Manage Roles and Permissions

Roles in Boundary manage the permissions given to principals (Users/Groups). Roles can be defined at the global, org, or project scopes.

In this example, we’re going to show you how to create a role in Boundary, assign grants to that role, and assign principals to the role.

Note that all resource IDs in this example are for illustration only. IDs are uniquely generated for every resource upon creation, with the exception of generated resources in dev mode. Make sure to use the resource IDs that are generated when you run this example. For example, if you run boundary roles create, use the resource ID of the role shown in stdout, not the ID in the example command.

Create a Role

Roles can live in the global, org, or project scopes. In this example we will create a role in the generated org scope in dev mode.

    $ boundary roles create -scope-id o_1234567890 -name my_role -description "My first role"
    Role information:
      Created Time: Fri, 09 Oct 2020 14:19:22 PDT
      Description: My first role
      Grant Scope ID: o_1234567890
      ID: r_kHY8tQteXr
      Name: my_role
      Updated Time: Fri, 09 Oct 2020 14:19:22 PDT
      Version: 1
      Scope:
        ID: o_1234567890
        Name: Generated org scope
        Parent Scope ID: global
        Type: org

Assign Principals to a Role

Users and groups are granted permissions to perform actions by assigning them to a role.

    $ boundary roles add-principals -id $role_id -principal $principal_id
    Role information:
      Created Time: Fri, 09 Oct 2020 14:45:47 PDT
      Description: My first role
      Grant Scope ID: o_1234567890
      ID: r_CqEl81Io1C
      Name: test
      Updated Time: Fri, 09 Oct 2020 16:31:39 PDT
      Version: 2
      Scope:
        ID: o_1234567890
        Name: Generated org scope
        Parent Scope ID: global
        Type: org
      Principals:
        ID: u_gAv6YgVtVs
          Type: user
          Scope ID: o_1234567890

Assign Grants to a Role

Grants describe the actions that the principals should be allowed to perform. For more information on how to format grants see Permission Grant Formats. In this example we give a role read and list permissions to all resources.

    $ boundary roles add-grants -id $role_id -grant 'id=*;type=*;actions=read,list'
    Role information:
      Created Time: Fri, 09 Oct 2020 14:45:47 PDT
      Description: My first role
      Grant Scope ID: o_1234567890
      ID: r_CqEl81Io1C
      Name: test
      Updated Time: Fri, 09 Oct 2020 17:15:47 PDT
      Version: 3
      Scope:
        ID: o_1234567890
        Name: Generated org scope
        Parent Scope ID: global
        Type: org
      Principals:
        ID: u_gAv6YgVtVs
          Type: user
          Scope ID: o_1234567890
      Canonical Grants:
        id=*;type=*;actions=list,read
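
A pre-flight check for grant strings like the one above, as an added example that is not part of the Boundary documentation or code base: it parses the three fields this page uses, rebuilds the string with sorted actions as the Canonical Grants line shows, and reports wildcard breadth so a reviewer sees it before the grant is applied. The function names, the accepted key set and the samples other than this page's grant are assumptions of the example.

```python
# Added example (not Boundary code): lint a grant string before `roles add-grants`.
# Assumption: only the three keys used on this page are accepted.
KNOWN_KEYS = ("id", "type", "actions")


def parse_grant(grant):
    """Split 'id=*;type=*;actions=read,list' into a dict; actions become a list."""
    fields = {}
    for part in grant.strip().split(";"):
        key, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not value:
            raise ValueError(f"malformed segment: {part!r}")
        if key not in KNOWN_KEYS or key in fields:
            raise ValueError(f"unexpected or duplicate key: {key!r}")
        fields[key] = value
    actions = [a.strip() for a in fields.get("actions", "").split(",")]
    if "" in actions:
        raise ValueError("grant has a missing or empty action")
    fields["actions"] = actions
    return fields


def canonical(fields):
    """Rebuild the string with de-duplicated, sorted actions (list,read on this page)."""
    parts = [f"{k}={fields[k]}" for k in ("id", "type") if k in fields]
    parts.append("actions=" + ",".join(sorted(set(fields["actions"]))))
    return ";".join(parts)


def findings(fields):
    """Return least-privilege warnings for wildcard use in the parsed grant."""
    out = []
    if fields.get("id") == "*" and fields.get("type") == "*":
        out.append("matches every resource of every type in the grant scope")
    if "*" in fields["actions"]:
        out.append("allows every action")
    return out


# Constructed samples: the first is the grant from this page, the rest are hypothetical.
SAMPLES = [
    "id=*;type=*;actions=read,list",
    "id=*;type=target;actions=list",
    "id=*;type=*;actions=*",
]

if __name__ == "__main__":
    for grant in SAMPLES:
        parsed = parse_grant(grant)
        print(canonical(parsed), "->", findings(parsed) or "no wildcard findings")
```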