steampipe plugin install ibm

Table: ibm_iam_api_key - Query IBM IAM API Keys using SQL

IBM IAM API Keys are a type of credentials in IBM Cloud that clients can use to authenticate with IBM Cloud services. These API keys are associated with IBM Cloud Identity and Access Management (IAM) and can be used to make programmatic calls to the IBM Cloud. They provide a secure way to manage authentication and authorization for IBM Cloud services.

Table Usage Guide

The ibm_iam_api_key table provides insights into API keys within IBM Cloud Identity and Access Management (IAM). As a security analyst, explore API key-specific details through this table, including account IDs, creation timestamps, descriptions, and associated metadata. Utilize it to uncover information about API keys, such as their status, the services they have access to, and the duration for which they are valid.

Important Notes

  • To list all of your API keys, use the ibm_iam_my_api_key table instead.

Examples

Basic info

Explore which API keys were created at what time and by which IAM user within IBM's IAM service. This can be particularly useful for auditing purposes or to track key creation in your environment.

select
  name,
  id,
  crn,
  created_at,
  iam_id as user_iam_id
from
  ibm_iam_api_key;

Access key count by user name

Assess the distribution of access keys across different users to understand their individual API usage. This is useful for auditing purposes and to ensure appropriate access control.

select
  u.user_id,
  count(key.id) as api_key_count
from
  ibm_iam_api_key as key,
  ibm_iam_user as u
where
  u.iam_id = key.iam_id
group by
  u.user_id;

List keys older than 90 days

Find API keys that were created more than 90 days ago, with age measured from created_at. The result is a list of potentially outdated keys to review.

Postgres:

select
  key.id as api_key_id,
  key.name as api_key_name,
  u.user_id,
  extract(day from current_timestamp - key.created_at) as age,
  key.account_id
from
  ibm_iam_api_key as key,
  ibm_iam_user as u
where
  key.iam_id = u.iam_id
  and extract(day from current_timestamp - key.created_at) > 90;

SQLite:

select
  key.id as api_key_id,
  key.name as api_key_name,
  u.user_id,
  julianday('now') - julianday(key.created_at) as age,
  key.account_id
from
  ibm_iam_api_key as key,
  ibm_iam_user as u
where
  key.iam_id = u.iam_id
  and julianday('now') - julianday(key.created_at) > 90;
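
A broader rotation audit, as an added example that is not part of the plugin's documentation. It uses a left join so that keys whose iam_id has no row in ibm_iam_user are still reported (the inner join in the query above drops them), and it flags keys whose api_key column holds a retrievable value without selecting the secret itself. Postgres syntax; the 90-day threshold is carried over from the query above, and the output column names are assumptions.

```sql
-- Added example, not from the plugin documentation.
-- Assumption: 90 days is the rotation threshold, as in the previous query.
with keys as (
  select
    k.id,
    k.name,
    k.iam_id,
    k.account_id,
    k.modified_at,
    -- Report only whether a key value is stored; never select the value.
    coalesce(k.api_key, '') <> '' as key_value_retrievable,
    extract(day from current_timestamp - k.created_at) as age_days
  from
    ibm_iam_api_key as k
)
select
  keys.id as api_key_id,
  keys.name as api_key_name,
  -- Fall back to the raw iam_id when no user row matches.
  coalesce(u.user_id, keys.iam_id) as owner,
  u.user_id is null as owner_not_in_user_table,
  keys.age_days,
  keys.modified_at,
  keys.key_value_retrievable,
  keys.account_id
from
  keys
  left join ibm_iam_user as u on u.iam_id = keys.iam_id
where
  keys.age_days > 90
  or keys.key_value_retrievable
order by
  keys.key_value_retrievable desc,
  keys.age_days desc;
```

Rows with owner_not_in_user_table set to true are the ones the inner-join queries above never show.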

Schema for ibm_iam_api_key

| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| account_id | text | | ID of the account that this API key authenticates for. |
| api_key | text | | The API key value. This property only contains the API key value for the following cases: create an API key, update a service ID API key that stores the API key value as retrievable, or get a service ID API key that stores the API key value as retrievable. |
| created_at | timestamp with time zone | | Specifies the date and time the API key was created. |
| crn | text | | Cloud Resource Name of the API key. |
| description | text | | The description of the API key. |
| entity_tag | text | | Version of the API Key details object. |
| history | jsonb | | History of the API key. |
| iam_id | text | | The iam_id that this API key authenticates. |
| id | text | | Unique identifier of this API Key. |
| modified_at | timestamp with time zone | | Specifies the date and time the API key was last modified. |
| name | text | | Specifies the name of the API key. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ibm

You can pass the configuration to the command with the --config argument:

steampipe_export_ibm --config '<your_config>' ibm_iam_api_key