Migrating from Role Grants to Access Rules
To increase flexibility when managing thousands of Resources, Role Grants have been deprecated in favor of Access Rules, which allow you to grant access based on Resource Tags and Type.
The following examples demonstrate the deprecated Role Grants, Dynamic Access Rules with Tags and Resource Types, and Static Access Rules for backwards compatibility with Role Grants.
This guide only applies to version 2.0 and up of the Python SDK. Prior to 2.0, the SDK includes only rudimentary beta support for access rules. Prior to 1.0.27, it does not support access rules at all. We strongly recommend upgrading to 2.0 when it is available.
Furthermore, before you can use access rules, your organization must undergo the "Access Overhaul" migration to enable the new UI and a myriad of other features. Contact [email protected] to learn more.
Previously, you would grant a role access to specific resources by ID via role grants:
import strongdm

# client is an already-initialized strongdm.Client (construction omitted here)
role = strongdm.Role(name="Engineering")
role = client.roles.create(role).role

resource = strongdm.Redis(
    name="Session Cache Server",
    hostname="example.com",
    port=6379,
    port_override=4020,
    tags={"env": "dev", "region": "us-west"},
)
resource = client.resources.create(resource).resource

# Deprecated: a Role Grant ties one role to one resource by ID
role_grant = strongdm.RoleGrant(
    role_id=role.id,
    resource_id=resource.id,
)
role_grant = client.role_grants.create(role_grant).role_grant
When using Access Rules, the best practice is to grant access to Resources based on Type and Tags rather than by individual Resource ID.

role = strongdm.Role(
    name="Engineering",
    access_rules=[
        # grant access to all dev environment resources in us-west
        {
            "tags": {
                "region": "us-west",
                "env": "dev",
            },
        },
        # grant access to all postgres resources
        {
            "type": "postgres",
        },
        # grant access to all redis resources in us-east
        {
            "type": "redis",
            "tags": {
                "region": "us-east",
            },
        },
    ],
)
role = client.roles.create(role).role
If it is necessary to grant access to specific Resources in the same way as Role Grants did, you can use Resource IDs directly in Access Rules.

# resource_id and role_id are the IDs of an existing Resource and Role
resource = client.resources.get(resource_id).resource
role = client.roles.get(role_id).role

# a static rule: an explicit list of Resource IDs, no Type or Tag matching
role.access_rules = [
    {"ids": [resource.id]},
]
role = client.roles.update(role).role
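To make the two styles of rule concrete, and to check a migration before it is applied to a live organization, here is an added example that is not part of the strongDM SDK or of the original page. It models the Resource and Role Grant objects with small dataclasses (constructed for the example, not the SDK's classes), implements the matching semantics the comments above describe (a rule with both "type" and "tags" requires the type to match and every listed tag to be present with the same value; rules in a list are OR'ed; an "ids" rule matches only the listed IDs, an assumption this example makes about the product's semantics), and converts legacy Role Grants into one static "ids" rule per role so the before/after access sets can be compared.

```python
"""Added example (not strongDM's own code): in-memory model of the access-rule
semantics described on this page, plus a Role Grant -> static Access Rule
converter and a check that the conversion preserves access exactly."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Resource:
    """Minimal stand-in for an SDK resource object (constructed for this example)."""
    id: str
    type: str
    tags: dict = field(default_factory=dict)


@dataclass
class RoleGrant:
    """Minimal stand-in for the deprecated strongdm.RoleGrant (constructed)."""
    role_id: str
    resource_id: str


def rule_matches(rule: dict, resource: Resource) -> bool:
    """Return True if a single access rule grants access to `resource`.

    Assumed semantics: an "ids" rule is exact membership; otherwise "type"
    (if present) must equal the resource type AND every tag in the rule must
    be present on the resource with the same value.
    """
    if "ids" in rule:
        return resource.id in rule["ids"]
    if "type" in rule and rule["type"] != resource.type:
        return False
    for key, value in rule.get("tags", {}).items():
        if resource.tags.get(key) != value:
            return False
    return True


def resources_granted(access_rules: list, resources: list) -> set:
    """IDs of every resource reachable through any rule (rules are OR'ed)."""
    return {r.id for r in resources if any(rule_matches(rule, r) for rule in access_rules)}


def role_grants_to_access_rules(role_grants: list) -> dict:
    """Collapse legacy role grants into one static {"ids": [...]} rule per role."""
    ids_by_role = defaultdict(list)
    for grant in role_grants:
        if grant.resource_id not in ids_by_role[grant.role_id]:
            ids_by_role[grant.role_id].append(grant.resource_id)
    return {role_id: [{"ids": sorted(ids)}] for role_id, ids in ids_by_role.items()}


def migration_preserves_access(role_grants: list, resources: list) -> bool:
    """True if every role reaches exactly the same resource set before and after."""
    migrated = role_grants_to_access_rules(role_grants)
    for role_id, rules in migrated.items():
        before = {g.resource_id for g in role_grants if g.role_id == role_id}
        if resources_granted(rules, resources) != before:
            return False
    return True


# Constructed sample inventory (IDs and tags are made up for this example).
INVENTORY = [
    Resource("rs-1", "redis", {"env": "dev", "region": "us-west"}),
    Resource("rs-2", "postgres", {"env": "prod", "region": "us-east"}),
    Resource("rs-3", "redis", {"env": "prod", "region": "us-east"}),
    Resource("rs-4", "redis", {"env": "prod", "region": "us-west"}),
]

# The three dynamic rules from the "Engineering" role shown on this page.
ENGINEERING_RULES = [
    {"tags": {"region": "us-west", "env": "dev"}},
    {"type": "postgres"},
    {"type": "redis", "tags": {"region": "us-east"}},
]

# Constructed legacy grants, including a duplicate that the converter collapses.
LEGACY_GRANTS = [
    RoleGrant("r-eng", "rs-1"),
    RoleGrant("r-eng", "rs-4"),
    RoleGrant("r-eng", "rs-1"),
    RoleGrant("r-ops", "rs-2"),
]

if __name__ == "__main__":
    print(sorted(resources_granted(ENGINEERING_RULES, INVENTORY)))  # ['rs-1', 'rs-2', 'rs-3']
    print(role_grants_to_access_rules(LEGACY_GRANTS))
    print(migration_preserves_access(LEGACY_GRANTS, INVENTORY))  # True
```

Note that rs-4 (redis, prod, us-west) is reached by none of the dynamic rules even though it is a redis resource, because the redis rule also requires the us-east tag. This is the point of tag-based rules: a resource's tags decide which roles reach it, so a newly created or re-tagged resource changes access without any role being edited. When moving to dynamic rules, treat the ability to edit tags as an access-control privilege and review it accordingly.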
If you like, you can also write your access rules in raw JSON:
import json

access_rules_json = '''[
    { "type": "postgres", "tags": {"env": "prod"} },
    { "ids": ["rs-1234"] }
]'''
role.access_rules = json.loads(access_rules_json)
# ...
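Hand-written JSON is easy to get subtly wrong, and a misspelled key changes what a role can reach. The following added example (not part of the SDK or of the original page) validates raw access-rule JSON before it is assigned to a role. The accepted keys ("type", "tags", "ids") are the ones used on this page; the shape checks (a rule must carry at least one constraint, "ids" is not mixed with "type"/"tags", tags are string-to-string) are this example's own conservative policy, not a statement of what the strongDM API accepts or rejects.

```python
"""Added example (not strongDM's own code): lint raw access-rule JSON before
assigning it to role.access_rules."""
import json

# Keys used by the access rules on this page; anything else is flagged.
ALLOWED_KEYS = {"type", "tags", "ids"}


def validate_access_rules(text: str) -> list:
    """Return a list of human-readable problems; an empty list means the JSON passed."""
    problems = []
    try:
        rules = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(rules, list):
        return ["top-level value must be a list of rules"]
    for i, rule in enumerate(rules):
        where = f"rule[{i}]"
        if not isinstance(rule, dict):
            problems.append(f"{where}: must be an object")
            continue
        unknown = sorted(set(rule) - ALLOWED_KEYS)
        if unknown:
            problems.append(f"{where}: unknown keys {unknown}")
        if not set(rule) & ALLOWED_KEYS:
            # Example policy: a rule with no constraint is a configuration error.
            problems.append(f"{where}: no constraints (type, tags or ids) given")
        if "ids" in rule and ({"type", "tags"} & set(rule)):
            problems.append(f"{where}: mixes ids with type/tags; use separate rules")
        if "type" in rule and not isinstance(rule["type"], str):
            problems.append(f"{where}: type must be a string")
        tags = rule.get("tags")
        if tags is not None and not (
            isinstance(tags, dict)
            and all(isinstance(k, str) and isinstance(v, str) for k, v in tags.items())
        ):
            problems.append(f"{where}: tags must be an object of string keys to string values")
        ids = rule.get("ids")
        if ids is not None and not (
            isinstance(ids, list) and ids and all(isinstance(x, str) for x in ids)
        ):
            problems.append(f"{where}: ids must be a non-empty list of strings")
    return problems


def load_access_rules(text: str) -> list:
    """Parse and validate; raise ValueError with every problem instead of assigning bad rules."""
    problems = validate_access_rules(text)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(text)


# The JSON from this page.
RULES_OK = '''[
    { "type": "postgres", "tags": {"env": "prod"} },
    { "ids": ["rs-1234"] }
]'''

# Constructed bad input: a misspelled "tags" key, an empty ids list, an empty rule.
RULES_BAD = '''[
    { "type": "postgres", "tag": {"env": "prod"} },
    { "ids": [] },
    {}
]'''

if __name__ == "__main__":
    print(validate_access_rules(RULES_OK))   # []
    for problem in validate_access_rules(RULES_BAD):
        print(problem)
    # role.access_rules = load_access_rules(RULES_OK)  # then client.roles.update(role)
```

In the bad input, rule[0] still parses as a valid "type": "postgres" rule once the misspelled key is dropped, which would grant the role every postgres resource rather than only the prod ones the author meant. Running the validator in a pre-commit hook or CI step for the repository that holds the JSON catches this before the role is updated.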