This portal is to open public enhancement requests against IBM Cloud and its products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
IBM Cloud Support Center (https://cloud.ibm.com/unifiedsupport/cases/form) – Use this site for any IBM Cloud defect or support need.
Stack Overflow (https://stackoverflow.com/questions/tagged/ibm-cloud) – Use this site for IBM Cloud technical Q&A using the tag "ibm-cloud".
firstname.lastname@example.org - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
While the automation need is understandable, this introduces the risk of potentially expose the admins api key at account creation time if returned without authentication, and also possibly leading to sharing of the key between users. There are also conflicts that could potentially arise with default IAM settings at account creation (e.g. MFA)
I would think to help with automation, when using the API's to generate an Enterprise Sub Account, the identified owner of the new account should automatically have an API Key generated, which is returned in the output when the sub account is created. Today, you generate the sub account, then manually log into that account via the CLI using the --sso option or through the web console, then generate a new API key. Only then can you use that API key to automate the rest of the account setup. We're trying to skip that middle step.
Yes, we are aware of the IAM API for creating an API key. But that requires authentication of the caller.
To clarify the scenario, the issue arrises at the time of account creation. The only user that exists is the account owner and the creation of its API key is not automated.
IAM does provide an API to create API keys https://cloud.ibm.com/apidocs/iam-identity-token-api#create-api-key
Could you please provide more detail to help better understand this?