Table: ibm_iam_my_api_key - Query IBM IAM API Keys using SQL
IBM Identity and Access Management (IAM) is a service within IBM Cloud that manages access to resources and applications. It provides a centralized way to manage API keys, service IDs, access groups, and policies. IBM IAM helps you control who has access to your IBM Cloud resources and services, and what actions they can perform.
Table Usage Guide
The ibm_iam_my_api_key table provides insights into API keys within IBM Identity and Access Management (IAM). As a security or DevOps engineer, explore API key-specific details through this table, including permissions, creation time, and associated metadata. Utilize it to uncover information about API keys, such as those with unrestricted permissions and the verification of access policies.
Important Notes
- To query all API keys in an account, use the ibm_iam_api_key table.
Examples
Basic info
List the name, ID, CRN, creation time, and owning IAM ID of your IBM IAM API keys. This can be useful to track key creation and usage patterns for security and auditing purposes.
select
  name,
  id,
  crn,
  created_at,
  iam_id as user_iam_id
from
  ibm_iam_my_api_key;
Access key count by user name
Count the API keys held by each user to understand how keys are distributed. This can be useful for identifying users with an unusually high number of keys, which could suggest a potential security risk.
select
  u.user_id,
  count(key.id) as api_key_count
from
  ibm_iam_my_api_key as key,
  ibm_iam_user as u
where
  u.iam_id = key.iam_id
group by
  u.user_id;
List keys older than 90 days
Find API keys older than 90 days to maintain security and ensure timely key rotation. This helps in managing outdated keys which may pose potential security risks.
PostgreSQL:
select
  key.id as api_key_id,
  key.name as api_key_name,
  u.user_id,
  extract(day from current_timestamp - key.created_at) as age,
  key.account_id
from
  ibm_iam_my_api_key as key,
  ibm_iam_user as u
where
  key.iam_id = u.iam_id
  and extract(day from current_timestamp - key.created_at) > 90;
SQLite:
select
  key.id as api_key_id,
  key.name as api_key_name,
  u.user_id,
  julianday('now') - julianday(key.created_at) as age,
  key.account_id
from
  ibm_iam_my_api_key as key,
  ibm_iam_user as u
where
  key.iam_id = u.iam_id
  and julianday('now') - julianday(key.created_at) > 90;
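A rotation report that extends the 90-day query above, as an added example that is not part of the original documentation. It uses PostgreSQL syntax and only columns listed in the schema below plus the ibm_iam_user columns already used on this page; the 180- and 365-day buckets and the never_modified and missing_description flags are assumptions chosen for illustration.

```sql
-- Added example (PostgreSQL syntax). Bucket boundaries beyond 90 days are assumptions.
with key_age as (
  select
    key.id as api_key_id,
    key.name as api_key_name,
    key.iam_id,
    key.account_id,
    key.description,
    key.created_at,
    key.modified_at,
    extract(day from current_timestamp - key.created_at) as age_days
  from
    ibm_iam_my_api_key as key
)
select
  k.api_key_id,
  k.api_key_name,
  u.user_id,
  k.account_id,
  k.age_days,
  case
    when k.age_days > 365 then 'over 365 days'
    when k.age_days > 180 then '181-365 days'
    when k.age_days > 90 then '91-180 days'
    else 'within 90 days'
  end as rotation_status,
  -- Heuristic (assumption): modified_at equal to created_at means the key
  -- has not been updated since it was created.
  (k.modified_at is null or k.modified_at = k.created_at) as never_modified,
  -- A key without a description is harder to attribute to a workload during review.
  (coalesce(k.description, '') = '') as missing_description
from
  key_age as k
  -- Left join keeps keys whose iam_id has no matching row in ibm_iam_user;
  -- the comma join with a where clause would drop them from the report.
  left join ibm_iam_user as u on u.iam_id = k.iam_id
order by
  k.age_days desc;
```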
Schema for ibm_iam_my_api_key
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
account_id | text | | ID of the account that this API key authenticates for. |
api_key | text | | The API key value. This property only contains the API key value for the following cases: create an API key, update a service ID API key that stores the API key value as retrievable, or get a service ID API key that stores the API key value as retrievable. |
created_at | timestamp with time zone | | Specifies the date and time the API key was created. |
crn | text | | Cloud Resource Name of the API key. |
description | text | | The description of the API key. |
entity_tag | text | | Version of the API Key details object. |
history | jsonb | | History of the API key. |
iam_id | text | | The iam_id that this API key authenticates. |
id | text | | Unique identifier of this API Key. |
modified_at | timestamp with time zone | | Specifies the date and time the API key was last modified. |
name | text | | Specifies the name of the API key. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ibm
You can pass the configuration to the command with the --config argument:
steampipe_export_ibm --config '<your_config>' ibm_iam_my_api_key