
IBM Cloud: Least privileges for service ID that needs to update a Code Engine app?


I am using IBM Cloud Code Engine to deploy my containerized apps. Now, I would like to use a service ID (or its API key) to run a toolchain and, within it, update an already existing app. What privileges are needed to push the new container image to a private registry and to update the app from that image?


Solution

  • It seems the following privileges are needed. They can be created as access policies within an IBM Cloud IAM access group. The service ID is then added to that access group.

    With the above privileges my pipeline could run successfully.