Using your IBM Cloud API key to act as a trusted profile

I mentioned previously that an IBM Cloud trusted profile could not create an API key to act on its behalf.

However, if your user ID has permission to act as a trusted profile, you can use your own API key to authenticate as yourself, and then exchange this authentication token for a time-limited token belonging to the trusted profile. You can then use the latter token to perform actions as the trusted profile.

IBM Cloud IAM provides an “assume” API for this purpose. Here is an example of its use:

import requests

# Assumes headers['Authorization'] already holds "Bearer <token>" obtained with my own API key
# Exchange my IAM token for a trusted profile token
tp_exchange = { 'grant_type'   : 'urn:ibm:params:oauth:grant-type:assume',
                'access_token' : headers['Authorization'].split(' ')[1],
                'profile_name' : 'scott-test',
                'account'      : '187851. . .d02e02' }
response = requests.post('https://iam.cloud.ibm.com/identity/token', data = tp_exchange)
response.raise_for_status()  # stop here if IAM refuses the exchange
tp_token = response.json()
# Make subsequent calls using the trusted profile identity
headers['Authorization'] = f"Bearer {tp_token['access_token']}"
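
The same two-step flow as a reusable helper, added here as an example and not code from the original post: it authenticates with the API key, performs the assume exchange, and repeats both steps once the time-limited profile token is close to expiry. The class name, the 60-second skew, the 30-second timeout and reading the expiry from the token's JWT `exp` claim are assumptions of this example.

```python
import base64
import json
import time

IAM_URL = 'https://iam.cloud.ibm.com/identity/token'

def _requests_post(url, data):
    import requests  # imported lazily so a stub transport can be injected instead
    resp = requests.post(url, data=data, timeout=30)
    resp.raise_for_status()
    return resp.json()

def jwt_exp(token):
    """Return the 'exp' claim (epoch seconds) of a JWT; used only for cache timing,
    so the signature is not verified here. Assumes the IAM token is a JWT."""
    payload = token.split('.')[1]
    payload += '=' * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))['exp']

class TrustedProfileSession:
    """Hypothetical helper: hands out Authorization headers for a trusted profile."""

    def __init__(self, api_key, profile_name, account,
                 post=_requests_post, skew=60, now=time.time):
        self.api_key, self.profile_name, self.account = api_key, profile_name, account
        self.post, self.skew, self.now = post, skew, now
        self._token = None  # only the short-lived profile token is cached

    def _exchange(self):
        # Step 1: authenticate as myself with my own API key
        mine = self.post(IAM_URL, {
            'grant_type': 'urn:ibm:params:oauth:grant-type:apikey',
            'apikey': self.api_key})
        # Step 2: exchange my token for a trusted profile token
        profile = self.post(IAM_URL, {
            'grant_type': 'urn:ibm:params:oauth:grant-type:assume',
            'access_token': mine['access_token'],
            'profile_name': self.profile_name,
            'account': self.account})
        return profile['access_token']

    def headers(self):
        # Re-run the exchange when there is no token or it expires within `skew` seconds
        if self._token is None or jwt_exp(self._token) - self.skew <= self.now():
            self._token = self._exchange()
        return {'Authorization': f'Bearer {self._token}'}
```

Call `headers()` before each request rather than storing its result, so a long-running job never sends an expired profile token.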
