Access Control

Access control is a powerful system for managing user and group access in a single place. Updates are applied near-instantly (within seconds) to destination infrastructure, making it possible to escalate and revoke a user's access on demand.

Overview

Access is managed via Access Grants. These records determine who can access what with which permission or role. Grants tie three components together to enable access:

  • A user or group (e.g. jeff@acme.co)
  • A role (e.g. admin)
  • A resource (e.g. dev-cluster)


Roles

Infra allows granting different levels of access via roles, such as view, edit or admin. Different infrastructure destinations support different roles. For example, view a list of roles supported by Kubernetes.

Resources

A resource is an infrastructure resource managed by Infra. Examples include:

  • A Kubernetes cluster (e.g. dev-cluster)
  • A Kubernetes namespace (e.g. dev-cluster.kube-system)

Granting access

To grant access, use infra grants add. Note: the user you grant access to must already exist. To grant a user the edit role on a cluster named staging, run:

infra grants add user@example.com staging --role edit

Note: the same command can be used to grant access to a group using the boolean --group flag:

infra grants add --group engineering staging --role edit

Revoking access

To revoke access, use infra grants remove:

infra grants remove user@example.com staging --role edit

Inspecting access

To see which users and groups currently have access, use infra grants list:

infra grants list
  USER                 ROLE     DESTINATION
  jeff@infrahq.com     edit     development
  michael@infrahq.com  view     production

  GROUP          ROLE      DESTINATION
  Engineering    edit      development.monitoring
  Engineering    view      production
  Design         edit      development.web
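
Because access can be escalated on demand, the listing is worth checking periodically against an approved baseline. The following is an added example, not part of Infra or of the original page: it parses text in the infra grants list layout shown above and reports grants that are not in the baseline, baseline grants that are missing, and non-view roles held on a whole cluster rather than a namespace. The baseline set, the extra sample row and the function names are assumptions made for illustration.

```python
from typing import NamedTuple

class Grant(NamedTuple):
    kind: str         # "user" or "group", taken from the section header
    subject: str
    role: str
    destination: str  # "cluster" or "cluster.namespace"

# Constructed sample: the listing above plus one extra, unapproved row.
SAMPLE = """\
  USER                 ROLE     DESTINATION
  jeff@infrahq.com     edit     development
  michael@infrahq.com  view     production
  jeff@infrahq.com     admin    production

  GROUP          ROLE      DESTINATION
  Engineering    edit      development.monitoring
  Engineering    view      production
  Design         edit      development.web
"""

# Hypothetical approved baseline, e.g. a reviewed file kept in version control.
APPROVED = {
    Grant("user", "jeff@infrahq.com", "edit", "development"),
    Grant("user", "michael@infrahq.com", "view", "production"),
    Grant("group", "Engineering", "edit", "development.monitoring"),
    Grant("group", "Engineering", "view", "production"),
    Grant("group", "Design", "edit", "development.web"),
}

def parse_grants(text):
    """Parse the two-section table; assumes names contain no spaces."""
    grants, kind = [], None
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] in ("USER", "GROUP"):   # header row starts a new section
            kind = cols[0].lower()
        elif kind and len(cols) == 3:
            grants.append(Grant(kind, *cols))
    return grants

def review(grants, approved):
    """Return (unexpected, missing, broad) as sorted lists of Grant."""
    current = set(grants)
    # Assumption: any role other than "view" can modify the destination.
    broad = [g for g in current if g.role != "view" and "." not in g.destination]
    return sorted(current - approved), sorted(approved - current), sorted(broad)

if __name__ == "__main__":
    for label, found in zip(("unexpected", "missing", "cluster-wide write"),
                            review(parse_grants(SAMPLE), APPROVED)):
        print(label, [tuple(g) for g in found])
```

Each unexpected entry is a candidate for infra grants remove; each cluster-wide entry is a candidate for narrowing to a namespace.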