The IBM Cloud is constantly evolving, and one area where we’re currently making improvements is the availability of provisioned services for applications across regions, as well as access management to those services. This has led to the introduction of ‘Resource Groups’.
If you are familiar with the concept of Cloud Foundry Organizations and Spaces, you can roughly equate a Resource Group to a Space. So, as our services become enabled for Resource Groups, you will need to choose a Resource Group rather than a Space when they are provisioned. The eagle-eyed among you may have noticed that your IBM Cloud account already has a Resource Group called ‘default’ (note that the name can be changed). If you have a Pay as You Go or Subscription account, you should start to consider your strategy for Resource Group usage, as each account will normally have more than one Resource Group, in the same way that they normally have multiple Organizations and Spaces.
Once you have your Resource Groups, you will need to assign access to them, and this is where Identity and Access Management (IAM) comes in. IAM allows fine-grained control of access to the resources in a Resource Group. For example, suppose you have a Resource Group into which you have provisioned a Cloud Object Storage service, and you have then created two buckets in that Object Storage instance. IAM will allow you to grant:
- Access to everything in the Resource Group
- Access to just Cloud Object Storage services
- Access to one particular instance of Cloud Object Storage
- Access to one particular bucket in Cloud Object Storage
There are different levels of access available too, to support Administrators, Editors, Operators and Viewers.
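The four scopes above can be modelled as policies that pin progressively more attributes of a resource. The following is an added example, not IBM's code or policy engine: the attribute names are assumptions modelled on IAM policy resource attributes, and every id, user and bucket name is constructed. It shows who can reach each bucket and which grants reach it from a wider scope than the bucket itself, which is the check to run when reviewing access for least privilege.

```python
# Simplified model of IAM policy scoping; not IBM's evaluation engine.
# Attribute names are assumptions; every id, user and bucket is constructed.
LEVELS = [("resource", "bucket"), ("serviceInstance", "instance"),
          ("serviceName", "service"), ("resourceGroupId", "resource group")]

COS = {"resourceGroupId": "rg-prod", "serviceName": "cloud-object-storage"}
COS_1 = dict(COS, serviceInstance="cos-1")
BUCKET_A = dict(COS_1, resourceType="bucket", resource="bucket-a")
BUCKET_B = dict(COS_1, resourceType="bucket", resource="bucket-b")
OTHER_SERVICE = {"resourceGroupId": "rg-prod", "serviceName": "sample-service",
                 "serviceInstance": "svc-1"}

# One policy per scope from the list above, each with a different role.
POLICIES = [
    {"subject": "alice", "role": "Administrator",
     "scope": {"resourceGroupId": "rg-prod"}},
    {"subject": "bob", "role": "Editor", "scope": COS},
    {"subject": "carol", "role": "Operator", "scope": COS_1},
    {"subject": "dave", "role": "Viewer", "scope": BUCKET_A},
]


def policy_applies(policy, target):
    """A policy covers a target when every attribute it pins matches."""
    return all(target.get(k) == v for k, v in policy["scope"].items())


def scope_level(policy):
    """Name the most specific attribute the policy pins."""
    return next(label for key, label in LEVELS if key in policy["scope"])


def access_map(policies, target):
    """Return {subject: [roles]} for every policy that covers the target."""
    result = {}
    for p in policies:
        if policy_applies(p, target):
            result.setdefault(p["subject"], []).append(p["role"])
    return result


def overbroad_grants(policies, target):
    """List (subject, level) for grants reaching the target from a wider scope."""
    return [(p["subject"], scope_level(p)) for p in policies
            if policy_applies(p, target) and scope_level(p) != "bucket"]


if __name__ == "__main__":
    for name, target in [("bucket-a", BUCKET_A), ("bucket-b", BUCKET_B)]:
        print(name, access_map(POLICIES, target), overbroad_grants(POLICIES, target))
```

Note that the bucket-scoped grant for `dave` does not reach `bucket-b`, while the three wider grants reach both buckets.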
We are starting to migrate services to use Resource Groups over Cloud Foundry Organizations and Spaces, and you’ll notice this happening with our Watson services during the summer. If you have Watson services already provisioned, you’ll start to see ‘migrate’ icons beside those services in your IBM Cloud dashboard. Prior to migrating, you must be ready with your Resource Group strategy and have your Resource Groups created. Pressing the icon will take you through a short ‘wizard’ that will guide you through the process and provide you with links to appropriate documentation. I recommend that you take time to read the documentation, as it may differ for each service type and there may be follow-on activities that you need to consider which are specific to a service type.
Once the migration has completed, you will see a ‘linked’ icon beside the migrated service. This indicates that the service has migrated but is linked to Cloud Foundry, meaning that any service credentials that you have in place will still work and apps using those services will operate, unaffected. However, at this point, you should also start to consider using IAM credentials for the service in your apps, which requires some coding changes. Note that eventually, existing Cloud Foundry credentials will no longer work.
For more information, the IBM Cloud documentation is, as always, a great place to start.