openapi: 3.1.0
info:
  title: IBM Cloud IAM API
  description: >-
    The IBM Cloud Identity and Access Management (IAM) API enables you to
    manage IAM access tokens, API keys, service IDs, trusted profiles, and
    access policies. Use this API to authenticate identities, authorize
    access to IBM Cloud resources, and manage the full lifecycle of identity
    and policy objects within your IBM Cloud account.
  version: 1.0.0
  contact:
    name: IBM Cloud
    url: https://cloud.ibm.com
    email: cloud@ibm.com
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
  x-ibm-api-source: https://cloud.ibm.com/apidocs/iam-identity-token-api
servers:
  - url: https://iam.cloud.ibm.com
    description: IBM Cloud IAM production endpoint
security:
  - bearerAuth: []
tags:
  - name: Tokens
    description: Create and manage IAM access tokens
  - name: API Keys
    description: Create and manage API keys for users and service IDs
  - name: Service IDs
    description: Create and manage service IDs for applications and services
  - name: Trusted Profiles
    description: Create and manage trusted profiles for federated identities
  - name: Claim Rules
    description: Manage claim rules for trusted profiles
  - name: Policies
    description: Create and manage IAM access policies
  - name: Roles
    description: List and manage IAM roles
  - name: Account Settings
    description: Manage IAM account settings
paths:
  /identity/token:
    post:
      operationId: createAccessToken
      summary: Create an IAM access token
      description: >-
        Create an IAM access token for a user or service ID using an API key,
        refresh token, or delegated refresh token. Tokens are valid for one
        hour and can be refreshed before expiration.
      tags:
        - Tokens
      security: []
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - grant_type
              properties:
                grant_type:
                  type: string
                  description: The grant type for token creation.
                  enum:
                    - urn:ibm:params:oauth:grant-type:apikey
                    - urn:ibm:params:oauth:grant-type:delegated-refresh-token
                    - refresh_token
                apikey:
                  type: string
                  description: The API key to use for authentication.
                refresh_token:
                  type: string
                  description: The refresh token to use for token renewal.
                response_type:
                  type: string
                  description: >-
                    Response type for delegated refresh token. Must be
                    cloud_iam when grant_type is
                    urn:ibm:params:oauth:grant-type:delegated-refresh-token.
                  enum:
                    - cloud_iam
      responses:
        '200':
          description: Token created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          description: Invalid request parameters.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '401':
          description: Invalid or expired credentials.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
  /v1/apikeys:
    get:
      operationId: listApiKeys
      summary: List API keys
      description: >-
        List API keys associated with an IAM ID, account, or service ID.
        Results can be filtered, sorted, and paginated.
      tags:
        - API Keys
      parameters:
        - name: account_id
          in: query
          description: The account ID of the API keys to query.
          schema:
            type: string
        - name: iam_id
          in: query
          description: The IAM ID associated with the API keys.
          schema:
            type: string
        - name: pagesize
          in: query
          description: Number of results per page.
          schema:
            type: integer
            minimum: 1
            maximum: 100
        - name: pagetoken
          in: query
          description: Page token from a previous request for pagination.
          schema:
            type: string
        - name: scope
          in: query
          description: Scope of the query, either account or iam_id.
          schema:
            type: string
            enum:
              - account
              - iam_id
        - name: type
          in: query
          description: Filter by API key type.
          schema:
            type: string
            enum:
              - user
              - serviceid
        - name: sort
          in: query
          description: Field to sort by.
          schema:
            type: string
        - name: order
          in: query
          description: Sort order.
          schema:
            type: string
            enum:
              - asc
              - desc
      responses:
        '200':
          description: List of API keys returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiKeyList'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createApiKey
      summary: Create an API key
      description: >-
        Create a new API key for a user or service ID. The API key value is
        returned only at creation time.
      tags:
        - API Keys
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateApiKeyRequest'
      responses:
        '201':
          description: API key created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiKey'
          headers:
            Entity-Tag:
              description: The version identifier for the created API key.
              schema:
                type: string
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v1/apikeys/details:
    get:
      operationId: getApiKeysDetails
      summary: Get API key details by value
      description: >-
        Retrieve details of an API key by providing the key value in the
        IAM-ApiKey header.
      tags:
        - API Keys
      parameters:
        - name: IAM-ApiKey
          in: header
          description: The API key value to look up.
          schema:
            type: string
        - name: include_history
          in: query
          description: Include activity history of the API key.
          schema:
            type: boolean
            default: false
      responses:
        '200':
          description: API key details returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiKey'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /v1/apikeys/{id}:
    get:
      operationId: getApiKey
      summary: Get an API key
      description: Retrieve details for a specific API key by its unique identifier.
      tags:
        - API Keys
      parameters:
        - $ref: '#/components/parameters/ApiKeyId'
        - name: include_history
          in: query
          description: Include the history of the API key.
          schema:
            type: boolean
            default: false
        - name: include_activity
          in: query
          description: Include the activity of the API key.
          schema:
            type: boolean
            default: false
      responses:
        '200':
          description: API key details returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiKey'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: updateApiKey
      summary: Update an API key
      description: Update properties of an existing API key such as name and description.
      tags:
        - API Keys
      parameters:
        - $ref: '#/components/parameters/ApiKeyId'
        - $ref: '#/components/parameters/IfMatch'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateApiKeyRequest'
      responses:
        '200':
          description: API key updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiKey'
        '400':
          $ref: '#/components/responses/BadRequest'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
    delete:
      operationId: deleteApiKey
      summary: Delete an API key
      description: Remove an API key permanently. This action cannot be undone.
      tags:
        - API Keys
      parameters:
        - $ref: '#/components/parameters/ApiKeyId'
      responses:
        '204':
          description: API key deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /v1/apikeys/{id}/lock:
    post:
      operationId: lockApiKey
      summary: Lock an API key
      description: >-
        Lock an API key to prevent it from being deleted or modified. Locked
        keys remain active and can still be used for authentication.
      tags:
        - API Keys
      parameters:
        - $ref: '#/components/parameters/ApiKeyId'
      responses:
        '200':
          description: API key locked successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: unlockApiKey
      summary: Unlock an API key
      description: Unlock a previously locked API key to allow modifications and deletion.
      tags:
        - API Keys
      parameters:
        - $ref: '#/components/parameters/ApiKeyId'
      responses:
        '200':
          description: API key unlocked successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /v1/apikeys/{id}/disable:
    post:
      operationId: disableApiKey
      summary: Disable an API key
      description: >-
        Disable an API key to prevent it from being used for authentication.
        The key can be re-enabled later.
      tags:
        - API Keys
      parameters:
        - $ref: '#/components/parameters/ApiKeyId'
      responses:
        '200':
          description: API key disabled successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: enableApiKey
      summary: Enable an API key
      description: Re-enable a previously disabled API key for authentication.
      tags:
        - API Keys
      parameters:
        - $ref: '#/components/parameters/ApiKeyId'
      responses:
        '200':
          description: API key enabled successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /v1/serviceids/:
    get:
      operationId: listServiceIds
      summary: List service IDs
      description: >-
        List service IDs in an account. Results can be filtered by name,
        sorted, and paginated.
      tags:
        - Service IDs
      parameters:
        - name: account_id
          in: query
          description: The account ID of the service IDs to query.
          schema:
            type: string
        - name: name
          in: query
          description: Filter service IDs by name.
          schema:
            type: string
        - name: pagesize
          in: query
          description: Number of results per page.
          schema:
            type: integer
            minimum: 1
            maximum: 100
        - name: pagetoken
          in: query
          description: Page token from a previous request for pagination.
          schema:
            type: string
        - name: sort
          in: query
          description: Field to sort results by.
          schema:
            type: string
        - name: order
          in: query
          description: Sort order.
          schema:
            type: string
            enum:
              - asc
              - desc
      responses:
        '200':
          description: List of service IDs returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceIdList'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createServiceId
      summary: Create a service ID
      description: >-
        Create a new service ID for an IBM Cloud account. Service IDs are used
        by applications and services to authenticate with IBM Cloud.
      tags:
        - Service IDs
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateServiceIdRequest'
      responses:
        '201':
          description: Service ID created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceId'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v1/serviceids/{id}:
    get:
      operationId: getServiceId
      summary: Get a service ID
      description: Retrieve details of a service ID by its unique identifier.
      tags:
        - Service IDs
      parameters:
        - $ref: '#/components/parameters/ServiceIdParam'
        - name: include_history
          in: query
          description: Include the history of the service ID.
          schema:
            type: boolean
            default: false
        - name: include_activity
          in: query
          description: Include the activity of the service ID.
          schema:
            type: boolean
            default: false
      responses:
        '200':
          description: Service ID details returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceId'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: updateServiceId
      summary: Update a service ID
      description: >-
        Update properties of an existing service ID such as name and
        description.
      tags:
        - Service IDs
      parameters:
        - $ref: '#/components/parameters/ServiceIdParam'
        - $ref: '#/components/parameters/IfMatch'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateServiceIdRequest'
      responses:
        '200':
          description: Service ID updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceId'
        '400':
          $ref: '#/components/responses/BadRequest'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
    delete:
      operationId: deleteServiceId
      summary: Delete a service ID
      description: >-
        Delete a service ID and all associated API keys. This action cannot
        be undone.
      tags:
        - Service IDs
      parameters:
        - $ref: '#/components/parameters/ServiceIdParam'
      responses:
        '204':
          description: Service ID deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /v1/serviceids/{id}/lock:
    post:
      operationId: lockServiceId
      summary: Lock a service ID
      description: >-
        Lock a service ID to prevent modification or deletion. Locked service
        IDs remain active.
      tags:
        - Service IDs
      parameters:
        - $ref: '#/components/parameters/ServiceIdParam'
      responses:
        '200':
          description: Service ID locked successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: unlockServiceId
      summary: Unlock a service ID
      description: Unlock a previously locked service ID.
      tags:
        - Service IDs
      parameters:
        - $ref: '#/components/parameters/ServiceIdParam'
      responses:
        '200':
          description: Service ID unlocked successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /v1/profiles:
    get:
      operationId: listProfiles
      summary: List trusted profiles
      description: >-
        List trusted profiles in an account. Trusted profiles allow federated
        users to establish trust with IBM Cloud.
      tags:
        - Trusted Profiles
      parameters:
        - name: account_id
          in: query
          required: true
          description: The account ID to list trusted profiles for.
          schema:
            type: string
        - name: name
          in: query
          description: Filter profiles by name.
          schema:
            type: string
        - name: pagesize
          in: query
          description: Number of results per page.
          schema:
            type: integer
            minimum: 1
            maximum: 100
        - name: pagetoken
          in: query
          description: Page token from a previous request.
          schema:
            type: string
        - name: sort
          in: query
          description: Field to sort by.
          schema:
            type: string
        - name: order
          in: query
          description: Sort order.
          schema:
            type: string
            enum:
              - asc
              - desc
        - name: include_history
          in: query
          description: Include the history of the profiles.
          schema:
            type: boolean
            default: false
      responses:
        '200':
          description: List of trusted profiles returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TrustedProfileList'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createProfile
      summary: Create a trusted profile
      description: >-
        Create a new trusted profile for federated users to establish trust
        with IBM Cloud resources.
      tags:
        - Trusted Profiles
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateProfileRequest'
      responses:
        '201':
          description: Trusted profile created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TrustedProfile'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v1/profiles/{profile-id}:
    get:
      operationId: getProfile
      summary: Get a trusted profile
      description: Retrieve details of a specific trusted profile.
      tags:
        - Trusted Profiles
      parameters:
        - $ref: '#/components/parameters/ProfileId'
        - name: include_activity
          in: query
          description: Include the activity of the profile.
          schema:
            type: boolean
            default: false
      responses:
        '200':
          description: Trusted profile details returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TrustedProfile'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: updateProfile
      summary: Update a trusted profile
      description: Update properties of an existing trusted profile.
      tags:
        - Trusted Profiles
      parameters:
        - $ref: '#/components/parameters/ProfileId'
        - $ref: '#/components/parameters/IfMatch'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateProfileRequest'
      responses:
        '200':
          description: Trusted profile updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TrustedProfile'
        '400':
          $ref: '#/components/responses/BadRequest'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
    delete:
      operationId: deleteProfile
      summary: Delete a trusted profile
      description: >-
        Delete a trusted profile and its associated claim rules and links.
        This action cannot be undone.
      tags:
        - Trusted Profiles
      parameters:
        - $ref: '#/components/parameters/ProfileId'
      responses:
        '204':
          description: Trusted profile deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /v1/profiles/{profile-id}/rules:
    get:
      operationId: listClaimRules
      summary: List claim rules for a trusted profile
      description: Retrieve all claim rules defined for a specific trusted profile.
      tags:
        - Claim Rules
      parameters:
        - $ref: '#/components/parameters/ProfileId'
      responses:
        '200':
          description: List of claim rules returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClaimRuleList'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    post:
      operationId: createClaimRule
      summary: Create a claim rule
      description: >-
        Create a claim rule for a trusted profile. Claim rules define
        conditions that federated users must meet to apply the profile.
      tags:
        - Claim Rules
      parameters:
        - $ref: '#/components/parameters/ProfileId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateClaimRuleRequest'
      responses:
        '201':
          description: Claim rule created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClaimRule'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v1/profiles/{profile-id}/rules/{rule-id}:
    get:
      operationId: getClaimRule
      summary: Get a claim rule
      description: Retrieve details of a specific claim rule in a trusted profile.
      tags:
        - Claim Rules
      parameters:
        - $ref: '#/components/parameters/ProfileId'
        - $ref: '#/components/parameters/RuleId'
      responses:
        '200':
          description: Claim rule details returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClaimRule'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: updateClaimRule
      summary: Update a claim rule
      description: Update an existing claim rule for a trusted profile.
      tags:
        - Claim Rules
      parameters:
        - $ref: '#/components/parameters/ProfileId'
        - $ref: '#/components/parameters/RuleId'
        - $ref: '#/components/parameters/IfMatch'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateClaimRuleRequest'
      responses:
        '200':
          description: Claim rule updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClaimRule'
        '400':
          $ref: '#/components/responses/BadRequest'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
    delete:
      operationId: deleteClaimRule
      summary: Delete a claim rule
      description: Remove a claim rule from a trusted profile.
      tags:
        - Claim Rules
      parameters:
        - $ref: '#/components/parameters/ProfileId'
        - $ref: '#/components/parameters/RuleId'
      responses:
        '204':
          description: Claim rule deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /v1/policies:
    get:
      operationId: listPolicies
      summary: List access policies
      description: >-
        List access policies in an account. Results can be filtered by IAM ID,
        access group, service type, and state.
      tags:
        - Policies
      parameters:
        - name: account_id
          in: query
          required: true
          description: The account ID to list policies for.
          schema:
            type: string
        - name: iam_id
          in: query
          description: Filter by the IAM ID of the subject.
          schema:
            type: string
        - name: access_group_id
          in: query
          description: Filter by access group ID.
          schema:
            type: string
        - name: type
          in: query
          description: Filter by policy type.
          schema:
            type: string
            enum:
              - access
              - authorization
        - name: service_type
          in: query
          description: Filter by service type.
          schema:
            type: string
        - name: state
          in: query
          description: Filter by policy state.
          schema:
            type: string
            enum:
              - active
              - deleted
        - name: limit
          in: query
          description: Maximum number of policies to return.
          schema:
            type: integer
            minimum: 1
            maximum: 1000
        - name: start
          in: query
          description: Pagination start token.
          schema:
            type: string
      responses:
        '200':
          description: List of access policies returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyList'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createPolicy
      summary: Create an access policy
      description: >-
        Create a new access policy to grant a subject access to a resource. A
        policy defines a subject, roles, and resources.
      tags:
        - Policies
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreatePolicyRequest'
      responses:
        '201':
          description: Access policy created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Policy'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '409':
          $ref: '#/components/responses/Conflict'
  /v1/policies/{policy_id}:
    get:
      operationId: getPolicy
      summary: Get an access policy
      description: Retrieve details of a specific access policy.
      tags:
        - Policies
      parameters:
        - $ref: '#/components/parameters/PolicyId'
      responses:
        '200':
          description: Access policy details returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Policy'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: replacePolicy
      summary: Replace an access policy
      description: >-
        Replace an existing access policy with an updated definition. The
        entire policy is replaced.
      tags:
        - Policies
      parameters:
        - $ref: '#/components/parameters/PolicyId'
        - $ref: '#/components/parameters/IfMatch'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreatePolicyRequest'
      responses:
        '200':
          description: Access policy replaced successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Policy'
        '400':
          $ref: '#/components/responses/BadRequest'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
    delete:
      operationId: deletePolicy
      summary: Delete an access policy
      description: Remove an access policy. This action cannot be undone.
      tags:
        - Policies
      parameters:
        - $ref: '#/components/parameters/PolicyId'
      responses:
        '204':
          description: Access policy deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    patch:
      operationId: updatePolicyState
      summary: Update policy state
      description: Activate or deactivate an existing access policy.
      tags:
        - Policies
      parameters:
        - $ref: '#/components/parameters/PolicyId'
        - $ref: '#/components/parameters/IfMatch'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - state
              properties:
                state:
                  type: string
                  description: The desired state for the policy.
                  enum:
                    - active
                    - deleted
      responses:
        '200':
          description: Policy state updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Policy'
        '400':
          $ref: '#/components/responses/BadRequest'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
  /v2/roles:
    get:
      operationId: listRoles
      summary: List IAM roles
      description: >-
        List system-defined and custom roles available in the account.
        Results can be filtered by service name.
      tags:
        - Roles
      parameters:
        - name: account_id
          in: query
          description: The account ID to list custom roles for.
          schema:
            type: string
        - name: service_name
          in: query
          description: Filter roles by the service they apply to.
          schema:
            type: string
        - name: source_service_name
          in: query
          description: Filter by the source service name for authorization policies.
          schema:
            type: string
        - name: policy_type
          in: query
          description: Filter by policy type.
          schema:
            type: string
        - name: service_group_id
          in: query
          description: Filter by the service group ID.
          schema:
            type: string
      responses:
        '200':
          description: List of roles returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RoleList'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createRole
      summary: Create a custom role
      description: >-
        Create a custom role with a set of actions for a specific service.
        Custom roles extend the built-in platform and service roles.
      tags:
        - Roles
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateRoleRequest'
      responses:
        '201':
          description: Custom role created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '409':
          $ref: '#/components/responses/Conflict'
  /v2/roles/{role_id}:
    get:
      operationId: getRole
      summary: Get a role
      description: Retrieve details of a specific role.
      tags:
        - Roles
      parameters:
        - $ref: '#/components/parameters/RoleIdParam'
      responses:
        '200':
          description: Role details returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: replaceRole
      summary: Replace a custom role
      description: >-
        Replace the definition of an existing custom role with an updated set
        of actions.
      tags:
        - Roles
      parameters:
        - $ref: '#/components/parameters/RoleIdParam'
        - $ref: '#/components/parameters/IfMatch'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateRoleRequest'
      responses:
        '200':
          description: Role replaced successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '400':
          $ref: '#/components/responses/BadRequest'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
    delete:
      operationId: deleteRole
      summary: Delete a custom role
      description: Remove a custom role. System-defined roles cannot be deleted.
      tags:
        - Roles
      parameters:
        - $ref: '#/components/parameters/RoleIdParam'
      responses:
        '204':
          description: Role deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        IAM access token obtained from the /identity/token endpoint. Pass it
        in the Authorization header as a Bearer token.
  parameters:
    ApiKeyId:
      name: id
      in: path
      required: true
      description: The unique identifier of the API key.
      schema:
        type: string
    ServiceIdParam:
      name: id
      in: path
      required: true
      description: The unique identifier of the service ID.
      schema:
        type: string
    ProfileId:
      name: profile-id
      in: path
      required: true
      description: The unique identifier of the trusted profile.
      schema:
        type: string
    RuleId:
      name: rule-id
      in: path
      required: true
      description: The unique identifier of the claim rule.
      schema:
        type: string
    PolicyId:
      name: policy_id
      in: path
      required: true
      description: The unique identifier of the access policy.
      schema:
        type: string
    RoleIdParam:
      name: role_id
      in: path
      required: true
      description: The unique identifier of the role.
      schema:
        type: string
    IfMatch:
      name: If-Match
      in: header
      required: true
      description: >-
        The entity tag value from a previous GET request used for optimistic
        concurrency control.
      schema:
        type: string
  schemas:
    TokenResponse:
      type: object
      description: An IAM access token response.
      properties:
        access_token:
          type: string
          description: The IAM access token.
        refresh_token:
          type: string
          description: The refresh token that can be used to obtain a new access token.
        token_type:
          type: string
          description: The token type, always Bearer.
          enum:
            - Bearer
        expires_in:
          type: integer
          description: Token lifetime in seconds.
        expiration:
          type: integer
          description: Token expiration time as a Unix timestamp.
        scope:
          type: string
          description: The scope of the token.
    ApiKey:
      type: object
      description: An IAM API key used for authentication.
      properties:
        id:
          type: string
          description: The unique identifier of the API key.
        entity_tag:
          type: string
          description: The version identifier for optimistic concurrency control.
        crn:
          type: string
          description: The Cloud Resource Name for this API key.
        locked:
          type: boolean
          description: Whether the API key is locked against modification.
        disabled:
          type: boolean
          description: Whether the API key is disabled for authentication.
        created_at:
          type: string
          format: date-time
          description: Timestamp when the API key was created.
        created_by:
          type: string
          description: The IAM ID of the user who created the API key.
        modified_at:
          type: string
          format: date-time
          description: Timestamp when the API key was last modified.
        name:
          type: string
          description: The name of the API key.
        support_sessions:
          type: boolean
          description: Whether sessions are supported for this API key.
        action_when_leaked:
          type: string
          description: Action to perform when the API key is leaked.
        description:
          type: string
          description: A description of the API key.
        iam_id:
          type: string
          description: The IAM ID associated with this API key.
        account_id:
          type: string
          description: The account ID that this API key belongs to.
        apikey:
          type: string
          description: The API key value. Only included at creation time.
        history:
          type: array
          description: History of changes to the API key.
          items:
            $ref: '#/components/schemas/ActivityEntry'
        activity:
          $ref: '#/components/schemas/Activity'
    ApiKeyList:
      type: object
      description: A paginated list of API keys.
      properties:
        context:
          $ref: '#/components/schemas/ResponseContext'
        offset:
          type: integer
          description: The offset of the current page.
        limit:
          type: integer
          description: The number of results per page.
        first:
          type: string
          description: URL to the first page of results.
        previous:
          type: string
          description: URL to the previous page of results.
        next:
          type: string
          description: URL to the next page of results.
        apikeys:
          type: array
          description: The list of API keys.
          items:
            $ref: '#/components/schemas/ApiKey'
    CreateApiKeyRequest:
      type: object
      description: Request body for creating an API key.
      required:
        - name
        - iam_id
      properties:
        name:
          type: string
          description: The name of the API key.
        iam_id:
          type: string
          description: The IAM ID that the API key authenticates.
        description:
          type: string
          description: A description of the API key.
        account_id:
          type: string
          description: The account ID for the API key.
        apikey:
          type: string
          description: >-
            Specify the API key value. If omitted, the system generates one
            automatically.
        store_value:
          type: boolean
          description: Whether to store the API key value in the system.
        support_sessions:
          type: boolean
          description: Whether sessions are supported for this API key.
        action_when_leaked:
          type: string
          description: Action to perform when the API key is leaked.
        expires_at:
          type: string
          format: date-time
          description: Expiration date and time for the API key.
    UpdateApiKeyRequest:
      type: object
      description: Request body for updating an API key.
      properties:
        name:
          type: string
          description: The updated name of the API key.
        description:
          type: string
          description: The updated description of the API key.
        support_sessions:
          type: boolean
          description: Whether sessions are supported for this API key.
        action_when_leaked:
          type: string
          description: Action to perform when the API key is leaked.
        expires_at:
          type: string
          format: date-time
          description: Expiration date and time for the API key.
    ServiceId:
      type: object
      description: >-
        A service ID is an identity for an application or service that can be
        used to authenticate with IBM Cloud.
      properties:
        id:
          type: string
          description: The unique identifier of the service ID.
        entity_tag:
          type: string
          description: The version identifier for optimistic concurrency control.
        crn:
          type: string
          description: The Cloud Resource Name for this service ID.
        locked:
          type: boolean
          description: Whether the service ID is locked against modification.
        created_at:
          type: string
          format: date-time
          description: Timestamp when the service ID was created.
        modified_at:
          type: string
          format: date-time
          description: Timestamp when the service ID was last modified.
        account_id:
          type: string
          description: The account ID that this service ID belongs to.
        name:
          type: string
          description: The name of the service ID.
        description:
          type: string
          description: A description of the service ID.
        unique_instance_crns:
          type: array
          description: >-
            List of CRNs that restrict the scope of the service ID to specific
            resource instances.
          items:
            type: string
        history:
          type: array
          description: History of changes to the service ID.
          items:
            $ref: '#/components/schemas/ActivityEntry'
        activity:
          $ref: '#/components/schemas/Activity'
        apikey:
          $ref: '#/components/schemas/ApiKey'
    ServiceIdList:
      type: object
      description: A paginated list of service IDs.
      properties:
        context:
          $ref: '#/components/schemas/ResponseContext'
        offset:
          type: integer
          description: The offset of the current page.
        limit:
          type: integer
          description: The number of results per page.
        first:
          type: string
          description: URL to the first page of results.
        previous:
          type: string
          description: URL to the previous page of results.
        next:
          type: string
          description: URL to the next page of results.
        serviceids:
          type: array
          description: The list of service IDs.
          items:
            $ref: '#/components/schemas/ServiceId'
    CreateServiceIdRequest:
      type: object
      description: Request body for creating a service ID.
      required:
        - account_id
        - name
      properties:
        account_id:
          type: string
          description: The account ID for the service ID.
        name:
          type: string
          description: The name of the service ID.
        description:
          type: string
          description: A description of the service ID.
        unique_instance_crns:
          type: array
          description: >-
            List of CRNs that restrict the scope of the service ID to specific
            resource instances.
          items:
            type: string
        apikey:
          $ref: '#/components/schemas/CreateApiKeyRequest'
    UpdateServiceIdRequest:
      type: object
      description: Request body for updating a service ID.
      properties:
        name:
          type: string
          description: The updated name of the service ID.
        description:
          type: string
          description: The updated description of the service ID.
        unique_instance_crns:
          type: array
          description: >-
            Updated list of CRNs that restrict the scope of the service ID.
          items:
            type: string
    TrustedProfile:
      type: object
      description: >-
        A trusted profile defines a set of conditions under which federated
        users or compute resources can assume an identity with specific access
        rights.
      properties:
        id:
          type: string
          description: The unique identifier of the trusted profile.
        entity_tag:
          type: string
          description: The version identifier for optimistic concurrency control.
        crn:
          type: string
          description: The Cloud Resource Name for this trusted profile.
        name:
          type: string
          description: The name of the trusted profile.
        description:
          type: string
          description: A description of the trusted profile.
        created_at:
          type: string
          format: date-time
          description: Timestamp when the profile was created.
        modified_at:
          type: string
          format: date-time
          description: Timestamp when the profile was last modified.
        iam_id:
          type: string
          description: The IAM ID of the trusted profile.
        account_id:
          type: string
          description: The account ID that this profile belongs to.
        template_id:
          type: string
          description: >-
            The ID of the template that this profile was created from, if
            applicable.
        ims_account_id:
          type: integer
          description: The IMS account ID if applicable.
        ims_user_id:
          type: integer
          description: The IMS user ID if applicable.
        history:
          type: array
          description: History of changes to the profile.
          items:
            $ref: '#/components/schemas/ActivityEntry'
        activity:
          $ref: '#/components/schemas/Activity'
    TrustedProfileList:
      type: object
      description: A paginated list of trusted profiles.
      properties:
        context:
          $ref: '#/components/schemas/ResponseContext'
        offset:
          type: integer
          description: The offset of the current page.
        limit:
          type: integer
          description: The number of results per page.
        first:
          type: string
          description: URL to the first page of results.
        previous:
          type: string
          description: URL to the previous page of results.
        next:
          type: string
          description: URL to the next page of results.
        profiles:
          type: array
          description: The list of trusted profiles.
          items:
            $ref: '#/components/schemas/TrustedProfile'
    CreateProfileRequest:
      type: object
      description: Request body for creating a trusted profile.
      required:
        - name
        - account_id
      properties:
        name:
          type: string
          description: The name of the trusted profile.
        account_id:
          type: string
          description: The account ID for the trusted profile.
description: type: string description: A description of the trusted profile. UpdateProfileRequest: type: object description: Request body for updating a trusted profile. properties: name: type: string description: The updated name of the trusted profile. description: type: string description: The updated description of the trusted profile. ClaimRule: type: object description: >- A claim rule defines conditions under which a federated user can apply a trusted profile. properties: id: type: string description: The unique identifier of the claim rule. entity_tag: type: string description: The version identifier for optimistic concurrency control. created_at: type: string format: date-time description: Timestamp when the rule was created. modified_at: type: string format: date-time description: Timestamp when the rule was last modified. name: type: string description: The name of the claim rule. type: type: string description: The type of the claim rule. enum: - Profile-SAML - Profile-CR conditions: type: array description: Conditions the incoming token must satisfy. items: $ref: '#/components/schemas/ClaimRuleCondition' realm_name: type: string description: The realm name of the identity provider. cr_type: type: string description: The compute resource type for Profile-CR rules. expiration: type: integer description: Token session expiration in seconds. ClaimRuleList: type: object description: A list of claim rules for a trusted profile. properties: context: $ref: '#/components/schemas/ResponseContext' rules: type: array description: The list of claim rules. items: $ref: '#/components/schemas/ClaimRule' ClaimRuleCondition: type: object description: A condition in a claim rule. required: - claim - operator - value properties: claim: type: string description: The claim name from the identity provider token. operator: type: string description: The operator for comparing the claim value. 
enum: - EQUALS - NOT_EQUALS - EQUALS_IGNORE_CASE - NOT_EQUALS_IGNORE_CASE - CONTAINS - IN value: type: string description: The value to compare against. CreateClaimRuleRequest: type: object description: Request body for creating a claim rule. required: - type - conditions properties: type: type: string description: The type of the claim rule. enum: - Profile-SAML - Profile-CR conditions: type: array description: Conditions the incoming token must satisfy. items: $ref: '#/components/schemas/ClaimRuleCondition' name: type: string description: The name of the claim rule. realm_name: type: string description: The realm name of the identity provider. cr_type: type: string description: The compute resource type for Profile-CR rules. expiration: type: integer description: Token session expiration in seconds. UpdateClaimRuleRequest: type: object description: Request body for updating a claim rule. required: - type - conditions properties: type: type: string description: The type of the claim rule. enum: - Profile-SAML - Profile-CR conditions: type: array description: Updated conditions the incoming token must satisfy. items: $ref: '#/components/schemas/ClaimRuleCondition' name: type: string description: The updated name of the claim rule. realm_name: type: string description: The updated realm name of the identity provider. cr_type: type: string description: The updated compute resource type. expiration: type: integer description: Updated token session expiration in seconds. Policy: type: object description: >- An IAM access policy that grants a subject a set of roles on a resource. properties: id: type: string description: The unique identifier of the policy. type: type: string description: The type of the policy. enum: - access - authorization description: type: string description: A description of the policy. subjects: type: array description: The subjects the policy applies to. 
items: $ref: '#/components/schemas/PolicySubject' roles: type: array description: The roles granted by the policy. items: $ref: '#/components/schemas/PolicyRole' resources: type: array description: The resources the policy applies to. items: $ref: '#/components/schemas/PolicyResource' href: type: string description: The URL of the policy. created_at: type: string format: date-time description: Timestamp when the policy was created. created_by_id: type: string description: The IAM ID of the user who created the policy. last_modified_at: type: string format: date-time description: Timestamp when the policy was last modified. last_modified_by_id: type: string description: The IAM ID of the user who last modified the policy. state: type: string description: The current state of the policy. enum: - active - deleted PolicyList: type: object description: A paginated list of access policies. properties: policies: type: array description: The list of policies. items: $ref: '#/components/schemas/Policy' PolicySubject: type: object description: A subject in a policy, defining who the policy applies to. properties: attributes: type: array description: The attributes that identify the subject. items: $ref: '#/components/schemas/PolicyAttribute' PolicyRole: type: object description: A role assigned in a policy. properties: role_id: type: string description: The CRN of the role. display_name: type: string description: The display name of the role. description: type: string description: A description of the role. PolicyResource: type: object description: A resource in a policy, defining what the policy applies to. properties: attributes: type: array description: The attributes that identify the resource. items: $ref: '#/components/schemas/PolicyAttribute' PolicyAttribute: type: object description: An attribute used to identify a subject or resource in a policy. required: - name - value properties: name: type: string description: The attribute name. 
value: type: string description: The attribute value. operator: type: string description: The operator for value comparison. enum: - stringEquals - stringMatch - stringExists CreatePolicyRequest: type: object description: Request body for creating an access policy. required: - type - subjects - roles - resources properties: type: type: string description: The type of the policy. enum: - access - authorization subjects: type: array description: The subjects the policy applies to. items: $ref: '#/components/schemas/PolicySubject' roles: type: array description: The roles granted by the policy. items: $ref: '#/components/schemas/PolicyRole' resources: type: array description: The resources the policy applies to. items: $ref: '#/components/schemas/PolicyResource' description: type: string description: A description of the policy. Role: type: object description: An IAM role that defines a set of actions. properties: id: type: string description: The unique identifier of the role. display_name: type: string description: The display name of the role. description: type: string description: A description of the role. actions: type: array description: The list of actions granted by this role. items: type: string crn: type: string description: The CRN of the role. name: type: string description: The name identifier of the role. account_id: type: string description: The account ID for custom roles. service_name: type: string description: The service this role applies to. created_at: type: string format: date-time description: Timestamp when the role was created. created_by_id: type: string description: The IAM ID of the user who created the role. last_modified_at: type: string format: date-time description: Timestamp when the role was last modified. last_modified_by_id: type: string description: The IAM ID of the user who last modified the role. RoleList: type: object description: A list of IAM roles. properties: custom_roles: type: array description: The list of custom roles. 
items: $ref: '#/components/schemas/Role' service_roles: type: array description: The list of service-defined roles. items: $ref: '#/components/schemas/Role' system_roles: type: array description: The list of system-defined platform roles. items: $ref: '#/components/schemas/Role' CreateRoleRequest: type: object description: Request body for creating a custom role. required: - display_name - actions - name - account_id - service_name properties: display_name: type: string description: The display name for the custom role. actions: type: array description: The actions granted by this role. items: type: string name: type: string description: The programmatic name identifier for the role. account_id: type: string description: The account ID for the custom role. service_name: type: string description: The service this role applies to. description: type: string description: A description of the custom role. Activity: type: object description: Activity information for an identity resource. properties: last_authn: type: string description: Timestamp of the last authentication using this identity. authn_count: type: integer description: The number of authentications using this identity. ActivityEntry: type: object description: A history entry for an identity resource. properties: timestamp: type: string description: Timestamp of the activity. iam_id: type: string description: The IAM ID that performed the action. iam_id_account: type: string description: The account ID of the actor. action: type: string description: The action that was performed. params: type: array description: Parameters associated with the action. items: type: string message: type: string description: A message describing the action. ResponseContext: type: object description: Context metadata for paginated API responses. properties: transaction_id: type: string description: The unique transaction ID for the request. operation: type: string description: The operation that was performed. 
user_agent: type: string description: The user agent string from the request. url: type: string description: The URL of the request. instance_id: type: string description: The instance ID of the service. thread_id: type: string description: The thread ID of the request. host: type: string description: The host that served the request. start_time: type: string description: Timestamp when the request started. end_time: type: string description: Timestamp when the request ended. elapsed_time: type: string description: The elapsed time of the request. cluster_name: type: string description: The cluster name of the service. ErrorResponse: type: object description: An error response from the IAM API. properties: context: $ref: '#/components/schemas/ResponseContext' status_code: type: integer description: The HTTP status code. errors: type: array description: The list of errors. items: type: object properties: code: type: string description: The error code. message: type: string description: A human-readable error message. details: type: string description: Additional error details. more_info: type: string description: A URL for more information about the error. trace: type: string description: A trace identifier for debugging. responses: BadRequest: description: The request was invalid or malformed. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' Unauthorized: description: Authentication failed or credentials are missing. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' NotFound: description: The requested resource was not found. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' Conflict: description: >- A conflict occurred, typically from an If-Match version mismatch. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse'
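The ClaimRule and Policy schemas above describe two separate decisions: whether a federated user's token satisfies a trusted profile's claim rule, and whether an access policy then grants the profile an action on a resource. The following is an added example written for this page, not IBM's code, that evaluates both locally using the ClaimRuleCondition operators and the PolicyAttribute operators from the schemas. The claim rule, role table, policy, IAM ID and action names are constructed. Assumptions not stated in the spec: the conditions of one rule are ANDed; CONTAINS is list membership for list-valued claims and substring for strings; IN takes a JSON-array string of accepted values; stringMatch treats `*` as a wildcard; a missing claim or attribute fails every operator except stringExists.

```python
import fnmatch
import json

PROFILE_IAM_ID = "iam-Profile-0000"  # constructed trusted-profile IAM ID

# Constructed Profile-SAML claim rule, shaped like CreateClaimRuleRequest.
CLAIM_RULE = {
    "type": "Profile-SAML",
    "realm_name": "https://idp.example.com",  # constructed IdP realm
    "expiration": 3600,
    "conditions": [
        {"claim": "groups", "operator": "CONTAINS", "value": "cloud-ops"},
        {"claim": "email", "operator": "NOT_EQUALS_IGNORE_CASE", "value": "contractor@example.com"},
        {"claim": "tenant", "operator": "IN", "value": '["prod", "staging"]'},
    ],
}

# Constructed Role objects keyed by role_id (CRN); action names are invented.
ROLES = {
    "crn:v1:bluemix:public:iam::::role:Viewer": {"actions": ["example-svc.item.read"]},
    "crn:v1:bluemix:public:iam::::role:Editor": {"actions": ["example-svc.item.read", "example-svc.item.write"]},
}

# Constructed access Policy: the profile may only read team-a resources of example-svc.
POLICY = {
    "type": "access",
    "state": "active",
    "subjects": [{"attributes": [{"name": "iam_id", "value": PROFILE_IAM_ID}]}],
    "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer"}],
    "resources": [{"attributes": [
        {"name": "accountId", "value": "acct-0000"},
        {"name": "serviceName", "value": "example-svc"},
        {"name": "resource", "value": "team-a-*", "operator": "stringMatch"},
    ]}],
}

# Constructed sample inputs: claims from an IdP token and the attributes of a target resource.
SAMPLE_CLAIMS = {"groups": ["cloud-ops", "dev"], "email": "alice@example.com", "tenant": "prod"}
SAMPLE_RESOURCE = {"accountId": "acct-0000", "serviceName": "example-svc", "resource": "team-a-bucket"}


def claim_condition_holds(claims, cond):
    """Evaluate one ClaimRuleCondition against the IdP token's claims (fail closed)."""
    actual, op, expected = claims.get(cond["claim"]), cond["operator"], cond["value"]
    if actual is None:
        return False  # an absent claim never satisfies a condition, not even NOT_EQUALS
    if op == "EQUALS":
        return actual == expected
    if op == "NOT_EQUALS":
        return actual != expected
    if op == "EQUALS_IGNORE_CASE":
        return str(actual).lower() == expected.lower()
    if op == "NOT_EQUALS_IGNORE_CASE":
        return str(actual).lower() != expected.lower()
    if op == "CONTAINS":  # assumed: membership for lists, substring for strings
        return expected in actual if isinstance(actual, list) else expected in str(actual)
    if op == "IN":  # assumed: value carries a JSON array of accepted values
        return str(actual) in json.loads(expected)
    raise ValueError(f"unsupported claim operator {op!r}")


def rule_applies(rule, claims):
    """All conditions of a claim rule must hold before the profile can be assumed."""
    return all(claim_condition_holds(claims, c) for c in rule["conditions"])


def attribute_holds(attrs, cond):
    """Evaluate one PolicyAttribute; the operator defaults to stringEquals."""
    actual, op, expected = attrs.get(cond["name"]), cond.get("operator", "stringEquals"), cond["value"]
    if op == "stringExists":  # value "true"/"false" says whether the attribute must be present
        return (actual is not None) == (expected.lower() == "true")
    if actual is None:
        return False
    if op == "stringEquals":
        return actual == expected
    if op == "stringMatch":  # assumed '*' wildcard semantics
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported policy operator {op!r}")


def block_matches(block, attrs):
    """A PolicySubject or PolicyResource matches when every one of its attributes holds."""
    return all(attribute_holds(attrs, a) for a in block["attributes"])


def is_allowed(policy, subject, resource, action, roles=ROLES):
    """True if an active access policy grants `action` to `subject` on `resource`."""
    if policy.get("state", "active") != "active" or policy["type"] != "access":
        return False
    if not any(block_matches(s, subject) for s in policy["subjects"]):
        return False
    if not any(block_matches(r, resource) for r in policy["resources"]):
        return False
    granted = {a for r in policy["roles"] for a in roles[r["role_id"]]["actions"]}
    return action in granted


def authorize(token_claims, resource, action, rule=CLAIM_RULE, policy=POLICY):
    """Full path: may the federated user assume the profile, and may the profile act?"""
    if not rule_applies(rule, token_claims):
        return False
    return is_allowed(policy, {"iam_id": PROFILE_IAM_ID}, resource, action)
```

Two design points carry over to reviewing real rules and policies: a condition on a claim the IdP did not send is treated as failed rather than vacuously true, so a NOT_EQUALS guard cannot be bypassed by omitting the claim, and a policy only grants the actions its roles enumerate, so the least-privilege question is always "which actions does this role CRN expand to", not "which role name sounds right".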
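The ApiKeyList schema exposes paging through `first`, `previous` and `next` links, and the Activity schema attached to each ApiKey records `last_authn` and `authn_count`. Together they support a routine hygiene check: find API keys that have never authenticated or have been idle for a long time. The following is an added example written for this page, not IBM's code. The two response pages are constructed inline and `fetch` stands in for an authenticated GET /v1/apikeys call, so it runs offline; it assumes the ApiKey object also carries `id` and `name` (defined earlier in the spec), and the 90-day idle threshold is a chosen policy value, not one the API prescribes.

```python
from datetime import datetime, timedelta, timezone

BASE = "https://iam.cloud.ibm.com/v1/apikeys"
FIRST_URL = f"{BASE}?account_id=acct-0000&pagesize=2"
NEXT_URL = f"{BASE}?account_id=acct-0000&pagesize=2&pagetoken=p2"

# Constructed pages shaped like ApiKeyList (IDs, names and timestamps are invented).
PAGES = {
    FIRST_URL: {
        "context": {"transaction_id": "tx-0001", "operation": "listApiKeys"},
        "limit": 2,
        "first": FIRST_URL,
        "next": NEXT_URL,
        "apikeys": [
            {"id": "ApiKey-0001", "name": "ci-deploy", "iam_id": "ServiceId-0001",
             "support_sessions": False,
             "activity": {"last_authn": "2024-05-30T08:00:00Z", "authn_count": 4210}},
            {"id": "ApiKey-0002", "name": "old-laptop", "iam_id": "IBMid-0001",
             "support_sessions": True,
             "activity": {"last_authn": "2023-11-02T12:00:00Z", "authn_count": 17}},
        ],
    },
    NEXT_URL: {
        "context": {"transaction_id": "tx-0002", "operation": "listApiKeys"},
        "limit": 2,
        "first": FIRST_URL,
        "previous": FIRST_URL,
        # no "next": this is the last page
        "apikeys": [
            {"id": "ApiKey-0003", "name": "never-used", "iam_id": "ServiceId-0002",
             "activity": {"authn_count": 0}},
        ],
    },
}


def iter_api_keys(fetch, url):
    """Follow ApiKeyList.next until the server omits it, yielding each ApiKey."""
    seen = set()
    while url:
        if url in seen:  # a misbehaving server must not turn the audit into an infinite loop
            raise RuntimeError(f"pagination cycle at {url}")
        seen.add(url)
        page = fetch(url)
        yield from page.get("apikeys", [])
        url = page.get("next")


def parse_timestamp(value):
    """last_authn is typed as a plain string in the spec; accept the RFC 3339 'Z' suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale_keys(keys, now, max_idle_days=90):
    """Return (id, reason) for keys never used or idle longer than max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for key in keys:
        activity = key.get("activity") or {}
        last_authn = activity.get("last_authn")
        if not last_authn or activity.get("authn_count", 0) == 0:
            findings.append((key["id"], "never used"))
        elif parse_timestamp(last_authn) < cutoff:
            findings.append((key["id"], f"idle since {last_authn}"))
    return findings


def audit(fetch=PAGES.get, first_url=FIRST_URL, now=None, max_idle_days=90):
    """Walk every page and report stale keys; `now` is injectable for deterministic runs."""
    now = now or datetime.now(timezone.utc)
    return find_stale_keys(iter_api_keys(fetch, first_url), now, max_idle_days)


if __name__ == "__main__":
    for key_id, reason in audit(now=datetime(2024, 6, 15, tzinfo=timezone.utc)):
        print(key_id, reason)
```

Against a live account, replace `PAGES.get` with a function that performs the GET with a bearer token and returns the parsed JSON; the cycle guard and the `next`-driven loop stay the same. A key flagged here is a candidate for the UpdateApiKeyRequest expiry field or for deletion, but confirm with its `history` entries first.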