A set of sample scripts and Terraform configurations to demonstrate and test IBM Cloud context-based restrictions for securing Cloud Object Storage access.
Samples for working with context-based restrictions in IBM Cloud
This tool is designed for IBM Cloud users who want to implement and validate context-based restrictions (CBR) to control access to Cloud Object Storage resources. It helps developers and cloud security engineers verify that access policies restrict usage to specific environments, such as IBM Cloud Code Engine jobs, enhancing cloud security posture through automation and configuration testing.
Ensure that the environment variables or the .env file are correctly configured with a valid IBM Cloud API key, the COS instance CRN, and the endpoint URL before running the script. The Terraform files must be adapted to your IBM Cloud environment. This tool is intended for demonstration and testing purposes and should be used in conjunction with IBM Cloud security best practices.
Clone the repository to your local environment
Adapt terraform/terraform.tfvars with your IBM Cloud API key and COS instance name
Build the Docker image using the provided python/Dockerfile
Set environment variables or create a .env file with API key, COS instance CRN, and endpoint URL
Deploy the Terraform configuration to create CBR network zones and access rules
Deploy the containerized Python script as a job in IBM Cloud Code Engine
python listFiles.py
Runs the Python script to list buckets and items in the specified Cloud Object Storage instance
docker build -t cbr-listfiles .
Builds the Docker container image for the Python script
terraform apply
Deploys the context-based restrictions network zone and access rules using Terraform
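The way to validate the deployed rules is to run the listing script from inside the allowed context (a Code Engine job, where the call should succeed) and from outside it (a workstation, where COS should refuse the call). The probe below is an added example, not the repository's listFiles.py: it assumes the ibm-cos-sdk package (ibm_boto3) and the environment variable names IBM_API_KEY, COS_INSTANCE_CRN, COS_ENDPOINT and EXPECT_ACCESS, all of which are assumptions, and it exits non-zero when the observed outcome differs from what the CBR rule should produce at that location.

```python
# Probe whether the CBR rule on a COS instance gives this run location the
# expected outcome. Added example; assumes ibm_boto3 and the env var names below.
import os, sys

REQUIRED = ("IBM_API_KEY", "COS_INSTANCE_CRN", "COS_ENDPOINT")

def load_config(env):
    # Fail fast on missing settings; EXPECT_ACCESS (assumed name) is "allow"
    # for a run inside the Code Engine zone and "deny" for a run outside it.
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing environment variables: " + ", ".join(missing))
    expect = env.get("EXPECT_ACCESS", "allow").lower()
    if expect not in ("allow", "deny"):
        raise ValueError("EXPECT_ACCESS must be 'allow' or 'deny'")
    return {**{k: env[k] for k in REQUIRED}, "expect": expect}

def classify(exc):
    # A blocking CBR rule surfaces as an AccessDenied error from COS; anything
    # else (bad endpoint, bad key, network) is an error, not a policy decision.
    resp = getattr(exc, "response", None) or {}
    return "deny" if resp.get("Error", {}).get("Code") == "AccessDenied" else "error"

def verdict(observed, expected):
    # PASS only when the observed outcome is the one the rule should yield.
    return "PASS" if observed == expected else f"FAIL: expected {expected}, got {observed}"

def list_buckets(cfg):
    import ibm_boto3  # imported here so the pure helpers run without the SDK
    from ibm_botocore.client import Config
    cos = ibm_boto3.client("s3", ibm_api_key_id=cfg["IBM_API_KEY"],
                           ibm_service_instance_id=cfg["COS_INSTANCE_CRN"],
                           config=Config(signature_version="oauth"),
                           endpoint_url=cfg["COS_ENDPOINT"])
    return [b["Name"] for b in cos.list_buckets()["Buckets"]]

def main():
    cfg = load_config(os.environ)
    try:
        print("buckets:", list_buckets(cfg))
        observed = "allow"
    except Exception as exc:  # ibm_botocore ClientError when denied
        print("call failed:", exc)
        observed = classify(exc)
    result = verdict(observed, cfg["expect"])
    # a FAIL string passed to sys.exit is printed and yields exit status 1
    sys.exit(0 if result == "PASS" else result)

if __name__ == "__main__":
    main()
```

Run it once as a Code Engine job with EXPECT_ACCESS=allow and once from a workstation with EXPECT_ACCESS=deny; a PASS in both places shows the zone is scoped as intended rather than merely that the credentials work.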