This guide covers both basic and advanced techniques for managing role bindings. Recommend to reviewing the Predefined Role for a complete list of available roles and for examples of how to binding them. You can manage role bindings by using snctl or StreamNative Terraform Provider. Support for the Cloud Console will be available soon.

Role Bindings

Role bindings are used to bind roles to principals. They are defined as RoleBinding resources in the Cloud API. The schema is as follows:
apiVersion: cloud.streamnative.io/v1alpha1
kind: RoleBinding
metadata:
  name: <name>
  namespace: <namespace>
spec:
  resourceNameRestriction:
    common:
      instance: <instanceName>
      cluster: <clusterID>
      tenant: <tenantName>
      namespace: <namespaceName>
  roleRef:
    apiGroup: cloud.streamnative.io
    kind: ClusterRole
    name: <roleName>
  subjects:
    - apiGroup: cloud.streamnative.io
      kind: <subject type> # User, ServiceAccount, Identity Pool
      name: <subject name>
  • roleRef: Reference to the Predefined Role.
  • subjects: List of subjects (also known as principals) to be bound to the role. It can be a [User Account]](/cloud/security/authentication/user-accounts), a ServiceAccount, or an IdentityPool.
  • resourceNameRestriction: Optional field to restrict the role binding to specific resources. It can be used to limit the scope of the role binding to a specific resource. Refer to the Conditional Role Bindings section for more details.

Create Role Bindings

You can create a role binding by using the following methods:
You can create a role binding by running the following command to bind a predefined role <predefined-role-name> to a service account <service-account-name>.
snctl create rolebinding <role-binding-name> \
  --clusterrole <predefined-role-name> \
  --serviceaccount <service-account-name>
Alternatively, you can prepare the manifest file rolebinding.yaml to bind a predefined role to a service account.
apiVersion: cloud.streamnative.io/v1alpha1
kind: RoleBinding
metadata:
  name: <name>
  namespace: <namespace>
spec:
  roleRef:
    apiGroup: cloud.streamnative.io
    kind: ClusterRole
    name: <predefined-role-name>
  subjects:
    - apiGroup: cloud.streamnative.io
      kind: ServiceAccount
      name: <service-account-name>
Then apply it using snctl apply.
snctl apply -f rolebinding.yaml
After creating the role binding, you can verify it by running the following command:
snctl get rolebinding <name>
You should be able to see the role binding is in the Ready state.

Update Role Bindings

You can update a role binding by using the following methods:
You can use snctl edit to update a role binding directly.
snctl edit rolebinding <name>
Alternatively, you can update the file rolebinding.yaml and apply it using snctl apply.
snctl apply -f rolebinding.yaml

Delete Role Bindings

You can delete a role binding by using the following methods:
Delete a role binding:
snctl delete rolebinding <name>

Query Role Bindings

You can efficiently query for RoleBinding resources by using a label selector with the -l flag.

Search Role Bindings By Role Name

To find all Role Bindings associated with a specific role, use the rolebinding.role label. -${role_name} refers to a predefined role.
snctl get rolebinding -l rolebinding.role=tenant-admin

Search Role Bindings By Account Name

To find all Role Bindings assigned to a specific user or service account, use the rolebinding.subject label. The value for the rolebinding.subject label must be a sanitized version of the account name. You must replace the @ symbol with an underscore _.
snctl get rolebinding -l rolebinding.subject=user_example.com

Conditional Role Bindings

While basic role bindings associate a role with an account across the entire organization, conditional role bindings provide more granular control by scoping permissions to specific resources. For example, you may want to restrict a topic-producer role to only work within a specific namespace, or on topics with names that start with a certain prefix. StreamNative Cloud allows you to express these conditions by specifying resource attributes. The following example shows how to bind the topic-producer role to a service account named service-account-1 with conditions that limit its access to:
  • Instance: ins-a
  • Cluster: cluster-a
  • Tenant: tenant-a
  • Namespace: ns-a
snctl create rolebinding <role-binding-name> \
   --clusterrole topic-producer \
   --serviceaccount service-account-1 \
   --resource-common-instance ins-a \
   --resource-common-cluster cluster-a \
   --resource-common-tenant tenant-a \
   --resource-common-namespace ns-a
With these conditions, service-account-1 can only produce messages to topics within the specified namespace (tenant-a/ns-a) on that particular instance and cluster.

Available Resource Attributes

You can set conditions on the following resource attributes when creating a role binding.
Streamnative CLI FlagTerraform AttributeDescription
--resource-common-organizationorganizationThe organization name
--resource-common-instanceinstanceThe StreamNative Cloud instance
--resource-common-clusterclusterThe Pulsar cluster
--resource-common-tenanttenantThe tenant
--resource-common-namespacenamespaceThe namespace
--resource-common-topictopicThe topic name
--resource-pulsar-topic-domainpulsar_topic_domainThe topic domain (persistent or non-persistent)
--resource-pulsar-subscription-namepulsar_subscription_nameThe subscription name
--resource-kafka-consumerGroup-namekafka_consumer_group_nameThe Kafka consumer group name
--resource-kafka-transaction-idkafka_transaction_idThe Kafka transaction ID
--resource-schema-subjectschema_subjectThe schema subject
--resource-cloud-serviceAccount-namecloud_service_account_nameThe service account name
--resource-cloud-apikey-namecloud_apikey_nameThe API key name
--resource-cloud-secret-namecloud_secret_nameThe secret name

Advanced Conditions with Functions

For more sophisticated access control, you can use functions within the resource condition values to match patterns. This is useful for granting permissions to a group of resources, such as all topics with a specific prefix. The following functions are supported:
  • startsWith('prefix'): Matches resources that start with the given prefix.
  • endsWith('suffix'): Matches resources that end with the given suffix.
  • matches('regex'): Matches resources using a regular expression. The syntax follows Google’s RE2 syntax.