Setting up IBM Cloud Object Storage for use with Cloud Pak for Data as a Service
An IBM Cloud Object Storage service instance is provisioned automatically with a Lite plan when you sign up for Cloud Pak for Data as a Service. Projects, catalogs, and deployment spaces in Cloud Pak for Data as a Service require IBM Cloud Object Storage to store files that are related to assets, including uploaded data files or notebook files.
You can also connect to IBM Cloud Object Storage as a data source. See IBM Cloud Object Storage connection.
Within a Cloud Object Storage instance, containers called buckets hold objects for use by projects, catalogs, and deployment spaces. Buckets can be individually configured in terms of their location, resiliency, billing rates, security, and object lifecycle rules.
Catalogs and deployment spaces create regional buckets in the same region as the service instance. However, project files are stored by default in Cross Region Cloud Object Storage buckets. With Cross Region buckets, the project files can potentially be stored in a different region than where the service instance resides.
You can force Regional buckets for projects to keep your project files in the same region as your Watson Studio service by setting Regional project storage to On. See Managing your account settings.
Steps for setting up IBM Cloud Object Storage
Tasks for the IBM Cloud account owner or administrator are:
- Generate an administrative key.
- Enable storage delegation for non-administrative users.
- Enable the Global location in your account profile. Cloud Object Storage requires the Global location.
- Optional. Encrypt your IBM Cloud Object Storage instance with your own key.
- Optional. Provide more security.
Step 1: Generate an administrative key
You must generate an administrative key for Cloud Object Storage. You can generate the key automatically by creating a project.
To automatically generate the administrative key for your Cloud Object Storage instance:
- From the Cloud Pak for Data as a Service main menu, select Projects > View all projects and then click New project.
- Specify to create an empty project.
- Enter a project name, such as "Test Project".
- Select your Cloud Object Storage instance.
- Click Create. The administrative key is generated and you can delete the project.
The Test Project is required to generate the administrative key for first-time use. It is no longer needed after the key is generated.
Step 2: Enable storage delegation for non-administrative users
Storage delegation for the Cloud Object Storage instance is required to allow non-administrative users to create workspaces. If you do not enable storage delegation for projects and catalogs in the Cloud Object Storage instance, then only the IBM Cloud account owner and administrators have permission to create workspaces. Storage delegation for projects also includes deployment spaces.
Follow these steps to enable storage delegation for the Cloud Object Storage instance:
- From the Cloud Pak for Data as a Service main menu, select Administration > Storage delegation.
- Enable storage delegation for projects and catalogs for the Cloud Object Storage instance.
Step 3: (Optional) Encrypt your IBM Cloud Object Storage instance with your own key
Data at rest in Cloud Object Storage is encrypted by default by using randomly generated keys that are managed by IBM. However, you might want to create and manage your own encryption keys by using IBM Key Protect. For instructions on how to integrate Key Protect with Cloud Object Storage, see Integrating with IBM Cloud Object Storage.
To encrypt your Cloud Object Storage instance with your own key, you need an instance of the IBM Key Protect service. IBM Key Protect for IBM Cloud is a centralized key management system for generating, managing, and destroying encryption keys used by IBM Cloud services.
In IBM Cloud, prepare Key Protect:
- Create an instance of Key Protect from the IBM Cloud catalog.
- Create a root key to use for your Cloud Object Storage instance.
- Grant a service authorization between your Key Protect instance and your Cloud Object Storage instance. Do not associate a key with a bucket. If you don't grant the authorization, users cannot create projects and catalogs with the Cloud Object Storage instance. For more information, see Using authorizations to grant access between services.
You can also grant a service authorization for a root key from Watson Studio, by choosing Manage > Access (IAM).
If you change or remove the key, you lose access to existing encrypted data in the Cloud Object Storage instance.
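The Key Protect preparation in this step can also be scripted with the ibmcloud CLI. The following is an added example, not part of IBM's documentation; it assumes the key-protect CLI plugin is installed, and the instance name, key name, region, and GUIDs are placeholders that you supply.

```sh
#!/bin/sh
# Added example (not IBM's code): Step 3's Key Protect preparation via the ibmcloud CLI.
# Assumes the key-protect CLI plugin is installed and you are already logged in.
set -eu

KP_NAME="${KP_NAME:-cpd-key-protect}"     # hypothetical instance name
KEY_NAME="${KEY_NAME:-cpd-cos-root-key}"  # hypothetical root key name
REGION="${REGION:-us-south}"              # assumed region
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = run them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the Key Protect instance (catalog service "kms", plan "tiered-pricing").
create_kp_instance() {
  run ibmcloud resource service-instance-create "$KP_NAME" kms tiered-pricing "$REGION"
}

# Create a root key: "kp key create" makes a root key unless --standard-key is passed.
create_root_key() {  # $1 = Key Protect instance GUID
  run ibmcloud kp key create "$KEY_NAME" --instance-id "$1"
}

# Authorize the Cloud Object Storage instance (source) to read keys in the
# Key Protect instance (target). No key is attached to any bucket here.
authorize_cos() {  # $1 = COS instance GUID, $2 = Key Protect instance GUID
  run ibmcloud iam authorization-policy-create cloud-object-storage kms Reader \
    --source-service-instance-id "$1" --target-service-instance-id "$2"
}

# Root key plus authorization for one COS/Key Protect pair. Empty GUIDs are
# rejected: a policy without instance IDs applies to every instance of both
# services in the account, which is broader than this setup needs.
prepare_key_protect() {
  if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
    echo "usage: prepare_key_protect <cos-guid> <kp-guid>" >&2
    return 2
  fi
  create_root_key "$2"
  authorize_cos "$1" "$2"
}
```

Run create_kp_instance first, look up the GUID of the new instance with ibmcloud resource service-instance, and then call prepare_key_protect with DRY_RUN=0 once the printed commands look right.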
Step 4: (Optional) Provide more security
You can provide more protection for the data that is stored in Cloud Object Storage by using role-based access controls (IAM) and Service IDs. For more information about security constraints for the data stored in Cloud Object Storage, see Data security.
Finish the remaining steps for setting up the platform.