IBM Data and AI Ideas Portal for Customers


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Post your ideas

Post ideas and requests to enhance a product or service. Take a look at ideas others have posted and upvote them if they matter to you,

  1. Post an idea

  2. Upvote ideas that matter most to you

  3. Get feedback from the IBM team to refine your idea

Help IBM prioritize your ideas and requests

The IBM team may need your help to refine the ideas so they may ask for more information or feedback. The product management team will then decide if they can begin working on your idea. If they can start during the next development cycle, they will put the idea on the priority list. Each team at IBM works on a different schedule, where some ideas can be implemented right away, others may be placed on a different schedule.

Receive notification on the decision

Some ideas can be implemented at IBM, while others may not fit within the development plans for the product. In either case, the team will let you know as soon as possible. In some cases, we may be able to find alternatives for ideas which cannot be implemented in a reasonable time.

Additional Information

To view our roadmaps: http://ibm.biz/Data-and-AI-Roadmaps

Reminder: This is not the place to submit defects or support needs, please use normal support channel for these cases

IBM Employees:

The correct URL for entering your ideas is: https://hybridcloudunit-internal.ideas.aha.io


Status Future consideration
Workspace Cloud Pak for Data
Components Watson Studio
Created by Guest
Created on Apr 24, 2021

AWS IAM Role Compatibility with S3 Connections

Problem Statement/Pain Points: We work with a government agency who has specific security requirements and we are utilizing Cloud Pak for Data within their environment. They have a need for utilizing S3 Data Connections to resources in AWS GovCloud. Currently, Cloud Pak for Data S3 Data Connections only allow Access Key/Secret Key to authenticate to the service. However, we are required to utilize more secure connection options than username/password (which is essentially the same as an Access Key/Secret Key). However, since IAM Role credentials are not stored within the application, then we are able to avoid this issue.

State your current workaround(s): We are currently utilizing Access Keys and Secret Keys and therefore have to enter a POAM with our client in order to remain compliant.

State any proposed solution(s): Allow user to have the ability to utilize either Access Keys and Secret Keys or AWS IAM Roles with S3 Connections. With IAM Roles, an application or a service offered by AWS (like Amazon EC2) can assume a role by requesting temporary security credentials for a role with which to make programmatic requests to AWS. You use a role this way so that you do not have to share or maintain long-term security credentials (for example, by creating an IAM user with Access Key and Secret Key) for each entity that requires access to a resource. An apparent limitation of this is that it limits the number of unique S3 Data Connections that we are allowed while using IAM Roles (since the roles would be assigned to the EC2 Cloud Pak for Data nodes). Therefore, we are interested in alternative solutions to meet this need while overcoming this limitation.

State the benefits/value this idea has: Per AWS best practices, for applications on Amazon EC2 or other AWS services to access Amazon S3 resources, they must include valid AWS credentials in their AWS API requests. You should not store AWS credentials directly in the application or Amazon EC2 instance. These are long-term credentials that are not automatically rotated and could have a significant business impact if they are compromised. Instead, you should use an IAM role to manage temporary credentials for applications or services that need to access Amazon S3. When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an Amazon EC2 instance or AWS service such as AWS Lambda. The role supplies temporary permissions that applications can use when they make calls to other AWS resources. [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html]

State # of users impacted and how often are they impacted): All users utilizing AWS S3 Buckets within Cloud Pak for Data would benefit

Needed by Date Apr 26, 2022
  • Guest
    Apr 28, 2021

    This would be a great benefit to Federal organizations that have a mandate to use a more secure method of authentication than hardcoded keys/secrets. Using roles would also provide greater flexibility in access while maintaining high level of security.

  • Guest
    Apr 26, 2021

    This is a much needed service, and any gov organization is going to run into a compliance issue utilizing the AWS Access Key/Secret vs the IAM role to support this connection. Having the ability to utilize the IAM role within CP4D would greatly benefit maintaining the Security and Compliance of CP4D.