search

IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0
341 stars 670 forks source link

Ability to generate IBM Cloud API key for users and service IDs #1797

Closed l2fprod closed 3 years ago

l2fprod commented 4 years ago

My terraform script invites users and creates service IDs. I also need to generate API keys for these users and service IDs. This capability seems to be missing from the terraform provider.

AWS (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key), Google Cloud (https://www.terraform.io/docs/providers/google/r/google_service_account_key.html) have such capability.

Should be the equivalent of ibmcloud iam api-key-create and ibmcloud iam service-api-key-create.

kjoconnor commented 4 years ago

I would love this - looks like someone else asked for it way back in https://github.com/IBM-Cloud/terraform-provider-ibm/issues/666 over a year ago so not sure if it's happening any time soon though :(

data-henrik commented 4 years ago

I posted a workaround to Stack Overflow: https://stackoverflow.com/questions/63557050/ibm-cloud-and-terraform-how-to-create-and-download-api-key

kjoconnor commented 4 years ago

Thanks for sharing, where are you getting data.ibm_iam_auth_token.iam_tokendata.iam_access_token in that example?

data-henrik commented 4 years ago

@kjoconnor https://cloud.ibm.com/docs/terraform?topic=terraform-iam-data-sources#iam-token

kavya498 commented 3 years ago

https://github.com/IBM-Cloud/terraform-provider-ibm/pull/2519

kavya498 commented 3 years ago

Available in latest

wahaha2001 commented 3 years ago

Thanks for sharing. I try to use this new feature but not sure how to get the api-key vaule to be stored in a KeyProtect key entry. Any tips? 

resource "ibm_iam_service_id" "test-service-id" {
  name        = "test-service-id"
  description = "For test"
}

resource "ibm_iam_service_api_key" "test-apikey" {
  name = "test-apikey"
  iam_service_id = ibm_iam_service_id.test-service-id.iam_id
}

Not sure how to retrieve the api key vaule then store it in KeyProtect. I think below script block should not work as expected.

resource "ibm_kp_key" "kp_test_api_key" {
  key_protect_id = ibm_resource_instance.kp_test.guid
  key_name       = "TEST_API_KEY"
  payload        = base64encode(ibm_iam_service_api_key.test-apikey)
  standard_key   = true
  force_delete   = true
}
kavya498 commented 3 years ago 
resource "ibm_iam_service_api_key" "test-apikey" {
  name = "test-apikey"
  iam_service_id = ibm_iam_service_id.test-service-id.iam_id
}

ibm_iam_service_api_key.test-apikey.apikey gives you the value of API key value..

But, We are not sure what do you mean by storing api key in Key Protect

data-henrik commented 3 years ago

Take a look here: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/kp_key You can store anything encoded as KP key.

wahaha2001 commented 3 years ago

@kavya498 @data-henrik, thanks, the usage "ibm_iam_service_api_key.test-apikey.apikey" is what I am seeking :)