Build Service ID and API key configurations for programmatic access to IBM Cloud services.
Last verified: May 2026
Required Fields
name, accountId, apiKeys

The builder collects the service ID name, description, scope (account or resource group), and attached access policies. For each policy it validates the role (Viewer, Editor, Administrator, or service-specific roles) against the chosen service and resource. Output is an `ibm_iam_service_id` Terraform resource plus `ibm_iam_service_policy` resources for each attached policy and an `ibm_iam_service_api_key` resource for the API key.
IBM Cloud Service IDs are non-human principals — like AWS IAM roles or GCP service accounts — used by applications, CI/CD pipelines, and scheduled jobs. The IBM IAM Service ID Builder produces complete service ID definitions including the principal, attached access policies, and API keys (with rotation guidance) so an application can authenticate without using a human user's credentials.
Your team's daily Jenkins job uses a shared 'cicd' user's API key to deploy to IBM Cloud. The user belongs to an engineer who is leaving in two weeks. You generate a proper service ID through the builder, attach narrowly-scoped policies that match what the pipeline actually needs (deploy to one resource group, no global admin), rotate the key into Jenkins' secret store, and remove the human user's account. Deploys keep working, the leaving engineer's departure is just a normal offboarding, and the audit trail is now keyed to a clearly-named service principal.
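The configuration below is an added illustration of what that scenario looks like in Terraform, written here rather than taken from the builder's own output: one service ID, Editor scoped to a single resource group (no account-level Administrator), a Viewer policy on the resource group itself, and an API key. It goes a step further than the scenario by wiring in 90-day rotation through the `hashicorp/time` provider and writing the key into Secrets Manager instead of into state consumers. The resource group name `app-prod`, the service ID name `cicd-deployer`, the two input variables and the exact attribute set of `ibm_sm_arbitrary_secret` are assumptions; check them against the current IBM provider documentation before applying.

```hcl
terraform {
  required_providers {
    ibm  = { source = "IBM-Cloud/ibm" }
    time = { source = "hashicorp/time" }
  }
}

# Secrets Manager instance that will hold the key (values are assumptions).
variable "secrets_manager_instance_id" { type = string }
variable "region" { type = string }

# The only resource group the pipeline may deploy into (name is an assumption).
data "ibm_resource_group" "app" {
  name = "app-prod"
}

# The non-human principal that replaces the shared 'cicd' human user.
resource "ibm_iam_service_id" "cicd" {
  name        = "cicd-deployer"
  description = "Jenkins deploy pipeline for app-prod; owner: platform team"
}

# Narrow policy: Editor on resources inside the app-prod resource group only.
# Nothing here grants Administrator or account-wide scope.
resource "ibm_iam_service_policy" "deploy" {
  iam_service_id = ibm_iam_service_id.cicd.id
  roles          = ["Editor"]

  resources {
    resource_group_id = data.ibm_resource_group.app.id
  }
}

# Viewer on the resource group object itself, so the pipeline can resolve it.
resource "ibm_iam_service_policy" "rg_view" {
  iam_service_id = ibm_iam_service_id.cicd.id
  roles          = ["Viewer"]

  resources {
    resource_type = "resource-group"
    resource      = data.ibm_resource_group.app.id
  }
}

# Rotation driver: the base timestamp changes every 90 days, and because it is
# part of the key name, Terraform replaces the key on the next apply after that.
resource "time_rotating" "cicd_key" {
  rotation_days = 90
}

resource "ibm_iam_service_api_key" "cicd" {
  name           = "cicd-deployer-${formatdate("YYYYMMDD", time_rotating.cicd_key.id)}"
  description    = "Rotated on a 90-day schedule via time_rotating.cicd_key"
  iam_service_id = ibm_iam_service_id.cicd.iam_id
}

# The key value is handed straight to Secrets Manager; Jenkins reads it from
# there rather than from a repo or a person's notes.
resource "ibm_sm_arbitrary_secret" "cicd_key" {
  instance_id = var.secrets_manager_instance_id
  region      = var.region
  name        = "cicd-deployer-apikey"
  payload     = ibm_iam_service_api_key.cicd.apikey
}
```

Running `terraform apply` on a scheduled basis (or from the pipeline itself) is what turns the rotation into policy: once the 90-day window passes, the plan shows the old key being destroyed and a new one created, and the Secrets Manager entry is updated in the same run. The API key value still lands in Terraform state, so the state backend needs the same protection as the secret store.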
Rotate API keys at least quarterly, and immediately when a team member with knowledge of the key leaves. Treat any key older than 90 days as suspicious during audits.
Never check a service ID's API key into a git repo, even a private one. Store it in IBM Cloud Secrets Manager or your CI's secret store. A key in git is a key that has effectively leaked the moment the repo is cloned.
API keys have no built-in expiration on IBM Cloud — they live until explicitly deleted. This is a feature for stable applications and a bug for security: a key created two years ago has the same privileges as a fresh one. Establish a rotation policy and enforce it through tooling or scheduled audits.
Not directly. IBM Cloud uses Trusted Profiles for delegation: a service ID (or any IAM principal) can be authorized to assume a trusted profile, which itself carries access policies. This is closer to AWS IAM role assumption than to AWS IAM user impersonation. Use trusted profiles when an application needs different sets of permissions for different operations.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.