Access Roles & RBAC

Akeyless RBAC follows the principle of least privilege: each machine or human user receives only the minimum set of permissions it needs to do its work.

An Access Role groups the permissions granted to the clients that authenticate through the Authentication Methods associated with it. You can define any number of roles, each with its own set of permissions.


Access Roles can grant permissions on Secrets & Encryption Keys, Targets, Authentication Methods and Access Roles. They also control user access to audit logs, analytics, Gateway settings and Secure Remote Access information.

For a user to work with any item in the platform, an Access Role with the appropriate permissions must be associated with the Authentication Method that represents that user. By default, users have no permissions in Akeyless unless they are granted explicitly.

To associate an Authentication Method with a role from the Akeyless Command Line Interface (CLI), first create an API Key Authentication Method:

akeyless create-auth-method --name client1

Create a new access role:

akeyless create-role --name role1

Allow all the Authentication Methods associated with the role to access every Secret and Encryption Key under /path/to/folder/ with read, create and update permissions (note that, per the permission hierarchy below, update and delete are only effective when list is also granted):

akeyless set-role-rule --role-name role1 --path "/path/to/folder/*" --capability read --capability create --capability update

To give the role access to other item types, such as Targets, Authentication Methods or Access Roles, set the rule type in the command:

akeyless set-role-rule --role-name role1 --path "/path/to/folder/*" --rule-type target-rule --capability read --capability create --capability update
akeyless set-role-rule --role-name role1 --path "/path/to/folder/*" --rule-type auth-method-rule --capability read --capability create --capability update
akeyless set-role-rule --role-name role1 --path "/path/to/folder/*" --rule-type role-rule --capability read --capability create --capability update

Although users have no access to items unless it is granted explicitly, you can protect sensitive items that fall under a broader grant by denying all the Authentication Methods associated with a role access to a specific item, for example /path/to/folder/topSecret (deny overrides any permission granted by another rule):

akeyless set-role-rule --role-name role1 --path /path/to/folder/topSecret --capability deny

Associate client1 with role1, so that client1 can access all items under /path/to/folder/ except /path/to/folder/topSecret:

akeyless assoc-role-am --role-name role1 --am-name client1

For example, in the Akeyless Console you can configure an Access Role named "Jenkins environment" for the API Key Authentication Method "Client1", with specific permissions per path.


Access Roles Syntax

Permission Hierarchy

Deny overrides all permissions.
List is a required permission to grant delete or update.

A rule can be scoped to a single item:

In this example the rule grants read permission on mysecret, which is located in the /foo folder:

akeyless set-role-rule --role-name role1 --path "/foo/mysecret" --capability read

To grant access to all secrets that share a well-defined prefix:

In this example the rule grants read permission on every secret under /foo whose name starts with the devops- prefix:

akeyless set-role-rule --role-name role1 --path "/foo/devops-*" --capability read

In addition, a + matches any number of characters within a single path segment (it does not cross a /), unlike *, which also spans sub-folders:

akeyless set-role-rule --role-name role1 --path "foo/+/+/bar/*" --capability read

This rule permits reading secrets under paths such as foo/any/folder/bar/* or foo/other/folder/bar/*, but not, for example, foo/any/bar/* (one segment too few).
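To make the rule semantics above concrete, here is an added, illustrative Python model of how the CLI procedure earlier on this page (role1 with its grant and deny rules) and the path syntax in this section combine into an access decision. It is not Akeyless's own evaluation code. It assumes that * matches any run of characters including /, that + matches any run of characters except /, that the default rule type for Secrets & Encryption Keys is called "item-rule", and it reads "List is a required permission to grant delete or update" as "update and delete are only effective when list is also granted"; all four are assumptions.

```python
import re
from dataclasses import dataclass, field

# Illustrative model of the rule syntax described on this page; it is not
# Akeyless's own matcher. Assumptions: '*' matches any run of characters
# including '/', '+' matches any run of characters except '/', and the
# default rule type for secrets and keys is named "item-rule".

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a rule path such as "/foo/devops-*" or "foo/+/+/bar/*"
    into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")       # unbounded: also spans sub-folders
        elif ch == "+":
            parts.append("[^/]*")    # bounded to one path segment
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def path_matches(pattern: str, item_path: str) -> bool:
    return pattern_to_regex(pattern).match(item_path) is not None

@dataclass
class Rule:
    path: str
    capabilities: frozenset
    rule_type: str = "item-rule"

@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)

    def set_rule(self, path, capabilities, rule_type="item-rule"):
        """Mirrors `akeyless set-role-rule --role-name ... --path ... --capability ...`."""
        self.rules.append(Rule(path, frozenset(capabilities), rule_type))
        return self

def effective_capabilities(roles, item_path, rule_type="item-rule"):
    """Union of the capabilities of every matching rule across all roles
    associated with the Authentication Method. A matching deny rule wins
    outright, and with no matching rule the result is empty (no access)."""
    granted = set()
    for role in roles:
        for rule in role.rules:
            if rule.rule_type == rule_type and path_matches(rule.path, item_path):
                if "deny" in rule.capabilities:
                    return frozenset()
                granted |= rule.capabilities
    return frozenset(granted)

def is_allowed(roles, item_path, capability, rule_type="item-rule"):
    """Apply the page's permission hierarchy on top of the raw grant:
    delete and update are only effective when list is also granted
    (this reading of "List is a required permission" is an assumption)."""
    caps = effective_capabilities(roles, item_path, rule_type)
    if capability not in caps:
        return False
    if capability in ("delete", "update") and "list" not in caps:
        return False
    return True

def role1_from_page():
    """role1 as configured by the CLI commands on this page."""
    return (Role("role1")
            .set_rule("/path/to/folder/*", {"read", "create", "update"})
            .set_rule("/path/to/folder/*", {"read", "create", "update"}, "target-rule")
            .set_rule("/path/to/folder/*", {"read", "create", "update"}, "auth-method-rule")
            .set_rule("/path/to/folder/*", {"read", "create", "update"}, "role-rule")
            .set_rule("/path/to/folder/topSecret", {"deny"}))

if __name__ == "__main__":
    roles = [role1_from_page()]
    for item in ("/path/to/folder/db-password", "/path/to/folder/topSecret"):
        print(item, sorted(effective_capabilities(roles, item)))
    # Syntax examples from this section
    print(path_matches("/foo/devops-*", "/foo/devops-db"))
    print(path_matches("foo/+/+/bar/*", "foo/any/folder/bar/x"))
    print(path_matches("foo/+/+/bar/*", "foo/any/bar/x"))
```

Running it shows that the broad grant on /path/to/folder/* is cancelled for topSecret by the deny rule, that the update capability granted to role1 is not usable until list is added to the same rule, and that foo/+/+/bar/* requires exactly two folder segments between foo and bar where foo/*/bar/* would accept any depth.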