Created
September 28, 2017 18:14
# Example 1: one person sharing a credential with another.
# Two users and a single variable; each user gets an explicit permit.
- !user sue
- !user bob
- !variable super-secret-word

# Bob can retrieve the secret (read + execute) but not change it.
- !permit
  privileges: [ read, execute ]
  resource: !variable super-secret-word
  role: !user bob

# Sue can retrieve the secret and also set a new value (update).
- !permit
  privileges: [ read, execute, update ]
  resource: !variable super-secret-word
  role: !user sue
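# ----------------------------------------------
# Example 2: credential sharing with groups.
- !user sue
- !user bob
- !user evan
- !variable super-secret-word

# A developers group holding Bob and Evan.
- !group developers
- !grant
  role: !group developers
  members:
    - !user bob
    - !user evan

# A sec-ops group holding Sue.
- !group sec-ops
- !grant
  role: !group sec-ops
  member: !user sue

# Permission groups. Privileges on the variable are attached only to
# these groups, never to the team groups; a team's access is then
# changed by granting or revoking membership rather than by editing
# !permit statements.

# secrets-users may retrieve the secret (read + execute).
- !group secrets-users
- !permit
  resource: !variable super-secret-word
  privileges: [ read, execute ]
  role: !group secrets-users

# Developers become secrets-users and may therefore retrieve the secret.
- !grant
  member: !group developers
  role: !group secrets-users

# secrets-managers may set the secret (update). read/execute are not
# listed here on purpose: the last grant below makes every
# secrets-manager a secrets-user, so those privileges are inherited.
- !group secrets-managers
- !permit
  resource: !variable super-secret-word
  privileges: [ update ]
  role: !group secrets-managers

# sec-ops become secrets-managers and may therefore set the secret.
- !grant
  member: !group sec-ops
  role: !group secrets-managers

# secrets-managers inherit the retrieve privileges of secrets-users.
# Both references carry the !group tag, like every other grant in this
# file; bare names would not resolve to the existing groups.
- !grant
  member: !group secrets-managers
  role: !group secrets-users
# ----------------------------------------------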
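# Example 3: a simple web application that needs a database username
# and password to connect. Everything the application needs lives in
# the nested policy "my-app"; the tag is !policy (no trailing colon),
# with id and body as its attributes.
- !policy
  id: my-app
  body:
    # The two secrets the application reads.
    - &variables
      - !variable database/username
      - !variable database/password

    # The production machines the application runs on.
    - &hosts
      - !host production-my-app-1
      - !host production-my-app-2
      - !host production-my-app-3

    # A layer grouping the hosts. It has no explicit id and is referred
    # to below simply as !layer.
    - !layer
    - !grant
      members: *hosts
      role: !layer

    # First attempt, kept for reference: permit the layer and the
    # managers directly on the variables.
    # - !permit
    #   resource: *variables
    #   privileges: [ read, execute ]
    #   role: !layer
    #
    # - !permit
    #   resource: *variables
    #   privileges: [ read, execute, update ]
    #   role: !group secrets-managers

    # Refactored form: privileges are attached to permission groups and
    # the layer is granted membership, so the application's access is
    # managed by group membership rather than by editing !permit
    # statements.

    # secrets-users may retrieve the secrets (read + execute).
    - !group secrets-users
    - !permit
      resource: *variables
      privileges: [ read, execute ]
      role: !group secrets-users

    # secrets-managers may set the secrets (update); they inherit
    # read/execute from secrets-users through the grant that follows.
    - !group secrets-managers
    - !permit
      resource: *variables
      privileges: [ update ]
      role: !group secrets-managers
    - !grant
      member: !group secrets-managers
      role: !group secrets-users

    # The application's hosts may retrieve the secrets.
    - !grant
      member: !layer
      role: !group secrets-users

    # Give the sec-ops group write access by making it a member of
    # secrets-managers. In a !grant, "member" is who receives the access
    # and "role" is what is received (compare the sec-ops grant in
    # example 2); reversing them would make secrets-managers a member of
    # sec-ops and give sec-ops nothing.
    # sec-ops is not declared inside my-app (example 2 declares it at
    # the root), so it is referenced by absolute path with a leading
    # "/". NOTE(review): confirm the group really lives at the root.
    - !grant
      member: !group /sec-ops
      role: !group secrets-managers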