Access Control

Access control is a powerful system for managing user and group access in a single place. Updates are applied near-instantly (within seconds) to destination infrastructure, making it possible to escalate and revoke a user's access on-demand.


Access is managed via Access Grants. These records determine determine who can access what with which permission or role. Grants tie three components together to enable access:

  • A user or group (e.g.
  • A role (e.g. admin)
  • A resource (e.g. dev-cluster)



Infra allows granting different levels of access via roles, such as view, edit or admin. Different infrastructure destinations support different roles. For example, view a list of roles supported by Kubernetes.


A resource is an infrastructure resource managed by Infra. Examples include:

  • A Kubernetes cluster (e.g. dev-cluster)
  • A Kubernetes namespace (e.g. dev-cluster.kube-system)

Granting access

To grant access, use infra grants add. Note: the user you grant access to must already exist. To grant a user the edit role on a cluster named staging run:

infra grants add staging --role edit

Note: the same command can be used to grant access to a group using the boolean --group flag:

infra grants add --group engineering staging --role edit

Revoking access

To revoke access, use infra grants remove:

infra grants remove staging --role edit

Inspecting access

infra grants list
  USER                 ROLE     DESTINATION     edit     development  view     production

  Engineering    edit      development.monitoring
  Engineering    view      production
  Design         edit      development.web