Using a trusted profile to call IAM-enabled services
You can create a trusted profile for compute resource identities in IBM Cloud® Identity and Access Management, and then assign access rights for IAM-enabled services to a virtual server instance. These services can be called from an instance without having to manage and distribute IAM secrets to the instance. Use this option when you want to call IAM-enabled services as part of instance initialization.
For more information about creating a trusted profile, see Establishing trust with compute resources in the console, Establishing trust with compute resources by using the CLI, or Establishing trust with compute resources with the API.
About trusted profiles for compute resource identities
Trusted profiles for compute resource identities allow for fine-grained authorization for all applications that run in a virtual server instance. They eliminate the need for creating service IDs or managing API key lifecycles for applications. Instead, compute resources become identities as part of a trusted profile, and trust is established through conditions based on resource attributes.
You can assign an IAM identity directly to the instance so that the applications that are running on the virtual server instance can securely access other IBM Cloud services without storing API keys.
You can assign access rights to the trusted profile to enable the instance to call IAM-enabled services, such as IBM Cloud Object Storage and IBM® Key Protect.
You can link a trusted profile when you provision an instance. You can also link and unlink trusted profiles to and from the instance after it is provisioned by using IAM interfaces. Trusted profiles define authorization for all applications that are running on the instance.
The trusted profile that you specify when you provision the instance becomes the default trusted profile. Trusted profiles that are linked after the instance is provisioned might define more authorizations, but they cannot replace or become the default trusted profile for the instance.
The trusted profile can be linked to a compute instance either explicitly when the instance is created or implicitly through trusted profile dynamic rules.
IBM Cloud® Identity and Access Management is the source of truth for trusted profile linkage. The trusted profile information that is stored with the instance cannot be changed after the instance is created, so it might become stale: trusted profile changes that are made later in IAM are not reflected in it.
The instance inherits the access rights that are defined in all the trusted profiles that are linked to the instance. For any instance identity request that doesn't specify a trusted profile, VPC generates an IAM token from an instance identity access token that uses the default trusted profile.
If you don't want to use the instance's default trusted profile for these requests, you must specify the trusted profile that you want to be used in the request.
Before you begin
IAM authorizations for linking trusted profiles
To link a trusted profile to an instance, you must have sufficient authorization. With the correct IAM permissions, you can see all trusted profiles that are linked to an instance in the console.
To manage trusted profiles, you must be assigned the Administrator or Editor role within the account or on the IAM Identity Service.
Verify that your access permissions are assigned as Administrator or Editor in the console:
- Go to Manage > Access (IAM) > Users.
- Find your name in the list, and click it to display your user details.
- Click Access and scroll to Access policies.
Gather the required information
Create or retrieve a trusted profile. You need either its ID or CRN.
- In the console, go to Manage > Access (IAM), and select Trusted profiles. For more information about creating a trusted profile and linking it to an existing VPC virtual server instance, see Establishing trust with compute resources in the console.
- From the CLI, run the `ibmcloud iam trusted-profile-create` command to create a trusted profile, or run the `ibmcloud iam trusted-profiles` command to list existing trusted profiles. For more information, see Establishing trust with compute resources by using the CLI.
- With the API, make a `GET /v1/profiles` or `POST /v1/profiles` request to the IAM Identity Services API. For more information, see Establishing trust with compute resources with the API.
End-to-end procedure for using a trusted profile to call IAM-enabled services
- Create an instance with a linked trusted profile, and enable the metadata service in the console, from the CLI, or with the API.
  - In the console, you find the Metadata service in the Advanced options. Click the toggle to enable it. Next, click Select a trusted profile. In the side panel, select a trusted profile from the list, and click Select trusted profile. Auto-link is enabled; if you want to manage linking the trusted profile through the IAM interface instead, click the toggle to disable it. For more information, see Creating virtual server instances.
  - From the CLI, use the `ibmcloud is instance-create` command and specify the `--default-trusted-profile YOUR_DEFAULT_TRUSTED_PROFILE`, `--default-trusted-profile-auto-link true`, and `--metadata-service true` options. For more information, see Creating virtual server instances.
  - With the VPC API, specify the default trusted profile and set the `auto_link` property to `true` to automatically link the trusted profile to the instance. You can specify the ID or the CRN of the trusted profile. For more information, see the VPC API reference: Create an instance. See the following example.

```sh
curl -X POST "$vpc_api_endpoint/v1/instances?version=2022-03-01&generation=2" \
  -H "Authorization: Bearer $iam_token" \
  -d '{
    "default_trusted_profile": {
      "auto_link": true,
      "target": {
        "crn": "crn:v1:bluemix:public:iam-identity::a/123456::profile:Profile-9fd84264-7de4-4627-94c4-8ecde51d5ac5"
      }
    },
    . . .
  }'
```
- If the instance already has a floating IP address, use that address to establish a secure connection to the server. If it does not have a floating IP address, assign one to it. For more information, see the Next steps in the Creating virtual server instances topic.
- From the virtual server instance, make an API request to the metadata token service to retrieve an instance identity access token. In this example, the command output is piped through the `jq` parser to format the JSON response. You can choose another parser if you prefer.

```sh
curl -X PUT "$vpc_metadata_api_endpoint/instance_identity/v1/token?version=2022-03-01" \
  -H "Metadata-Flavor: ibm" \
  -d '{"expires_in": 3600}' | jq -r '(.instance_identity_token)'
```

  The response is the access token payload. For more information, see the Metadata API reference: Create an instance identity access token.
- Use the instance identity token to generate an IAM token.

```sh
curl -X POST "$vpc_metadata_api_endpoint/instance_identity/v1/iam_token?version=2025-06-10" \
  -H "Authorization: Bearer $instance_identity_token" \
  -d '{"trusted_profile": {"id": "Profile-8dd84246-7df4-4667-94e4-8cede51d5ac5"}}'
```

  During the exchange, the trusted profile against which the token is requested is passed to the IAM service. If the request does not specify a trusted profile, the API uses the default trusted profile, which was linked during instance provisioning. If multiple trusted profiles are linked to an instance, you can choose not to use the default trusted profile and instead specify a different trusted profile by ID or CRN.
- Use the IAM token to make calls to IAM-enabled services.
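The procedure above, carried through as an added example that is not IBM's own code: it builds the `default_trusted_profile` fragment for instance creation, requests the instance identity token from the metadata service, exchanges it for an IAM token against either the default profile or one named by ID or CRN, and uses the result as a bearer token. The URLs, headers, version parameters, and request bodies follow the curl commands on this page. Assumptions are the link-local metadata address (the page's `$vpc_metadata_api_endpoint`), the `access_token` field name in the exchange response, and the injectable `http` transport, which lets the flow run against constructed responses when no instance is available.

```python
"""Added example (not IBM's code): trusted-profile token exchange from a VPC instance."""
import json
import urllib.request

# Assumption: the metadata service is reached at this link-local address from
# inside the instance; the page refers to it as $vpc_metadata_api_endpoint.
METADATA_ENDPOINT = "http://169.254.169.254"
# API version parameters as used by the commands on this page.
TOKEN_VERSION = "2022-03-01"
IAM_TOKEN_VERSION = "2025-06-10"


def urllib_transport(method, url, headers, body):
    """Real transport: send the request and return (status, raw response bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def profile_target(profile):
    """Build the trusted_profile selector. The API accepts the profile ID or its
    CRN; None means "use the instance's default trusted profile"."""
    if profile is None:
        return None
    if profile.startswith("crn:"):
        return {"crn": profile}
    return {"id": profile}


def default_trusted_profile_spec(profile, auto_link=True):
    """The default_trusted_profile fragment of a VPC create-instance body
    (step 1): target by ID or CRN, with auto_link set."""
    return {"auto_link": auto_link, "target": profile_target(profile)}


def _json_response(status, payload, what):
    """Fail loudly on anything but HTTP 200, otherwise parse the JSON body."""
    if status != 200:
        raise RuntimeError(f"{what} failed with HTTP {status}: {payload[:200]!r}")
    return json.loads(payload)


def get_instance_identity_token(http=urllib_transport, expires_in=3600):
    """Step 3: PUT to the metadata token service with the Metadata-Flavor header."""
    url = f"{METADATA_ENDPOINT}/instance_identity/v1/token?version={TOKEN_VERSION}"
    headers = {"Metadata-Flavor": "ibm", "Content-Type": "application/json"}
    body = json.dumps({"expires_in": expires_in}).encode()
    data = _json_response(*http("PUT", url, headers, body), "instance identity token request")
    return data["instance_identity_token"]


def exchange_for_iam_token(identity_token, profile=None, http=urllib_transport):
    """Step 4: exchange the instance identity token for an IAM token. Omitting
    trusted_profile selects the default profile linked at provisioning."""
    url = f"{METADATA_ENDPOINT}/instance_identity/v1/iam_token?version={IAM_TOKEN_VERSION}"
    headers = {"Authorization": f"Bearer {identity_token}", "Content-Type": "application/json"}
    request = {}
    target = profile_target(profile)
    if target is not None:
        request["trusted_profile"] = target
    body = json.dumps(request).encode()
    data = _json_response(*http("POST", url, headers, body), "IAM token exchange")
    # Assumption: the IAM token is returned in an "access_token" field.
    return data["access_token"]


def get_iam_token(profile=None, http=urllib_transport):
    """Steps 3 and 4 chained: identity token first, then the IAM token."""
    return exchange_for_iam_token(get_instance_identity_token(http), profile, http)


def call_iam_enabled_service(iam_token, url, http=urllib_transport, method="GET", body=None):
    """Step 5: call an IAM-enabled service, presenting the IAM token as a bearer token."""
    headers = {"Authorization": f"Bearer {iam_token}"}
    if body is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(body).encode()
    return _json_response(*http(method, url, headers, body), f"{method} {url}")


if __name__ == "__main__":
    # Runs only on a VPC instance whose metadata service is enabled.
    token = get_iam_token()  # default trusted profile
    print(f"IAM token obtained ({len(token)} characters)")
```

No IAM secret is ever written to the instance: the only long-lived material is the trusted profile linkage, and the identity token is bound to the instance by the metadata service. Passing `profile=None` reproduces the page's default-profile behaviour; passing an ID or CRN reproduces the explicit `trusted_profile` request shown in step 4.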
Next steps
Make calls to the metadata service for instances, SSH keys, and placement group data. See Retrieving metadata from an instance.