Managing Role Bindings

This page shows how to create, view, update, and delete role bindings using cofidectl and Terraform.

  • You must be logged in: cofidectl connect login
  • You must hold the RoleBinding-owner or admin role on the target resource (or an ancestor of it).
List role bindings:

```shell
# List all role bindings you can see
cofidectl role-binding list
# Filter by role
cofidectl role-binding list --role-id TrustZone-owner
# Filter by resource type and ID
cofidectl role-binding list --resource-type TrustZone --resource-id <trust-zone-id>
# Filter by user subject
cofidectl role-binding list --user-subject <subject>
# Filter by group claim value
cofidectl role-binding list --group-claim-value <claim-value>
```

Grant a role to a user (identified by their JWT subject claim):

```shell
cofidectl role-binding add \
  --role-id TrustZone-owner \
  --resource-type TrustZone \
  --resource-id <trust-zone-id> \
  --user-subject [email protected]
```

Grant a role to a group (identified by a group claim value):

```shell
cofidectl role-binding add \
  --role-id Cluster-viewer \
  --resource-type Cluster \
  --resource-id <cluster-id> \
  --group-claim-value platform-team
```

Valid --resource-type values for role bindings are: System, Organization, TrustZone, Cluster.

View the details of a single role binding:

```shell
cofidectl role-binding get <role-binding-id>
```

Change the role on an existing binding:

```shell
cofidectl role-binding update \
  <role-binding-id> \
  --role-id Organization-viewer
```

Delete a role binding:

```shell
cofidectl role-binding del <role-binding-id>
```

Use the cofide_connect_role_binding resource to manage role bindings as code.

Grant TrustZone-owner to a user on a trust zone

```hcl
resource "cofide_connect_role_binding" "alice_tz_owner" {
  role_id = "TrustZone-owner"
  resource {
    type = "TrustZone"
    id   = cofide_connect_trust_zone.my_trust_zone.id
  }
  user {
    subject = "[email protected]"
  }
}
```

Grant Cluster-viewer to a group on a cluster

```hcl
resource "cofide_connect_role_binding" "platform_cluster_viewer" {
  role_id = "Cluster-viewer"
  resource {
    type = "Cluster"
    id   = cofide_connect_cluster.my_cluster.id
  }
  group {
    claim_value = "platform-team"
  }
}
```

Granting organisation-level access to a team

Assign Organization-owner to a group so that an entire team can manage trust zones and attestation policies within an organisation:

```hcl
resource "cofide_connect_role_binding" "ops_org_owner" {
  role_id = "Organization-owner"
  resource {
    type = "Organization"
    id   = var.org_id
  }
  group {
    claim_value = "ops-team"
  }
}
```

Give a sub-team ownership of a specific trust zone without granting access to the wider organisation:

```hcl
resource "cofide_connect_role_binding" "network_tz_owner" {
  role_id = "TrustZone-owner"
  resource {
    type = "TrustZone"
    id   = cofide_connect_trust_zone.network.id
  }
  group {
    claim_value = "network-team"
  }
}
```

Because permissions flow down the hierarchy, this also grants network-team cluster management rights for every cluster in the network trust zone.

It may be desirable to delegate access control management for some part of the hierarchy to a sub-team. Following on from the previous example, we could allow network-team to manage role bindings for their trust zone.

```hcl
resource "cofide_connect_role_binding" "security_rb_owner" {
  role_id = "RoleBinding-owner"
  resource {
    type = "TrustZone"
    id   = cofide_connect_trust_zone.network.id
  }
  group {
    claim_value = "network-team"
  }
}
```

This could be used by network-team to create Cluster-viewer role bindings for the whole trust zone or specific clusters within it, providing visibility into the active identities and workloads.
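To check who ends up holding which role once bindings inherit down the hierarchy (the inheritance described under the organisation-level example and the delegation to network-team above), here is an added Python model of the page's semantics; it is illustrative code, not Cofide's implementation. It assumes a binding matches a principal by JWT subject or by group claim value and applies to its resource and every descendant; the hierarchy, resource ids and principals are constructed, and the bindings mirror the Terraform examples on this page.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed hierarchy mirroring the page's --resource-type values; each entry
# maps a (type, id) resource to its parent, with the root System mapped to None.
HIERARCHY = {
    ("System", "system"): None,
    ("Organization", "org-1"): ("System", "system"),
    ("TrustZone", "network"): ("Organization", "org-1"),
    ("Cluster", "edge-a"): ("TrustZone", "network"),
    ("TrustZone", "payments"): ("Organization", "org-1"),
    ("Cluster", "pay-1"): ("TrustZone", "payments"),
}

@dataclass(frozen=True)
class Binding:
    role_id: str
    resource: Tuple[str, str]
    user_subject: Optional[str] = None       # matches the JWT subject claim
    group_claim_value: Optional[str] = None  # matches a value of the group claim

def ancestors(resource):
    """Yield the resource itself, then each ancestor up to the root System."""
    while resource is not None:
        yield resource
        resource = HIERARCHY[resource]

def matches(b: Binding, subject: str, groups: FrozenSet[str]) -> bool:
    if b.user_subject is not None:
        return b.user_subject == subject
    return b.group_claim_value in groups

def effective_roles(bindings, subject, groups, resource):
    """Roles held on `resource`, including those inherited from its ancestors."""
    chain = set(ancestors(resource))
    return sorted({b.role_id for b in bindings
                   if b.resource in chain and matches(b, subject, groups)})

def holds_role(bindings, subject, groups, role_id, resource) -> bool:
    return role_id in effective_roles(bindings, subject, groups, resource)

# Constructed bindings, taken from the page's Terraform examples.
BINDINGS = [
    Binding("Organization-owner", ("Organization", "org-1"), group_claim_value="ops-team"),
    Binding("TrustZone-owner", ("TrustZone", "network"), group_claim_value="network-team"),
    Binding("RoleBinding-owner", ("TrustZone", "network"), group_claim_value="network-team"),
    Binding("Cluster-viewer", ("Cluster", "pay-1"), user_subject="alice"),
]
```

Running `effective_roles` for a member of network-team against a cluster in the network trust zone shows both inherited roles, while the same member holds nothing on the payments trust zone, which is the scoping the delegation example relies on.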