Discovering IBM Cloud

IBM Cloud is the most open and secure public cloud for business.

Discovering IBM Cloud

You can access and configure all of your services, using the IBM Cloud Console. This section describes the settings and procedures required to discover services running in IBM Cloud.

Services and regulatory domains discovered

BMC Helix Discovery enables you to discover your cloud services running in IBM Cloud. 

The following set of IBM Cloud services can be discovered with the latest product content update:


Classic Infrastructure - is not supported because IBM marked it as obsolete.

VPC Infrastructure Generation 1 - is not supported because IBM marked it as obsolete.

VPC Infrastructure Generation 2 - is supported.

Required permissions

An account that is used for IBM Cloud discovery should have the following Roles: 

DefaultViewer 'iam-identity.apikey.get'

Steps on how to create and use custom roles:

1. Create a custom Role which is able to get apikey details (read-only access). 

    1. For more information refer to the IBM pages:
    2. Select the following:
      • Service - IAM Identity Service
      • Actions -  iam-identity.apikey.get

2. Add this role to 'discovery' user:

    1. Go to: Users > name > Access policies > Assign Access > Account management TAB.
    2. Select IAM Identity Service.
    3. Select Custom role.

Create IBM Cloud Api key

To perform discovery on IBM Cloud, you must provide an API key (credential) with which BMC Helix Discovery can access the IBM cloud. You can create the access key using the IBM Cloud API keys console. 

  1. Go to Manage > Access (IAM) > API Keys to create a new API key.

  2. You can download the API Key as a JSON file and then import it when you create a cloud credential in BMC Helix Discovery. For more information, see: Cloud credentials.

    If you lose the API key, you cannot retrieve it from the IAM console, you must create a new access key and use the new key in the BMC Helix Discovery cloud credential. You should keep a note of the API key until you have successfully tested the cloud credential. For more information, see: Testing cloud credentials.

Create a cloud credential in BMC Helix Discovery

Create the cloud credential in the same way as any other credential. The cloud credential uses the Access key as the equivalent of a username and password combination.

  1. From the BMC Helix Discovery Device Credentials page, click Add and select Cloud Provider from the drop-down list.
    The Add Credential page is displayed.
  2. Click the plus icon next to Credential Types to see the available Cloud Providers. Select IBM Cloud from the drop-down list.
  3. Add the API Key:
    • Name
    • Value
  4. (Optionally) Specify a proxy to use to access. To use a proxy, you must specify the following:
    • Hostname
    • Port
    • Username (only for authenticating proxies)
    • Password (only for authenticating proxies)
  5. The TLS Certificate Check option can be disabled if your proxy uses self-signed certificates. 


    If you disable the certificate check, your credentials could be intercepted by a man-in-the-middle attack.

  6. Click Apply to save the credential.

Test the credential 

Once you have created the credential, you should test it to ensure that it works.

  1. From the credentials page, click Devices.

  2. Filter the list to show cloud credentials.
  3. Click Actions for the IBM Cloud credential you added, and then click Test.
  4. The default region is US South (Dallas)
  5. Click Test.
    The screen below shows a successful test.

If the credential test was unsuccessful, click on the Failure status to see the details. Ensure that you copied the secret access key correctly.

The BMC Helix Discovery appliance must be able to access IBM using HTTPS (ports 443 and 80).

Run a cloud scan

To perform cloud discovery, from the BMC Helix Discovery Status page, use the Add New run control.

  1. Click Add New run
    The Add a Cloud Run dialog is displayed. Enter a Label for the cloud discovery run.
  2. To add a scheduled cloud run, select Scheduled and fill in the scheduling information as with normally scheduled discovery runs. For more information, see: Scheduling information
  3. Select Cloud.
  4. Select the provider from the drop-down list. Select IBM Cloud
  5. Select the appropriate cloud credential. If none are available, you must add one.
  6. Select the region to scan, for example, for IBMUS South(Dallas). You can also select all regions by clicking the All button.
  7. Click OK.

Examine results

Once you have scanned, you can examine the results.

One more example of the scanning results is represented below: 

Scan the hosts running the VMs in the cloud

To perform a normal scan on the hosts running the VMs discovered in the cloud scan, use the Unscanned Cloud Hosts report on the Cloud Overview dashboard.

Scanning the hosts assumes that the appliance or proxy has network access to hosts running in the cloud, for example, using a VPN.

Public IP addresses do not respond to ICMP pings. You must disable "Ping before scanning", otherwise all scans are dropped reporting no response.

Database discovery

You can discover all supported databases in IBM Cloud. At the time of the release of BMC Helix Discovery 11.3, the following are supported:

  • MySQL
  • PostgreSQL

The following information is required to discover databases in IBM Cloud:

  • Endpoint – you can identify the database endpoint using the RDS Dashboard in the IBM Cloud Console. 
  • Incoming connections – you must permit incoming connections with a rule for an IP address or set of IP addresses. For example, to permit access to a MySQL database, from a single IP address, you would add a rule with the following parameters:
    • Type - MySQL
    • Protocol - TCP
    • Port Range - 3306
    • Source -

Then the database can be discovered as any MySQL database in your estate.

BMC Helix Discovery database credential


To discover a Database appropriate Database credentials must be created.

Information about Database credentials is available here in the Database credentials paragraph.

IBM Cloud discovery patterns

The GCP discovery patterns are available on the Manage > Knowledge page. They are located in the Pattern modules list, under Cloud > IBM

Related topics

For more information, refer to the following topics:

Was this page helpful? Yes No Submitting... Thank you