RBAC
Manage Role Bindings on StreamNative Cloud
This guide covers both basic and advanced techniques for managing role bindings. Recommend to reviewing the Predefined Role for a complete list of available roles and for examples of how to binding them.
You can manage role bindings by using snctl or StreamNative Terraform Provider. Support for the Cloud Console will be available soon.
With these conditions,
Role Bindings
Role bindings are used to bind roles to principals. They are defined asRoleBinding resources in the Cloud API. The schema is as follows:
roleRef: Reference to the Predefined Role.subjects: List of subjects (also known as principals) to be bound to the role. It can be a [User Account]](/cloud/security/authentication/user-accounts), a ServiceAccount, or an IdentityPool.resourceNameRestriction: Optional field to restrict the role binding to specific resources. It can be used to limit the scope of the role binding to a specific resource. Refer to the Conditional Role Bindings section for more details.
Create Role Bindings
You can create a role binding by using the following methods:You can create a role binding by running the following command to bind a predefined role Alternatively, you can prepare the manifest file Then apply it using After creating the role binding, you can verify it by running the following command:You should be able to see the role binding is in the
<predefined-role-name> to a service account <service-account-name>.rolebinding.yaml to bind a predefined role to a service account.snctl apply.Ready state.Update Role Bindings
You can update a role binding by using the following methods:You can use Alternatively, you can update the file
snctl edit to update a role binding directly.rolebinding.yaml and apply it using snctl apply.Delete Role Bindings
You can delete a role binding by using the following methods:Delete a role binding:
Query Role Bindings
You can efficiently query for RoleBinding resources by using a label selector with the -l flag.Search Role Bindings By Role Name
To find all Role Bindings associated with a specific role, use therolebinding.role label.
-${role_name} refers to a predefined role.
Search Role Bindings By Account Name
To find all Role Bindings assigned to a specific user or service account, use therolebinding.subject label.
The value for the rolebinding.subject label must be a sanitized version of the account name. You must replace the @ symbol with an underscore _.
Conditional Role Bindings
While basic role bindings associate a role with an account across the entire organization, conditional role bindings provide more granular control by scoping permissions to specific resources. For example, you may want to restrict atopic-producer role to only work within a specific namespace, or on topics with names that start with a certain prefix. StreamNative Cloud allows you to express these conditions by specifying resource attributes.
The following example shows how to bind the topic-producer role to a service account named service-account-1 with conditions that limit its access to:
- Instance:
ins-a - Cluster:
cluster-a - Tenant:
tenant-a - Namespace:
ns-a
service-account-1 can only produce messages to topics within the specified namespace (tenant-a/ns-a) on that particular instance and cluster.
Available Resource Attributes
You can set conditions on the following resource attributes when creating a role binding.| Streamnative CLI Flag | Terraform Attribute | Description |
|---|---|---|
--resource-common-organization | organization | The organization name |
--resource-common-instance | instance | The StreamNative Cloud instance |
--resource-common-cluster | cluster | The Pulsar cluster |
--resource-common-tenant | tenant | The tenant |
--resource-common-namespace | namespace | The namespace |
--resource-common-topic | topic | The topic name |
--resource-pulsar-topic-domain | pulsar_topic_domain | The topic domain (persistent or non-persistent) |
--resource-pulsar-subscription-name | pulsar_subscription_name | The subscription name |
--resource-kafka-consumerGroup-name | kafka_consumer_group_name | The Kafka consumer group name |
--resource-kafka-transaction-id | kafka_transaction_id | The Kafka transaction ID |
--resource-schema-subject | schema_subject | The schema subject |
--resource-cloud-serviceAccount-name | cloud_service_account_name | The service account name |
--resource-cloud-apikey-name | cloud_apikey_name | The API key name |
--resource-cloud-secret-name | cloud_secret_name | The secret name |
Advanced Conditions with Functions
For more sophisticated access control, you can use functions within the resource condition values to match patterns. This is useful for granting permissions to a group of resources, such as all topics with a specific prefix. The following functions are supported:startsWith('prefix'): Matches resources that start with the given prefix.endsWith('suffix'): Matches resources that end with the given suffix.matches('regex'): Matches resources using a regular expression. The syntax follows Google’s RE2 syntax.