Manage Access Rules

SecretHub uses access rules to determine whether an account is allowed to perform certain actions. Access rules are defined on a directory and give an account access rights: read, write or admin permissions. An access rule applies to the directory itself and all the secrets and directories it contains.

Access rules on the repository root are special. Not only do they grant permissions on all contents of the repository, it also grants permission on the repository itself. For instance, only users with admin permissions on the repository root may invite other users to join.

All Commands

To manage access rules, you can use the following commands:


To check what permissions accounts have on a specific directory, use the acl check command:

secrethub acl check [options] <namespace>/<repo>[/dir] [<account-name>]

The acl check command prints a list of all accounts that have access to the given directory and their corresponding permission.


<namespace>/<repo>[/<dir>] (string)
The path to the directory to check permissions for.
[<account-name>] (string)
Optionally display only the permission for the given account.


To list access rules that apply to a given path, you can use the acl ls command:

secrethub acl ls [options] <namespace>/<repo>[/<dir>]

The acl ls command prints out a list of access rules defined on the directory itself or on any of its descendants.


<namespace>/<repo>[/<dir>] (string)
The path to the directory to list access rules for.


--depth (int)
The maximum depth to which the rules of child directories should be displayed. Setting it to 0 means no rules of child directories are shown.
--all (boolean)
List all rules that apply on the directory itself, including rules defined on parent directories.


To set an access rule on a given path, you can use the acl set command:

secrethub acl set [options] <namespace>/<repo>[/<dir>] <account-name> <permission>

The acl set command works like an upsert, either creating a new rule or updating an existing one.


The path to the directory to set the access rule on.
<account-name> (string)
The account name (username or service name) to set the access rule for.
<permission> (string)
The permission to grant with the access rule, must be either read (read-only), write (read and write), or admin (read, write and admin).


To remove an access rule for an account on a directory, you can use the acl rm command:

secrethub acl rm [options] <namespace>/<repo>[/<dir>] <account-name>

The acl rm command removes an access rule so the SecretHub servers will deny the account access afterwards. However, it is important to note that removing an access rule does not actually revoke an account from the repository and consequently does NOT trigger secret rotation. To revoke an account from a repository, you can use the repo revoke command. Read more about the repo revoke command on this page.


<namespace>/<repo>[/<dir>] (string)
The path to the directory to remove the access rule from.
<account-name> (string)
The account name (username or service name) whose access rule to remove.