Create IBM Cloud Service Credentials with the IBM Cloud CLI

To access an IBM Cloud service instance, you need service credentials. These credentials can be generated via the IBM Cloud Dashboard or the IBM Cloud CLI. My preferred approach is always to use the CLI, but it can be confusing the first few times you attempt it. Here’s a quick cheat sheet:

1. Create the service instance (read more about service instance creation via the CLI). Here is an example of creating a Watson Tone Analyzer instance named myta:

ibmcloud resource service-instance-create myta tone-analyzer lite eu-de

2. Create a service key associated with that service instance. Make sure that you assign an appropriate role to the key depending on the privileges required (for example, Manager or Writer for write access). Here is an example of creating a service key named myta-key:

ibmcloud resource service-key-create myta-key Manager --instance-name myta

The response to the above request contains an apikey field with an API key.

3. Obtain an OAuth access token using the apikey returned at the end of the previous step. Here is an example of making a request for an OAuth access token:

curl -X POST '' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=YOUR-APIKEY-HERE'

The response to the above request contains an access_token field holding a time-limited OAuth access token.

4. You can now access and work with the IBM Cloud service instance by attaching the OAuth token to your requests as a credential. The actual request parameters and headers will differ from service to service – refer to the service documentation for specific details. For example, here is an example of sending an authenticated request to the Watson Tone Analyzer service instance created above:

curl -X GET '' -H "Authorization: Bearer YOUR-TOKEN-HERE"

The screenshot below shows an example session: