# Manage Access Rules

SecretHub uses access rules to determine whether an account is allowed to perform certain actions.

Access rules are defined on a directory and give an account access rights: `read`, `write` or `admin` permissions. An access rule applies to the directory itself and to all the secrets and directories it contains.

Access rules on the repository root are special. Not only do they grant permissions on all contents of the repository, they also grant permissions on the repository itself. For instance, only users with `admin` permissions on the repository root may invite other users to join.
## All Commands

To manage access rules, you can use the following commands:

- `acl check` - check permissions on a path
- `acl ls` - list access rules
- `acl set` - create or update access rules
- `acl rm` - remove access rules
## Check

To check what permissions accounts have on a specific directory, use the `acl check` command:

```
secrethub acl check [options] <namespace>/<repo>[/<dir>] [<account-name>]
```

The `acl check` command prints a list of all accounts that have access to the given directory and their corresponding permission.

### Arguments

- `<namespace>/<repo>[/<dir>]` (string) - The path to the directory to check permissions for.
- `[<account-name>]` (string) - Optionally display only the permission for the given account.
## List

To list access rules that apply to a given path, you can use the `acl ls` command:

```
secrethub acl ls [options] <namespace>/<repo>[/<dir>]
```

The `acl ls` command prints out a list of access rules defined on the directory itself or on any of its descendants.

### Arguments

- `<namespace>/<repo>[/<dir>]` (string) - The path to the directory to list access rules for.

### Flags

- `--depth` (int) - The maximum depth to which the rules of child directories should be displayed. Setting it to 0 means no rules of child directories are shown.
- `--all` (boolean) - List all rules that apply on the directory itself, including rules defined on parent directories.
## Set

To set an access rule on a given path, you can use the `acl set` command:

```
secrethub acl set [options] <namespace>/<repo>[/<dir>] <account-name> <permission>
```

The `acl set` command works like an upsert, either creating a new rule or updating an existing one.

### Arguments

- `<namespace>/<repo>[/<dir>]` (string) - The path to the directory to set the access rule on.
- `<account-name>` (string) - The account name (username or service name) to set the access rule for.
- `<permission>` (string) - The permission to grant with the access rule, must be either `read` (read-only), `write` (read and write), or `admin` (read, write and admin).
## Remove

To remove an access rule for an account on a directory, you can use the `acl rm` command:

```
secrethub acl rm [options] <namespace>/<repo>[/<dir>] <account-name>
```

The `acl rm` command removes an access rule, so the SecretHub servers will deny the account access afterwards.

However, it is important to note that removing an access rule does not actually revoke an account from the repository and consequently does NOT trigger secret rotation. To revoke an account from a repository, use the `repo revoke` command. Read more about the `repo revoke` command on this page.

### Arguments

- `<namespace>/<repo>[/<dir>]` (string) - The path to the directory to remove the access rule from.
- `<account-name>` (string) - The account name (username or service name) whose access rule to remove.
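The following is an added example, not SecretHub's own code: a small in-memory model of the rule semantics described on this page (rules on a directory apply to everything beneath it, root rules also govern the repository itself, `acl set` upserts, `acl rm` only deletes the rule) with functions mirroring `acl check`, `acl ls` (`--depth`, `--all`), `acl set` and `acl rm`. The page does not say how SecretHub resolves an account that has rules on both a directory and one of its parents; this model assumes the rule on the nearest directory wins, and that assumption, along with all account and path names, is constructed for the demo.

```python
"""Toy model of SecretHub-style directory access rules (added example, not SecretHub code)."""
from typing import Dict, List, Optional, Tuple

# Permission levels from the page: write includes read, admin includes read and write.
PERMISSIONS = {"read": 1, "write": 2, "admin": 3}

Rule = Tuple[str, str, str]  # (directory path, account name, permission)


def _segments(path: str) -> List[str]:
    return [s for s in path.strip("/").split("/") if s]


def repo_root(path: str) -> str:
    """'<namespace>/<repo>[/<dir>]' -> '<namespace>/<repo>'."""
    segs = _segments(path)
    if len(segs) < 2:
        raise ValueError(f"path must be <namespace>/<repo>[/<dir>]: {path!r}")
    return "/".join(segs[:2])


def ancestors(path: str) -> List[str]:
    """The directory itself, then each parent up to and including the repository root."""
    segs = _segments(path)
    return ["/".join(segs[:n]) for n in range(len(segs), 1, -1)]


def allows(granted: str, required: str) -> bool:
    """True if a granted permission level covers the required one (e.g. write covers read)."""
    return PERMISSIONS[granted] >= PERMISSIONS[required]


class AccessControl:
    def __init__(self) -> None:
        # One rule per (directory, account); a directory can carry rules for many accounts.
        self._rules: Dict[str, Dict[str, str]] = {}

    def set(self, path: str, account: str, permission: str) -> None:
        """acl set: upsert, creating the rule or replacing the existing one."""
        if permission not in PERMISSIONS:
            raise ValueError(f"permission must be one of {sorted(PERMISSIONS)}: {permission!r}")
        self._rules.setdefault("/".join(_segments(path)), {})[account] = permission

    def rm(self, path: str, account: str) -> None:
        """acl rm: delete the rule only. As the page notes, this neither revokes the
        account from the repository nor rotates any secrets it could previously read."""
        key = "/".join(_segments(path))
        if account not in self._rules.get(key, {}):
            raise KeyError(f"no rule for {account!r} on {key!r}")
        del self._rules[key][account]
        if not self._rules[key]:
            del self._rules[key]

    def ls(self, path: str, depth: Optional[int] = None, all_rules: bool = False) -> List[Rule]:
        """acl ls: rules on the directory and its descendants (limited by --depth);
        with all_rules (--all) also the rules defined on parent directories."""
        base = _segments(path)
        out: List[Rule] = []
        for directory, accounts in self._rules.items():
            segs = _segments(directory)
            is_parent = len(segs) < len(base) and base[: len(segs)] == segs
            is_self_or_child = len(segs) >= len(base) and segs[: len(base)] == base
            if is_self_or_child:
                if depth is not None and len(segs) - len(base) > depth:
                    continue
            elif not (all_rules and is_parent):
                continue
            out.extend((directory, acc, perm) for acc, perm in accounts.items())
        return sorted(out)

    def check(self, path: str, account: Optional[str] = None) -> Dict[str, str]:
        """acl check: effective permission per account on `path`.
        Assumption (not stated on the page): the rule on the nearest directory wins."""
        effective: Dict[str, str] = {}
        for directory in ancestors(path):  # nearest directory first
            for acc, perm in self._rules.get(directory, {}).items():
                effective.setdefault(acc, perm)
        if account is not None:
            return {account: effective[account]} if account in effective else {}
        return effective

    def can_invite(self, path: str, account: str) -> bool:
        """Root rules also cover the repository itself: only root admins may invite users."""
        return self._rules.get(repo_root(path), {}).get(account) == "admin"


if __name__ == "__main__":
    ac = AccessControl()  # constructed sample repo "acme/backend"
    ac.set("acme/backend", "alice", "admin")
    ac.set("acme/backend/prod", "ci-service", "read")
    ac.set("acme/backend/prod/db", "ci-service", "write")
    print(ac.check("acme/backend/prod/db"))
    print(ac.ls("acme/backend/prod", depth=0, all_rules=True))
    print("alice may invite:", ac.can_invite("acme/backend/prod", "alice"))
```

Two things the model makes visible that the command reference alone does not: a service granted `read` on a parent directory keeps that access to every new secret created beneath it, so the directory a rule is placed on, not just the permission level, determines blast radius; and after `rm` the account simply disappears from `check` output while anything it already read remains valid until rotated via `repo revoke`.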