Table: ibm_iam_api_key - Query IBM IAM API Keys using SQL
IBM IAM API Keys are a type of credentials in IBM Cloud that clients can use to authenticate with IBM Cloud services. These API keys are associated with IBM Cloud Identity and Access Management (IAM) and can be used to make programmatic calls to the IBM Cloud. They provide a secure way to manage authentication and authorization for IBM Cloud services.
Table Usage Guide
The ibm_iam_api_key
table provides insights into API keys within IBM Cloud Identity and Access Management (IAM). As a security analyst, explore API key-specific details through this table, including account IDs, creation timestamps, descriptions, and associated metadata. Utilize it to uncover information about API keys, such as their status, the services they have access to, and the duration for which they are valid.
Important Notes
- To list all of your API keys use the
ibm_iam_my_api_key
table instead.
Examples
Basic info
Explore which API keys were created at what time and by which IAM user within IBM's IAM service. This can be particularly useful for auditing purposes or to track key creation in your environment.
select name, id, crn, created_at, iam_id as user_iam_idfrom ibm_iam_api_key;
select name, id, crn, created_at, iam_id as user_iam_idfrom ibm_iam_api_key;
Access key count by user name
Assess the distribution of access keys across different users to understand their individual API usage. This is useful for auditing purposes and to ensure appropriate access control.
select u.user_id, count (key.id) as api_key_countfrom ibm_iam_api_key as key, ibm_iam_user as uwhere u.iam_id = key.iam_idgroup by u.user_id;
select u.user_id, count(key.id) as api_key_countfrom ibm_iam_api_key as key, ibm_iam_user as uwhere u.iam_id = key.iam_idgroup by u.user_id;
List keys older than 90 days
Determine the API keys that have been in use for more than 90 days. This query can help identify potentially outdated keys for review, enhancing security and access management.
select key.id as api_key_id, key.name as api_key_name, u.user_id, extract( day from current_timestamp - key.created_at ) as age, key.account_idfrom ibm_iam_api_key as key, ibm_iam_user as uwhere key.iam_id = u.iam_id and extract( day from current_timestamp - key.created_at ) > 90;
select key.id as api_key_id, key.name as api_key_name, u.user_id, julianday('now') - julianday(key.created_at) as age, key.account_idfrom ibm_iam_api_key as key, ibm_iam_user as uwhere key.iam_id = u.iam_id and julianday('now') - julianday(key.created_at) > 90;
Control examples
Schema for ibm_iam_api_key
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The ID fof the account. |
api_key | text | The API key value. This property only contains the API key value for the following cases: create an API key, update a service ID API key that stores the API key value as retrievable, or get a service ID API key that stores the API key value as retrievable. | |
created_at | timestamp with time zone | Specifies the date and time, the API key is created. | |
crn | text | Cloud Resource Name of the API key. | |
description | text | The description of the API key. | |
entity_tag | text | Version of the API Key details object. | |
history | jsonb | History of the API key. | |
iam_id | text | The iam_id that this API key authenticates. | |
id | text | Unique identifier of this API Key. | |
modified_at | timestamp with time zone | Specifies the date and time, the API key las modified. | |
name | text | Specifies the name of the API key. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ibm
You can pass the configuration to the command with the --config
argument:
steampipe_export_ibm --config '<your_config>' ibm_iam_api_key