Configuring Cloud Object Storage for project and catalog creation

As an IBM Cloud account owner or administrator, you can configure your Cloud Object Storage instance for projects and catalogs on the Storage Delegation page:

Enable non-administrative users to create projects and catalogs

By default, only the owner or administrators of an IBM Cloud Object Storage instance have permission to associate it with a project or catalog. As the owner or administrator of a Cloud Object Storage instance, you can configure your Cloud Object Storage instance to allow all IBM Watson users to create projects or catalogs with it. This configuration does not change user roles on the Cloud Object Storage instance in IBM Cloud.

To allow IBM Watson users to create projects or catalogs with a Cloud Object Storage instance, in Watson Studio:

  1. Choose Manage > Storage Delegation.
  2. Enable project or catalog creation for your Cloud Object Storage instance.

Disabling project or catalog creation for a Cloud Object Storage instance does not affect existing projects or catalogs that use that instance.

Encrypt your Cloud Object Storage instance with your own key

Data at rest in Cloud Object Storage is encrypted by default with randomly generated keys that are managed by IBM. However, you might want to implement customer-managed encryption for IBM Cloud Object Storage so that you can create and manage your own keys. Not all Watson Studio and Watson Knowledge Catalog plans support using your own encryption keys.

To encrypt your Cloud Object Storage instance with your own key, you need an instance of the IBM Key Protect service. IBM Key Protect for IBM Cloud is a centralized key management system for generating, managing, and destroying encryption keys used by IBM Cloud services.

In IBM Cloud, prepare Key Protect:

  1. Create an instance of Key Protect from the IBM Cloud catalog.
  2. Create a root key to use for your Cloud Object Storage instance.
  3. Grant a service authorization between your Key Protect instance and your Cloud Object Storage instance. Do not associate a key with a bucket. If you don’t grant the authorization, users won’t be able to create projects and catalogs with the Cloud Object Storage instance. You can also grant a service authorization for a root key from Watson Studio, by choosing Manage > Access (IAM).

If you change or remove the key, you will lose access to existing encrypted data in the Cloud Object Storage instance.

Next step

Assign Watson Knowledge Catalog app administrators