`RoleBinding` resources in the Cloud API. The schema is as follows:
- `roleRef`: Reference to the Predefined Role.
- `subjects`: List of subjects (also known as principals) to be bound to the role. It can be a [User Account](/cloud/security/authentication/user-accounts), a ServiceAccount, or an IdentityPool.
- `resourceNameRestriction`: Optional field to restrict the role binding to specific resources; it limits the scope of the role binding to those resources. Refer to the Conditional Role Bindings section for more details.

`<predefined-role-name>` to a service account `<service-account-name>`.

`rolebinding.yaml` to bind a predefined role to a service account.

`snctl apply`.

`Ready` state.

`snctl edit` to update a role binding directly.

`rolebinding.yaml` and apply it using `snctl apply`.

`rolebinding.role` label.

`-${role_name}` refers to a predefined role.

`rolebinding.subject` label.

The value for the `rolebinding.subject` label must be a sanitized version of the account name. You must replace the `@` symbol with an underscore (`_`).
`topic-producer` role to only work within a specific namespace, or on topics with names that start with a certain prefix. StreamNative Cloud allows you to express these conditions by specifying resource attributes.
The following example shows how to bind the `topic-producer` role to a service account named `service-account-1` with conditions that limit its access to:

- instance `ins-a`
- cluster `cluster-a`
- tenant `tenant-a`
- namespace `ns-a`

With this binding, `service-account-1` can only produce messages to topics within the specified namespace (`tenant-a/ns-a`) on that particular instance and cluster.
| StreamNative CLI Flag | Terraform Attribute | Description |
|---|---|---|
| `--resource-common-organization` | `organization` | The organization name |
| `--resource-common-instance` | `instance` | The StreamNative Cloud instance |
| `--resource-common-cluster` | `cluster` | The Pulsar cluster |
| `--resource-common-tenant` | `tenant` | The tenant |
| `--resource-common-namespace` | `namespace` | The namespace |
| `--resource-common-topic` | `topic` | The topic name |
| `--resource-pulsar-topic-domain` | `pulsar_topic_domain` | The topic domain (`persistent` or `non-persistent`) |
| `--resource-pulsar-subscription-name` | `pulsar_subscription_name` | The subscription name |
| `--resource-kafka-consumerGroup-name` | `kafka_consumer_group_name` | The Kafka consumer group name |
| `--resource-kafka-transaction-id` | `kafka_transaction_id` | The Kafka transaction ID |
| `--resource-schema-subject` | `schema_subject` | The schema subject |
| `--resource-cloud-serviceAccount-name` | `cloud_service_account_name` | The service account name |
| `--resource-cloud-apikey-name` | `cloud_apikey_name` | The API key name |
| `--resource-cloud-secret-name` | `cloud_secret_name` | The secret name |
- `startsWith('prefix')`: Matches resources that start with the given prefix.
- `endsWith('suffix')`: Matches resources that end with the given suffix.
- `matches('regex')`: Matches resources using a regular expression. The syntax follows Google's RE2 syntax.
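To make the `rolebinding.subject` sanitization rule and the three condition functions concrete, here is an added Python example (not StreamNative's own code) that models how a `resourceNameRestriction` could be evaluated against a resource before a produce request is allowed. The attribute names come from the Terraform column of the table above; the dictionary layout, the exact-match semantics for plain values, the anchored (full-string) matching for `matches()`, the fail-closed handling of a missing attribute, and the use of Python's `re` module as a stand-in for RE2 are all assumptions of this example, as is the sample data.

```python
import re

# Constructed sample data modelling the example on this page: the
# topic-producer binding for service-account-1 restricted to instance ins-a,
# cluster cluster-a, tenant tenant-a, namespace ns-a. Attribute names follow
# the Terraform attribute column of the table; the dict shape and the
# evaluation rules below are assumptions of this example, not the Cloud API.
NAMESPACE_RESTRICTION = {
    "instance": "ins-a",
    "cluster": "cluster-a",
    "tenant": "tenant-a",
    "namespace": "ns-a",
}

# Constructed resource descriptions, as an authorizer would see them.
TOPIC_IN_SCOPE = {
    "instance": "ins-a", "cluster": "cluster-a",
    "tenant": "tenant-a", "namespace": "ns-a", "topic": "orders",
}
TOPIC_OTHER_TENANT = dict(TOPIC_IN_SCOPE, tenant="tenant-b")
TOPIC_OTHER_CLUSTER = dict(TOPIC_IN_SCOPE, cluster="cluster-b")


def sanitize_subject(account_name: str) -> str:
    """Value for the rolebinding.subject label: every '@' becomes '_'."""
    return account_name.replace("@", "_")


# Parses the startsWith('...'), endsWith('...') and matches('...') forms.
_CONDITION = re.compile(r"^(startsWith|endsWith|matches)\('([^']*)'\)$")


def condition_allows(condition: str, value: str) -> bool:
    """True if `value` satisfies `condition`.

    A condition is either a plain string (assumed here to mean exact match)
    or one of the startsWith/endsWith/matches forms listed on this page.
    """
    m = _CONDITION.match(condition)
    if m is None:
        return value == condition
    func, arg = m.groups()
    if func == "startsWith":
        return value.startswith(arg)
    if func == "endsWith":
        return value.endswith(arg)
    # matches(): Python's re stands in for RE2 (assumption: the simple
    # patterns used here behave the same in both). fullmatch anchors the
    # pattern, so 'orders-[a-z]+' does not accept 'orders-eu-prod-extra'.
    return re.fullmatch(arg, value) is not None


def restriction_allows(restriction: dict, resource: dict) -> bool:
    """Every attribute named in the restriction must be present on the
    resource and satisfy its condition; attributes the restriction does not
    mention are unconstrained. A missing attribute is a deny (fail closed)."""
    return all(
        attr in resource and condition_allows(cond, resource[attr])
        for attr, cond in restriction.items()
    )


if __name__ == "__main__":
    print(sanitize_subject("alice@example.com"))
    print(restriction_allows(NAMESPACE_RESTRICTION, TOPIC_IN_SCOPE))
    print(restriction_allows(NAMESPACE_RESTRICTION, TOPIC_OTHER_TENANT))
    # Narrow the same binding further to topics with a given prefix.
    prefix_restriction = dict(NAMESPACE_RESTRICTION, topic="startsWith('orders-')")
    print(restriction_allows(prefix_restriction, dict(TOPIC_IN_SCOPE, topic="orders-eu")))
```

Two design choices are worth noting for anyone writing such checks: a restriction that names an attribute the resource does not carry is treated as a deny rather than a pass, and `matches()` is anchored to the whole resource name, so a regular expression intended to cover one naming pattern cannot be satisfied by a longer name that merely contains that pattern.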