Roles in Boundary manage the permissions given to principals (Users/Groups). Roles can be defined at the global, org, or project scopes.
In this example we create a role in Boundary, assign grants to that role, and assign principals to it.
Note that all resource IDs in this example are for illustration only. IDs are uniquely generated for every resource upon creation, the one exception being the resources that dev mode generates. Use the resource IDs that are printed when you run the commands yourself: after boundary roles create, for instance, use the role ID shown on stdout, not the ID from the example command.
Roles can live in the global, org, or project scope. In this example we create the role in the org scope that dev mode generates (o_1234567890 in the output below).
$ boundary roles create -scope-id o_1234567890 -name my_role -description "My first role"

Role information:
  Created Time:       Fri, 09 Oct 2020 14:19:22 PDT
  Description:        My first role
  Grant Scope ID:     o_1234567890
  ID:                 r_kHY8tQteXr
  Name:               my_role
  Updated Time:       Fri, 09 Oct 2020 14:19:22 PDT
  Version:            1

  Scope:
    ID:               o_1234567890
    Name:             Generated org scope
    Parent Scope ID:  global
    Type:             org
Grants describe the actions that the role's principals are allowed to perform. For details on how grants are written, see Permission Grant Formats.
In this example we give the role list permission on every resource in the scope. The grant string id=*;type=*;actions=no-op,list matches every resource ID and type; list allows enumerating collections, and no-op is a placeholder action that lets matching resources appear in list output without granting read or any other action on them. A role that should also be able to read those resources needs read in its actions list; this grant alone does not give it. The $role_id variable below holds the role ID printed by the create command.
$ boundary roles add-grants -id $role_id -grant 'id=*;type=*;actions=no-op,list'

Role information:
  Created Time:       Fri, 09 Oct 2020 14:45:47 PDT
  Description:        My first role
  Grant Scope ID:     o_1234567890
  ID:                 r_CqEl81Io1C
  Name:               test
  Updated Time:       Fri, 09 Oct 2020 17:15:47 PDT
  Version:            3

  Scope:
    ID:               o_1234567890
    Name:             Generated org scope
    Parent Scope ID:  global
    Type:             org

  Principals:
    ID:               u_gAv6YgVtVs
    Type:             user
    Scope ID:         o_1234567890

  Canonical Grants:
    id=*;type=*;actions=list,no-op
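The whole sequence (create the role, add the grant, attach a principal) as a small POSIX shell script. This is an added example, not code from the Boundary documentation or project: it captures the generated role ID from the CLI's table output so it never has to be copied by hand, which is exactly the mistake the ID note above warns about. It assumes the boundary CLI is on PATH and already authenticated against a controller (in dev mode, BOUNDARY_ADDR=http://127.0.0.1:9200 after boundary authenticate). The function names and the ORG_ID, USER_ID and BOUNDARY_APPLY variables are this example's own, not Boundary conventions.

```shell
#!/bin/sh
# Added example, not part of the Boundary docs: script the create-role,
# add-grants, add-principals sequence and capture the generated role ID
# from the CLI output instead of copying it by hand. Assumes the
# `boundary` CLI is on PATH and already authenticated against a controller
# (dev mode: BOUNDARY_ADDR=http://127.0.0.1:9200 after `boundary authenticate`).
# Function names and the ORG_ID/USER_ID/BOUNDARY_APPLY variables are this
# example's own, not Boundary conventions.

# Print the first "ID:" value from Boundary's table output. The role's own
# ID is printed before the nested Scope block, so the first match is the
# role ID, not the scope ID.
first_id() {
    awk '$1 == "ID:" { print $2; exit }'
}

# create_role SCOPE_ID NAME DESCRIPTION -> prints the new role's ID
create_role() {
    boundary roles create -scope-id "$1" -name "$2" -description "$3" | first_id
}

# add_grant ROLE_ID GRANT_STRING
# Boundary stores grants in canonical form with the actions sorted, which
# is why 'actions=no-op,list' is shown back as 'actions=list,no-op'.
add_grant() {
    boundary roles add-grants -id "$1" -grant "$2" >/dev/null
}

# add_principal ROLE_ID PRINCIPAL_ID  (a user u_... or group g_... ID)
add_principal() {
    boundary roles add-principals -id "$1" -principal "$2" >/dev/null
}

# setup_list_only_role SCOPE_ID USER_ID -> prints the role ID
# The resulting role can enumerate every resource in the scope but read
# none of them: no-op makes resources appear in list output without
# granting read, update, delete or any other action on them.
setup_list_only_role() {
    role_id=$(create_role "$1" my_role "My first role")
    if [ -z "$role_id" ]; then
        echo "create_role: no ID found in CLI output" >&2
        return 1
    fi
    add_grant "$role_id" 'id=*;type=*;actions=no-op,list' || return 1
    add_principal "$role_id" "$2" || return 1
    echo "$role_id"
}

# Only talk to the controller when explicitly asked, e.g.
#   BOUNDARY_APPLY=1 ORG_ID=o_1234567890 USER_ID=u_gAv6YgVtVs sh roles.sh
if [ -n "${BOUNDARY_APPLY:-}" ]; then
    setup_list_only_role "${ORG_ID:?set ORG_ID to the org scope ID}" \
                         "${USER_ID:?set USER_ID to the user ID}"
fi
```

Parsing the table output works because the role's own ID line precedes the nested Scope block; if you have jq available, boundary ... -format json piped through jq -r .item.id is the sturdier choice, since it does not depend on field order. The script intentionally grants only no-op and list, so a user attached to the role can see what exists in the scope without being able to read, update or connect to anything; add read (or the specific actions you need) to the grant string only when that is the intended level of access.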