Setting the cluster credentials

IBM Cloud Kubernetes Service accesses the infrastructure portfolio and other services needed by your cluster by using an API key. This API key stores the credentials of a user in the account to the infrastructure and other services. IBM Cloud Kubernetes Service uses the API key to order resources in the service, such as new worker nodes or VLANs.

Considerations

To change which credentials are used to manage IBM Cloud Kubernetes Service resources, you can perform an API key reset. When the API key is reset, the previous API key that was used, if any, for the region and resource group is now obsolete. You can then delete the old API key from your list of API keys.

Before resetting your cluster API key, consider the following:

  • The credentials that are stored in the API key to create clusters in the account belong to either:

    • The first user to create a cluster in the resource group in the region.
    • The most recent user to run the api-key reset targeting the resource group and specifying the region.
    • If neither of these has occurred, there are no stored credentials in the resource group in the region.
  • To avoid tying your cluster resources to a specific user, like the account owner, consider using a functional ID or a service ID instead of a personal user. Using an identity such as a functional ID or service ID prevents other users from losing access to the account and prevents disruptions to services and commands that require certain credentials that might not be available after the API key owner leaves.

  • Make sure that the identity that is used to run this command has the required Administrator platform role in IBM Cloud Kubernetes Service, the Operator platform role in the IAM Identity Service if you are using a service ID, and also the required permissions for the other services or integrations. Target the resource group that you want to set the API key for. The user that runs the api-key reset command replaces the API key associated with the targeted resource group in the specified region. If that user doesn't have sufficient permissions, other users in the resource group in the specified region might be impacted.

  • Do not use a service ID that was generated by using a Secrets Manager IAM credential type secret from an access group. Each time that you retrieve an IAM credentials secret, the API key and the service ID that Secrets Manager generates are locked, even if you manually unlock them before retrieving the secret. To use a service ID that was generated by using a Secrets Manager IAM credential type secret, pick the option to use an existing service ID as opposed to generating a new one every time from an access group. Additionally, make sure to set the Reuse IAM credentials until lease expires option to On.

  • If you use the Block Storage for VPC or cluster autoscaler add-ons in your cluster, you must re-create the add-on pods after you reset your API key. For more information, see Block Storage for VPC PVC creation fails after API key reset and Autoscaling fails after API key reset.

Resetting the cluster API key

To reset the cluster API key:

  1. As the account owner, invite an identity such as a functional ID, service ID, or trusted profile to your account.

  2. Make sure that the identity that is used to run this command has the required Administrator platform role in IBM Cloud Kubernetes Service, the Operator platform role in the IAM Identity Service if you are using a service ID, and also the required permissions for the other services or integrations. Target the resource group that you want to set the API key for. The user that runs the api-key reset command replaces the API key associated with the targeted resource group in the specified region. If that user doesn't have sufficient permissions, other users in the resource group in the specified region might be impacted.

  3. Log in as the identity whose credentials you want to use in the cluster.

    ibmcloud login
    
  4. Target the resource group the cluster is in.

    If you don't target a resource group, the API key is set for the default resource group. To list available resource groups, run ibmcloud resource groups.

    ibmcloud target -g <resource_group_name>
    
  5. Reset the API key.

    ibmcloud ks api-key reset --region <region>
    
  6. Verify that the API key is set up.

    ibmcloud ks api-key info --cluster <cluster_name_or_ID>
    
  7. Repeat these steps for each region and resource group where you want to reset the cluster API key.
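Steps 4 through 7 as a repeatable script. This is an added example, not part of the IBM documentation. It assumes you already ran ibmcloud login as the functional or service ID (step 3) and that resource group names contain no whitespace; the plan file format and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: reset the cluster API key for several resource group /
# region pairs. Uses only the commands shown in the steps above.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

# run_cmd: echo the command, and execute it unless in dry-run mode.
run_cmd() {
    echo "+ $*"
    if [ "$DRY_RUN" = "0" ]; then
        "$@"
    fi
}

# reset_pair <resource_group> <region> [cluster_name_or_ID]
# Targets the resource group first so the reset never falls back to the
# default resource group, then resets and optionally verifies the key.
reset_pair() {
    rg="$1"; region="$2"; cluster="${3:-}"
    if [ -z "$rg" ] || [ -z "$region" ]; then
        echo "skip: resource group and region are both required" >&2
        return 1
    fi
    run_cmd ibmcloud target -g "$rg" || return 1
    run_cmd ibmcloud ks api-key reset --region "$region" || return 1
    if [ -n "$cluster" ]; then
        run_cmd ibmcloud ks api-key info --cluster "$cluster" || return 1
    fi
}

# reset_all <plan_file>
# Plan file (hypothetical format): one "resource_group region [cluster]"
# per line; blank lines and lines starting with '#' are ignored.
# The file is read on fd 3 so stdin stays free for any CLI prompts.
# Returns the number of pairs that failed.
reset_all() {
    failed=0
    while read -r rg region cluster <&3; do
        case "$rg" in ''|'#'*) continue ;; esac
        reset_pair "$rg" "$region" "$cluster" || failed=$((failed + 1))
    done 3<"$1"
    return "$failed"
}
```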

Removing user credentials and permissions

In certain scenarios, such as staffing changes, your organization might need to remove user credentials and permissions from your account. To ensure that processes requiring certain user credentials are not disrupted when a user is removed from the account, you must reset the API key with another user's infrastructure credentials. For more information, see Removing users.