Managing access rules
SecretHub uses access rules to determine whether an account is allowed to perform certain actions. Access rules are defined on a directory and give an account access rights: an access rule applies to the directory itself and to all the secrets and directories it contains.
Access rules on the repository root are special. Not only do they grant permissions on all contents of the repository, they also grant permissions on the repository itself. For instance, only users with admin permissions on the repository root may invite other users to join.
To manage access rules, use the acl subcommand. Each command is described in detail below.
- acl check - check permissions on a path
- acl ls - list access rules
- acl set - create or update access rules
- acl rm - remove access rules
To check what permissions accounts have on a specific directory, use the acl check command:
secrethub acl check [options] <namespace>/<repo>[/dir] [<account-name>]
The acl check command prints a list of all accounts that have access to the given directory, together with their effective permission.
- <namespace>/<repo>[/dir]: the path to the directory to check permissions for.
- [<account-name>]: optionally display only the permission for the given account.
To list the access rules that apply to a given path, use the acl ls command:
secrethub acl ls [options] <namespace>/<repo>[/<dir>]
The acl ls command prints a list of the access rules defined on the directory itself or on any of its descendants.
- <namespace>/<repo>[/<dir>]: the path to the directory to list access rules for.
- The maximum depth to which the rules of child directories are displayed. Setting it to 0 means no rules of child directories are shown.
- List all rules that apply to the directory itself, including rules defined on parent directories.
To set an access rule on a given path, use the acl set command:
secrethub acl set [options] <namespace>/<repo>[/<dir>] <account-name> <permission>
The acl set command works like an upsert: it either creates a new rule or updates an existing one.
- <namespace>/<repo>[/<dir>]: the path to the directory to set the access rule on.
- <account-name>: the account name (username or service name) to set the access rule for.
- <permission>: the permission to grant with the access rule; must be read, write (read and write), or admin (read, write and admin).
To remove an access rule for an account on a directory, use the acl rm command:
secrethub acl rm [options] <namespace>/<repo>[/<dir>] <account-name>
The acl rm command removes an access rule, so the SecretHub servers will deny the account access afterwards. However, it is important to note that removing an access rule does not actually revoke the account from the repository and consequently does NOT trigger secret rotation. To revoke an account from a repository, use the repo revoke command, which is documented on its own page.
- <namespace>/<repo>[/<dir>]: the path to the directory to remove the access rule from.
- <account-name>: the account name (username or service name) whose access rule to remove.
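The following is an added example, not SecretHub's own code: a small in-memory model of how the rules behind acl check, acl ls, acl set and acl rm resolve, useful for reasoning about what a rule on a parent directory grants further down the tree. It assumes paths of the form "<namespace>/<repo>/dir" and, since the page does not say how overlapping rules combine, that the rule on the nearest ancestor directory wins.

```python
# Added example, not SecretHub's own code: an in-memory model of directory
# access rules. Paths look like "<namespace>/<repo>/dir".
# Assumption (not stated on the page): when several rules apply to a path,
# the rule defined on the nearest ancestor directory wins.
from typing import Dict, Optional, Tuple

PERMISSIONS = ("read", "write", "admin")  # each level includes the ones before it


def _is_within(path: str, directory: str) -> bool:
    """True if path is the directory itself or lies somewhere beneath it."""
    return path == directory or path.startswith(directory + "/")


class AccessRules:
    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str], str] = {}  # (directory, account) -> permission

    def set(self, directory: str, account: str, permission: str) -> None:
        """acl set: upsert, creating the rule or replacing the existing one."""
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r}")
        self.rules[(directory, account)] = permission

    def rm(self, directory: str, account: str) -> None:
        """acl rm: drop the rule on exactly this directory (no revoke, no rotation)."""
        del self.rules[(directory, account)]

    def ls(self, directory: str, depth: Optional[int] = None, all_rules: bool = False):
        """acl ls: rules on the directory and its descendants up to `depth` levels
        down (0 = the directory only); with all_rules, also rules from parents."""
        out = {}
        for (rule_dir, account), perm in self.rules.items():
            if _is_within(rule_dir, directory):
                below = 0 if rule_dir == directory else rule_dir[len(directory) + 1:].count("/") + 1
                if depth is None or below <= depth:
                    out[(rule_dir, account)] = perm
            elif all_rules and _is_within(directory, rule_dir):
                out[(rule_dir, account)] = perm
        return out

    def check(self, path: str, account: Optional[str] = None):
        """acl check: effective permission of every account on `path`, or of one account."""
        nearest: Dict[str, Tuple[str, str]] = {}
        for (rule_dir, acct), perm in self.rules.items():
            if _is_within(path, rule_dir) and (acct not in nearest or len(rule_dir) > len(nearest[acct][0])):
                nearest[acct] = (rule_dir, perm)  # deeper directory overrides shallower
        effective = {acct: perm for acct, (_, perm) in nearest.items()}
        return effective if account is None else effective.get(account)

    def may_invite(self, repo_root: str, account: str) -> bool:
        """Root rules also govern the repository itself: only root admins may invite."""
        return self.rules.get((repo_root, account)) == "admin"
```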