Step 1: Create a Cloud Object Storage instance and several buckets

1. From the IBM Cloud catalog, search for Object Storage, then create a Cloud Object Storage instance.

2. Select Buckets in the navigation pane.

3. Create as many buckets as you need.

   For example, create three buckets: dept1-bucket, dept2-bucket, and dept3-bucket.

   

Step 2: Create a service credential and Service ID for each combination of buckets that you want users to be able to access

1. Select Service credentials in the navigation pane.

2. Click New Credential.

3. In the Add new credential dialog, provide a name for the credential and select the appropriate access role.

4. Within the Select Service ID field, click Create New Service ID.

5. Enter a name for the new service ID. We recommend using the same or a similar name to that of the credential for easy identification.

6. Click Add.

7. Repeat steps 2 to 6 for each credential that you want to create.

   For example, create three credentials: cos-all-access, dept1-dept2-buckets-only, and dept2-dept3-buckets-only.

   

Step 3: Verify that the service IDs were created

1. In the IBM Cloud page header, click Manage > Access (IAM).

2. Select Service IDs in the navigation pane.

3. Confirm that the service IDs you created in steps 2d and 2e are visible.

   

Step 4: Edit the policies of each service ID to provide access to the appropriate buckets

1. Open each service ID in turn.

2. On the Access policies tab, select Edit from the Actions menu to view the policy.

3. If necessary, edit the policy to provide access to the appropriate buckets.

4. If needed, create one or more new policies.

   1. Remove the existing, default policy which provides access to all of the buckets in the Cloud Object Storage instance.

   2. Click Assign access.

   3. For Resource type, specify "bucket".

   4. For Resource ID, specify a bucket name.

   5. In the Select roles section, select Viewer from the "Assign platform access roles" list and select Writer from the "Assign service access roles" list.

Step 5: Copy values from each of the service credentials that you created

1. Return to your IBM Cloud Dashboard and select Cloud Object Storage from the Storage list.

2. Select Service credentials in the navigation pane.

3. Click the View credentials action for one of the service IDs that you created in step 2.

4. Copy the "apikey" value and the "resource_instance_id" value to a temporary location, such as a desktop note.

   

   

5. Repeat steps 3 and 4 for each credential.

Step 6: Copy the Endpoint

1. Select Endpoint in the navigation pane.

2. Copy the URL of the endpoint that you want to connect to. Save the value to a temporary location, such as a desktop note.

Step 7: Add Cloud Object Storage connections that use the service credentials that you created

1. Return to your project on the Assets tab, and click New asset > Connect to a data source..

2. On the New connection page, click Cloud Object Storage.

3. Name the new connection and enter the login URL (from the Endpoints page) as well as the "apikey" and "resource_instance_id" values that you copied in step 5 from one of the service credentials.

4. Repeat steps 3 to 5 for each service credential.

   The connections will be visible in the Data assets section of the project.

Test users' access to buckets

Going forward, when you add a data asset from a Cloud Object Storage connection to a project, you'll see only the buckets that the policies allow you to access. To test this:

1. From a project, click Import assets > Connected data. Or from a catalog, click Add to catalog > Connected asset.

2. In the Connection source section, click Select source.

   On the Select connection source page, you can see the Cloud Object Storage connections that you created.

3. Select one of the Cloud Object Storage connections to see that only the buckets accessible to the service ID associated with that bucket's credential are visible.

Parent topic: IBM Cloud Object Storage connection