2) IBM COS (IAM) authentication with application configuration

Create IBM Cloud Object Storage Credentials

A service credential packages the information needed to connect an application to Object Storage in a JSON document. Service credentials are always associated with a Service ID, and a new Service ID can be created along with a new credential.

Use the following steps to create a service credential:

  1. Log in to the IBM Cloud console and navigate to your instance of Object Storage.
  2. In the side navigation, click Service Credentials.
  3. Click New credential and provide the necessary information.
  4. Click Add to generate the service credential.
  5. Click View credentials and copy the JSON to the clipboard.

This is an example of a service credential:

{
     "apikey": "0viPHOY7LbLNa9eLftrtHPpTjoGv6hbLD1QalRXikliJ",
     "endpoints": "https://cos-service.bluemix.net/endpoints",
     "iam_apikey_description": "Auto generated apikey during resource-key operation for Instance - crn:v1:bluemix:public:cloud-object-storage:global:a/3ag0e9402tyfd5d29761c3e97696b71n:d6f74k03-6k4f-4a82-b165-697354o63903::",
     "iam_apikey_name": "auto-generated-apikey-f9274b63-ef0b-4b4e-a00b-b3bf9023f9dd",
     "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
     "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/3ag0e9402tyfd5d29761c3e97696b71n::serviceid:ServiceId-540a4a41-7322-4fdd-a9e7-e0cb7ab760f9",
     "resource_instance_id": "crn:v1:bluemix:public:cloud-object-storage:global:a/3ag0e9402tyfd5d29761c3e97696b71n:d6f74k03-6k4f-4a82-b165-697354o63903::"
}

Save Credentials in Application Configuration Property

With this option, users can copy their IBM Cloud Object Storage Credentials JSON from the IBM Cloud Object Storage service and store it in an application configuration property called cos.creds. When the operator starts, it will look for that property and extract the information needed to connect. The following steps outline how this can be done:

  1. Create an application configuration called cos.
  2. Create a property in the cos application configuration named cos.creds.
    • The value of the property should be the raw IBM Cloud Object Storage Credentials JSON.
    • The value of the property can be pasted from the clipboard if you have completed the Create IBM Cloud Object Storage Credentials steps above.
  3. The operator will automatically look for an application configuration named cos and will extract the information needed to connect.

This is an example of an application configuration in Streams Console:

The operator extracts the apikey (IAMApiKey) and resource_instance_id (IAMServiceInstanceId) from the cos.creds JSON. The auth endpoint value (IAMTokenEndpoint) is derived from the endpoints URL provided as part of the service credentials: a JSON document is retrieved from the endpoints URL, and /oidc/token is appended to the iam-token URL to construct the IAMTokenEndpoint.

{
   "identity-endpoints": {
      "iam-token": "iam.bluemix.net",
      "iam-policy": "iampap.bluemix.net"
   },
...