmcloud iam access-group-policy-delete GROUP_NAME POLICY_ID [-f, --force]

Prerequisites: Endpoint, Login

Command Options:

-f, --force
Force deletion without confirmation

Examples:

Delete policy 51b9717e-76b0-4f6a-bda7-b8132431f926 of access group example_group:

ibmcloud iam access-group-policy-delete example_group 51b9717e-76b0-4f6a-bda7-b8132431f926 -f