
In doing some testing of the IBM Cloud Security and Compliance items, specifically the CIS Benchmarks for Best Practices, one item I was non-compliant on was in Cloud Key Protect, for the goal "Check whether Key Protect is accessible only by using private endpoints".

My Key Protect instance was indeed set to "Public and Private", so I changed it to Private. This change now requires me to manage my Key Protect instance from the CLI.

When I try to even look at my Key Protect instance policy from the CLI, I receive the following error:

    ibmcloud kp instance -i my_instance_id policies
    Retrieving policy details for instance: my_instance_id...
    Error while getting instance policy: kp.Error: correlation_id='cc54f61d-4424-4c72-91aa-d2f6bc20be68', msg='Unauthorized: The user does not have access to the specified resource'
    FAILED
    Unauthorized: The user does not have access to the specified resource
    Correlation-ID:cc54f61d-4424-4c72-91aa-d2f6bc20be68

I'm confused: I am running the CLI logged in as the tenant admin, with an access policy of "All resources in account (including future IAM enabled services)".

What am I doing wrong here?

Griffter

1 Answer


Private endpoints are only accessible from within IBM Cloud. If you connect from the public internet, access should be blocked.

There are multiple ways to work with such a policy in place. One is to deploy (a VPC with) a virtual machine on a private network, then connect to it with a VPN or Direct Link. That way your resources are not accessible from the public internet, only through private connectivity. You can continue to use the IBM Cloud CLI, but set it to use private endpoints.

data_henrik
  • Ok, I understand the premise of "accessible only from a private connection"; I guess I assumed that when using the CLI from within the IBM Cloud portal, that would constitute a "private" connection. I'll report back after trying the access from one of my VSIs in the VPC. Thanks! – Griffter Nov 08 '21 at 09:44
  • Thanks data_henrik - once I shifted from running the cloud CLI from within the portal and used the CLI from one of my VSIs, I was able to target the private address of Key Protect and manage my instance. – Griffter Nov 08 '21 at 10:05
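The following is an added example, not code from the thread or from IBM, that wraps the workflow the answer and comments describe: lock the instance to private endpoints, then run the kp CLI from a host with private connectivity with the CLI pointed at the private Key Protect address. It also shows why the original error is misleading: a private-only instance rejects requests that arrive over the public network with the same "Unauthorized" text as a genuine IAM denial, so the first thing to check is the network path, not the access policy. Assumptions (verify against the current IBM docs and `ibmcloud kp --help` before relying on them): Key Protect endpoints are `https://<region>.kms.cloud.ibm.com` (public) and `https://private.<region>.kms.cloud.ibm.com` (private); the kp plugin reads the private endpoint from the `KP_PRIVATE_ADDR` environment variable; the allowed-network policy is set with `ibmcloud kp instance policy-update --allowed-network`; and the private IBM Cloud API endpoint for `ibmcloud login` is `https://private.cloud.ibm.com`. The sample error message is copied from the question so the offline helpers run without the CLI installed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original thread. Endpoint hostnames, the
# KP_PRIVATE_ADDR variable and the policy-update flags are assumptions to confirm
# against the current Key Protect documentation.
set -eu

# Key Protect API base URL for a region and a network type (public|private).
kp_endpoint() {
  local region="$1" network="$2"
  case "$network" in
    public)  printf 'https://%s.kms.cloud.ibm.com\n' "$region" ;;
    private) printf 'https://private.%s.kms.cloud.ibm.com\n' "$region" ;;
    *) echo "kp_endpoint: network must be public or private, got '$network'" >&2; return 1 ;;
  esac
}

# Pull the correlation_id out of a kp.Error message; IBM support asks for it.
extract_correlation_id() {
  printf '%s\n' "$1" | sed -n "s/.*correlation_id='\([0-9a-f-]*\)'.*/\1/p" | head -n 1
}

# Classify a kp CLI failure. The "Unauthorized" text is returned both for a real
# IAM denial and for a private-only instance reached over the public network,
# so the caller must check which network path the request actually took.
classify_kp_error() {
  local msg="$1" cid
  if printf '%s' "$msg" | grep -q 'Unauthorized: The user does not have access'; then
    cid="$(extract_correlation_id "$msg")"
    echo "unauthorized correlation_id=${cid:-unknown}"
  else
    echo "other"
  fi
}

# Lock an instance to private endpoints (the CIS Benchmark control from the
# question). Assumed flags; confirm with `ibmcloud kp instance policy-update --help`.
kp_lock_to_private() {
  local instance_id="$1"
  ibmcloud kp instance policy-update --allowed-network private-only -i "$instance_id"
}

# Run any kp subcommand against the private endpoint of the given region.
# Assumes the kp plugin honours KP_PRIVATE_ADDR.
kp_private() {
  local region="$1"; shift
  KP_PRIVATE_ADDR="$(kp_endpoint "$region" private)" ibmcloud kp "$@"
}

# Sample error copied from the question; lets the helpers run without the CLI.
SAMPLE_KP_ERROR="Error while getting instance policy: kp.Error: correlation_id='cc54f61d-4424-4c72-91aa-d2f6bc20be68', msg='Unauthorized: The user does not have access to the specified resource'"

if command -v ibmcloud >/dev/null 2>&1 && [ -n "${KP_INSTANCE_ID:-}" ]; then
  # Live run from a host with private connectivity, e.g. a VSI in the VPC.
  # Log in over the private API endpoint first (assumed URL):
  #   ibmcloud login -a https://private.cloud.ibm.com
  kp_private "${KP_REGION:-us-south}" instance -i "$KP_INSTANCE_ID" policies
else
  echo "ibmcloud CLI not found or KP_INSTANCE_ID unset; running the offline diagnosis only" >&2
fi
classify_kp_error "$SAMPLE_KP_ERROR"
```

Set `KP_INSTANCE_ID` (and optionally `KP_REGION`) and run the script from a machine on the private network to list the policies; call `kp_lock_to_private <instance-id>` once, from a path that still has access, to apply the private-only setting. Note that the Cloud Shell in the IBM Cloud portal is not on your VPC's private network, which is why the original attempt failed even though IAM allowed the user.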