Developing software in the Real World

Setting up IBM Cloud Object Storage

For a little website that I’m writing, I thought that I’d use IBM Cloud Object Storage (equivalent to AWS S3) as I’m generating the pages using OpenWhisk on IBM Cloud Functions. The documentation is quite good if you want to use the website, but is a bit spread all over the place if you’re using the command line, which is how I do things.

As Cloud Object Storage is a bit of a mouthful, I’ll no doubt abbreviate to COS at times.

Also, make sure that you have the ibmcloud command line tool installed and are logged in to it.

Install Cloud Object Storage

While COS is available on the CF marketplace, it’s a global service rather than a per-instance one, so it needs to be added to your account via the website. At least, I couldn’t find a way to use the ibmcloud CLI to add a global service. Hopefully this will be provided at some point.

To install, log into your IBM Cloud account, find Cloud Object Storage in the Catalog(sic) and run through the wizard to create an instance on the Lite plan. I called my instance objectstorage.

Add the COS CLI plugin

18th June 2019. Update: The COS plugin is back!

8 April 2019. Update: The COS plugin has been removed with no explanation, so you’ll need to use curl nowadays.

There’s a handy COS plugin for the CLI tool, so we’ll install it.

To use the COS plugin, we need to configure it with our region and objectstore’s unique number, known as a CRN. The CRN is available using the command:

The CRN is labelled ID and starts with “crn:v1:”. We now configure the COS plugin using:

And enter your CRN at the prompt. The region defaults to us-geo which may be fine, but I wanted Europe.

Test that it’s working using:

Create a bucket

Creating a bucket via the CLI is easy:

Where mybucket is the name of the bucket. Note that this name needs to be globally unique, so prefix it with your initials or something similar.

You can also do it via the API. For this you need your bearer token which can be found in ibmcloud iam oauth-tokens. It’s the really long string after "IAM token: Bearer", so the easiest thing is to put it into an environment variable:

You also need the service instance’s GUID. This can be found using ibmcloud resource service-instance objectstore, but again, it’s easiest to put into an environment variable using:

To create the bucket via curl:

Uploading and downloading files

To add files to the bucket, PUT to the filename:

You must set the correct Content-Type header and use the -T option for files. For example, to upload an image:

All the possible operations are documented on the Using curl page. For example, you can delete the file by using the DELETE method

We can retrieve the file from the URL we PUT to. As we set the x-amz-acl header to public-read, no authentication is required. Remove this header if the file is to be kept private.

Creating application-specific credentials

While it is easy to use the bearer token attached to our account, we don’t want to use this for our applications where we also want to limit what any given application can do. To create application-specific credentials, we create a service ID:

We then create a permissions policy for our bucket:

This command creates a new policy for our “myappservice” service ID which assigns the Writer role to the mybucket bucket within our objectstore service. The available roles can be viewed using ibmcloud iam roles. Note that we need the objectstore GUID for the argument to --service-instance, not its ID/CRN.

You can view all policies that a service ID has using ibmcloud iam service-policies myappservice which can be handy to ensure that you’ve set it up correctly.

To attach these to our actual bucket, we create a service-key to join our service ID to the service:

This will return a set of credentials. Make a note of the apikey as we’ll need it to create the token in the app.

Creating a bearer token from an api key

To access the COS bucket, we need to use a bearer token. The system is OAuth, so we can get the token we need with a POST request to a /token endpoint:

The response holds the bearer token that we need in the access_token property. We can then use that with the COS API to manage files within our bucket.
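The token exchange described above, followed by the PUT upload from the earlier section, as an added example that is not from the original post. The IAM URL, the COS endpoint host and the function names are assumptions; substitute the endpoints for your own account and bucket region.

```shell
#!/bin/sh
# Added example, not from the original post. Hosts are assumptions: use the
# IAM and COS endpoints that match your account and bucket region.
IAM_URL="${IAM_URL:-https://iam.cloud.ibm.com/identity/token}"
COS_ENDPOINT="${COS_ENDPOINT:-https://s3.eu-gb.cloud-object-storage.appdomain.cloud}"

# Form body for the token request. printf is a shell builtin, so the API key
# never appears in another process's argument list.
# Assumes the key contains no characters that need URL-encoding.
token_request_body() {
  printf 'grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=%s' "$1"
}

# Read the JSON response on stdin and print the access_token value.
# sed keeps the example dependency-free; jq -r .access_token also works.
extract_access_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# get_token APIKEY: exchange the service ID's API key for a bearer token.
# The body reaches curl on stdin (--data @-), not on the command line.
get_token() {
  token=$(token_request_body "$1" |
    curl -sS --fail -X POST "$IAM_URL" \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -H 'Accept: application/json' --data @- |
    extract_access_token)
  if [ -z "$token" ]; then
    echo 'IAM response contained no access_token' >&2
    return 1
  fi
  printf '%s\n' "$token"
}

# upload TOKEN FILE BUCKET KEY CONTENT_TYPE [public]
# Objects stay private unless "public" is passed explicitly, which adds the
# x-amz-acl: public-read header used in the upload section.
upload() {
  token=$1 file=$2 url="$COS_ENDPOINT/$3/$4" ctype=$5 visibility=${6:-private}
  set -- -sS --fail -X PUT "$url" -H "Authorization: Bearer $token" \
    -H "Content-Type: $ctype" -T "$file"
  if [ "$visibility" = public ]; then
    set -- "$@" -H 'x-amz-acl: public-read'
  fi
  curl "$@"
}

# Usage: TOKEN=$(get_token "$APIKEY") && upload "$TOKEN" logo.png mybucket logo.png image/png
```

The bearer token still appears in curl's arguments during the upload; it expires, unlike the API key.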

Adding a CDN

To add a CDN, we have to use the website from what I can tell. I used the instructions from the middle of this tutorial.

6 thoughts on “Setting up IBM Cloud Object Storage”

  1. Hi, Rob.
    I tried to install the plugin by the following command and it failed as "Plug-in 'cloud-object-storage' was not found on disk or in the repository 'IBM Cloud'."
    How did you specify a repository where cloud-object-storage exists?

  2. Hey Rob, quick update as of June 18th 2019.

    IBM Cloud Cloud Object Storage (COS) plugin for ibmcloud CLI is available again.

  3. Hello Guys
    I'm new in IBM COS, and lost the COS Manager Web account, can someone help how to recover or to set a new one.

