Tags: ibm-cloud, container-registry, ibm-cloud-code-engine

IBM Cloud: Least privileges for service ID that needs to update a Code Engine app?


I am using IBM Cloud Code Engine to deploy my containerized apps. Now, I would like to use a service ID (or its API key) to run a toolchain and, within it, update an already existing app. What privileges are needed to push the new container image to a private registry and to update the app from that image?


Solution

  • It seems the following privileges are needed. They can be created as access policies within an IBM Cloud IAM access group. The service ID is then added to that access group.

    • Viewer on resources limited to the resource group with the Code Engine project. That way, the resource group can be set and the project seen.
    • Operator and Writer for Container Registry, to be able to push a new container image.
    • Operator and Writer for Code Engine, scoped to just the project, to be able to update the app.

    With the above privileges my pipeline could run successfully.
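The policy set from the answer, wired into one IAM access group with the `ibmcloud` CLI, followed by the steps the pipeline performs with the service ID's API key. This is an added example, not code from the original post: the access group name `ce-deployer`, the service ID name `toolchain-deployer`, the region, the resource group and the project GUID placeholder are all assumptions, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not from the original post): creates the least-privilege
# access group described in the answer and shows the pipeline steps that
# the service ID then performs. All names below are placeholders.
set -e

ACCESS_GROUP="${ACCESS_GROUP:-ce-deployer}"          # assumed access-group name
SERVICE_ID="${SERVICE_ID:-toolchain-deployer}"       # assumed service-ID name
RESOURCE_GROUP="${RESOURCE_GROUP:-Default}"          # resource group holding the CE project
REGION="${REGION:-us-south}"                         # assumed region of the project
CE_PROJECT_GUID="${CE_PROJECT_GUID:-<project-guid>}" # from: ibmcloud ce project get --name NAME
DRY_RUN="${DRY_RUN:-1}"                              # 1 = print commands only; 0 = execute

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# One access group carries the whole policy set; the service ID joins it.
create_access_group() {
  run ibmcloud iam access-group-create "$ACCESS_GROUP" \
    -d "Pipeline deployer for one Code Engine project"
}

# The three policies from the answer, most-scoped form first.
create_access_policies() {
  # 1. Viewer on resources in the resource group: lets the service ID set the
  #    resource group and see the Code Engine project. Caveat (not from the
  #    answer): if `ibmcloud target -g` still fails, a Viewer policy on the
  #    resource group itself (--resource-type resource-group --resource RG_ID)
  #    is the usual fix.
  run ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \
    --roles Viewer --resource-group-name "$RESOURCE_GROUP"
  # 2. Operator + Writer on Container Registry: push the new image.
  #    Tightening idea (not from the answer): add --region/--resource-type
  #    namespace/--resource NAME to limit it to one registry namespace.
  run ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \
    --roles Operator,Writer --service-name container-registry
  # 3. Operator + Writer on Code Engine, scoped to the single project instance.
  run ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \
    --roles Operator,Writer --service-name codeengine \
    --service-instance "$CE_PROJECT_GUID"
}

add_service_id() {
  run ibmcloud iam access-group-service-id-add "$ACCESS_GROUP" "$SERVICE_ID"
}

# What the toolchain does with the service ID's API key. The CLI reads the key
# from the IBMCLOUD_API_KEY environment variable, so it never appears on the
# command line or in dry-run output.
deploy() {
  image="$1" # e.g. us.icr.io/<namespace>/myapp:build-123
  app="$2"   # existing Code Engine application name
  run ibmcloud login -r "$REGION" -g "$RESOURCE_GROUP"
  run ibmcloud cr login
  run docker push "$image"
  run ibmcloud ce project select --id "$CE_PROJECT_GUID"
  run ibmcloud ce application update --name "$app" --image "$image"
}

# Usage: DRY_RUN=0 sh setup.sh            (one-time IAM setup)
#        DRY_RUN=0 sh setup.sh deploy IMAGE APP   (pipeline step)
if [ "${1:-}" = "deploy" ]; then
  deploy "$2" "$3"
elif [ "$DRY_RUN" = "0" ]; then
  create_access_group
  create_access_policies
  add_service_id
fi
```

Run it once with `DRY_RUN=1` to review the exact policies before applying them; the Code Engine policy is the only one scoped to a single instance, matching the answer, while the Container Registry policy stays account-wide unless you add the namespace scoping noted in the comment.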