This repository holds files for testing context-based restrictions in IBM Cloud.
The overall scenario is shown here. A Python script is deployed as job to IBM Cloud Code Engine. A jobrun, running the script, succeeds - all items in the bucket cbrbucket can be retrieved. With the deployed restrictions in place, running the same script from other environments fails with the access denied (see screenshots below).
Access from Code Engine succeeds:
Access from another compute environment fails. Access is denied:
The script listFiles.py is based on code samples from the IBM Cloud Object Storage documentation. It takes an API key, the COS instance CRN, and optionally the endpoint URL from environment variables or an .env file. Then, it lists the available storage buckets in the COS instance, thereafter those items / files in the bucket cbrbucket.
You can use the provided Dockerfile to containerize the script. Thereafter, configure it as IBM Cloud Code Engine job by defining environment variables for the same API key, COS instance CRN and endpoint URL data.
See the files in terraform. Adapt the file terraform.tfvars to your IBM Cloud API key and the name of the Cloud Object Storage instance.
See the LICENSE file.