By: Daniel Toczala
Note: This is the first blog in a series of blogs that I am co-authoring with Paula Williams, as part of an “I have an Issue…” series on the IBM Cloud. These blog posts will cover how to deal with common issues and roadblocks for users of the IBM Cloud. Check out her post on “What the Heck is a CSM?“
I like helping my IBM Cloud customers, and I like dealing with the technology. Every new technology (and even established technologies) have a learning curve. My goal in writing this series of articles is to help you more quickly conquer that learning curve with respect to the IBM Cloud.
Typical Issues That People See
Some typical issues that users experience when working with the IBM Cloud will often be with respect to their services. These could be one of the Watson services (like Watson Conversation or Watson Discovery), or maybe Cloud Object Storage, or a DB2 or Mongo database. The issues that people will typically experience fall into one of two categories:
I’ve Created Something That I Cannot See
These situations have you going out and creating an instance of a service, but now you just can’t seem to figure out how to find it or how to get to it. It’s almost as if we have decided to hide it on you.
In these situations, it is best to first figure out WHERE you are on the IBM Cloud. Look in the upper right corner of your browser window. As soon as you log into the IBM Cloud, you’ll see something like this:
That text in that small black block tells you WHERE you are. It tells you the account that you are operating in. Clicking on this box you can CHANGE where you are looking. Confused yet? Maybe we should step back a bit….
You have an ACCOUNT and IDENTITY on the IBM Cloud. Your IDENTITY from an IBM perspective is typically an email address, which is also your IBM ID (for our example let’s assume that mine is email@example.com). It has the same username/password as your IBM ID (which you might use for things on ibm.com). You might even have a Federated ID, where we use your company email address/identity and your company authentication mechanisms. Some things to remember when looking at your IBM ID:
- Just because you have an IBM ID, doesn’t mean that you have an IBM Cloud account. You will need to register for an IBM Cloud account. While both the IBM Cloud and ibm.com both use your IBM ID, they are DIFFERENT domains.
- When you sign up for your IBM ID, use a valid email address as your user ID. You will need to VALIDATE your account by responding to an email that is sent to (you guessed it!) your user ID. So in my case I cannot sign up for an IBM ID at firstname.lastname@example.org (unless I have convinced my corporate IT folks to give me that email address).
Now let’s get back to finding those cloud resources that we created. Once you see what context you are in, you will have a better idea of what you can EXPECT to see. Since I am an Acme Co. employee, I have been added as an approved user of the Acme corporate account. What does this mean? Well the Acme corporation created a different account, a corporate account, associated with a service account called IBM_Cloud_Admin@acme.com. This account has a subscription which provides it with a set amount of “credits” for IBM Cloud services, which it burns down over time. Since I am a member of this account, I can create IBM Cloud services in this corporate account, and their costs get assigned to the corporate account. IBM Cloud services are billed based on where they are LOCATED (logically), and not based on who created them.
So now you hopefully have a better feel for how your account fits into the grand scheme of things, maybe you can find out WHERE that Watson service that you created is located, by looking at the various different contexts that you operate in.
Advanced Developer Note: Your IBM ID is based on an email ID. So I have an IBM ID for email@example.com, but I also have one associated with my personal email address (firstname.lastname@example.org). I use my acme.com account for doing my regular work, and I use my personal email based ID to do open source work. That account is a trial account (or maybe I even attach my personal credit card to it), and I am careful not to rack up big charges on the account. I use it for doing simple little things in the cloud environment.
I Cannot Work With Something I Created
These situations are a little different. You are able to create some service, but you are then unable to access it. Either the service is broken, or down, or just not responding to your repeated attempts to use it. Or maybe you can see a service but you just cannot create it.
So let’s go back to that email@example.com account. First of all, you need to check and make sure that the account that you are attempting to create a service in is able to pay for that service. If the account has a credit card associated with it, which guarantees payment for cloud services used, then the account is referred to as a “PAYGO” (short for pay-as-you-go) account. People who use things like GitHub and other SaaS based services should be familiar with this model. If the account has prepaid for services, via an IBM Cloud subscription, then it is referred to as a “SUBSCRIPTION” account. Either “PAYGO” or “SUBSCRIPTION” accounts can create any type of service. Your personal account might not have a guaranteed payment method, like my firstname.lastname@example.org account. In that case you have a “TRIAL” account. “TRIAL” accounts can create lite (or no charge) instances of most services on the IBM Cloud. TRIAL accounts will not be able to create more robust versions of those services until they either become “PAYGO” or “SUBSCRIPTION” accounts.
So let’s get back to our example. My email@example.com account is a “TRIAL” account (I’m not paying for anything!), but since I am an approved user of the IBM_Cloud_Admin@acme.com account (which is a “SUBSCRIPTION” account), I can create non-lite service instances within THAT account. There is one hitch…. I have to have PERMISSIONS granted to me to be able to see particular logical areas of the Acme IBM_Cloud_Admin account.
What Are These “Logical” Areas?
There are two different types of logical areas where IBM Cloud resources can be created. Each is based on a different security model.
The Cloud Foundry security model uses the concept of Organizations (called “ORGs”) and Spaces. These “Orgs” and “Spaces” live in a hierarchal model, with a single Org hosting one or more Spaces. The administrator/owner of an IBM Cloud account will create these Orgs and Spaces, and will assign people various roles in each org/space. These roles determine what a user can do within that particular logical environment. You need to make sure that your account has access to the orgs and spaces that you need to work in.
The IBM Access Management (IAM) security model is based on Resource Groups. Each resource group may have a series of Access Groups associated with it, and these Access Groups can be used to provide fine-grained access controls and role management. You need to make sure that your account is enabled to do what is needed for the resource groups that you need to work in.
You can learn all about Orgs, Spaces, Resource Groups, Access Groups and best practices for organizing your IBM Cloud account by reading my blog post entitled, Getting Started Right on the IBM Cloud.