-
Notifications
You must be signed in to change notification settings - Fork 2
Migrating from Role Grants to Access Rules
To increase flexibility when managing thousands of Resources, Role Grants have been deprecated in favor of Access Rules, which allow you to grant access based on Resource Tags and Type.
The following examples demonstrate the deprecated Role Grants, Dynamic Access Rules with Tags and Resource Types, and Static Access Rules for backwards compatibility with Role Grants.
This guide only applies to version 2.0 and up of the Go SDK. Prior to 2.0, the SDK includes only rudimentary beta support for access rules. Prior to 0.9.33, it does not support access rules at all. We strongly recommend upgrading to 2.0 when it is available.
Furthermore, before you can use access rules, your organization must undergo the "Access Overhaul" migration to enable the new UI and a myriad of other features. Contact [email protected] to learn more.
Previously, you would grant a role access to specific resources by ID via role grants:
role := &sdm.Role{
Name: "Engineering",
}
roleResp, err := client.Roles().Create(ctx, role)
if err != nil {
return err
}
role = roleResp.Role
resource := &sdm.Redis{
Name: "Session Cache Server",
Hostname: "example.com",
Port: 6379,
PortOverride: 4020,
Tags: sdm.Tags{
"region": "us-west",
"env": "dev",
},
}
resourceResp, err := client.Resources().Create(ctx, resource)
if err != nil {
return err
}
resource = resourceResp.Resource.(*sdm.Redis)
roleGrant := &sdm.RoleGrant{
RoleID: role.ID,
ResourceID: resource.GetID(),
}
roleGrantResp, err := client.RoleGrants().Create(ctx, roleGrant)
if err != nil {
return err
}
roleGrant = roleGrantResp.RoleGrantWhen using Access Rules the best practice is to grant Resources access based on Type and Tags.
role := &sdm.Role{
Name: "Engineering",
AccessRules: sdm.AccessRules{
// grant access to all dev environment resources in us-west
sdm.AccessRule{
Tags: sdm.Tags{
"region": "us-west",
"env": "dev",
},
},
// grant access to all postgres resources
sdm.AccessRule{
Type: "postgres",
},
// grant access to all redis resources in us-east
sdm.AccessRule{
Type: "redis",
Tags: sdm.Tags{
"region": "us-east",
},
},
},
}
roleResp, err := client.Roles().Create(ctx, role)
if err != nil {
return err
}
role = roleResp.RoleIf it is necessary to grant access to specific Resources in the same way as RoleGrants did, you can use Resource IDs directly in Access Rules.
resourceResp, err := client.Resources().Get(ctx, resourceID)
if err != nil {
return err
}
resource := resourceResp.Resource
roleResp, err := client.Roles().Get(ctx, roleID)
if err != nil {
return err
}
role := roleResp.Role
role.AccessRules = sdm.AccessRules{
sdm.AccessRule{
IDs: []string{resource.GetID()},
}
}
updateResp, err := client.Roles().Update(ctx, role)
if err != nil {
return err
}
role = updateResp.RoleIf you like, you can also write your access rules in raw JSON:
accessRulesJSON := `[
{ "type": "postgres", "tags": {"env": "prod"} },
{ "ids": ["rs-1234"] }
]`
accessRules, err := sdm.ParseAccessRulesJSON(accessRulesJSON)
if err != nil {
return err
}
role.AccessRules = accessRules
// ...