Role Bindings
Role bindings are used to bind roles to principals. They are defined asRoleBinding
resources in the Cloud API. The schema is as follows:
roleRef
: Reference to the Predefined Role.subjects
: List of subjects (also known as principals) to be bound to the role. It can be a [User Account]](/cloud/security/authentication/user-accounts), a ServiceAccount, or an IdentityPool.resourceNameRestriction
: Optional field to restrict the role binding to specific resources. It can be used to limit the scope of the role binding to a specific resource. Refer to the Conditional Role Bindings section for more details.
Create Role Bindings
You can create a role binding by using the following methods:You can create a role binding by running the following command to bind a predefined role Alternatively, you can prepare the manifest file Then apply it using After creating the role binding, you can verify it by running the following command:You should be able to see the role binding is in the
<predefined-role-name>
to a service account <service-account-name>
.rolebinding.yaml
to bind a predefined role to a service account.snctl apply
.Ready
state.Update Role Bindings
You can update a role binding by using the following methods:You can use Alternatively, you can update the file
snctl edit
to update a role binding directly.rolebinding.yaml
and apply it using snctl apply
.Delete Role Bindings
You can delete a role binding by using the following methods:Delete a role binding:
Query Role Bindings
You can efficiently query for RoleBinding resources by using a label selector with the -l flag.Search Role Bindings By Role Name
To find all Role Bindings associated with a specific role, use therolebinding.role
label.
-${role_name}
refers to a predefined role.
Search Role Bindings By Account Name
To find all Role Bindings assigned to a specific user or service account, use therolebinding.subject
label.
The value for the rolebinding.subject
label must be a sanitized version of the account name. You must replace the @ symbol with an underscore _.
Conditional Role Bindings
While basic role bindings associate a role with an account across the entire organization, conditional role bindings provide more granular control by scoping permissions to specific resources. For example, you may want to restrict atopic-producer
role to only work within a specific namespace, or on topics with names that start with a certain prefix. StreamNative Cloud allows you to express these conditions by specifying resource attributes.
The following example shows how to bind the topic-producer
role to a service account named service-account-1
with conditions that limit its access to:
- Instance:
ins-a
- Cluster:
cluster-a
- Tenant:
tenant-a
- Namespace:
ns-a
service-account-1
can only produce messages to topics within the specified namespace (tenant-a/ns-a
) on that particular instance and cluster.
Available Resource Attributes
You can set conditions on the following resource attributes when creating a role binding.Streamnative CLI Flag | Terraform Attribute | Description |
---|---|---|
--resource-common-organization | organization | The organization name |
--resource-common-instance | instance | The StreamNative Cloud instance |
--resource-common-cluster | cluster | The Pulsar cluster |
--resource-common-tenant | tenant | The tenant |
--resource-common-namespace | namespace | The namespace |
--resource-common-topic | topic | The topic name |
--resource-pulsar-topic-domain | pulsar_topic_domain | The topic domain (persistent or non-persistent ) |
--resource-pulsar-subscription-name | pulsar_subscription_name | The subscription name |
--resource-kafka-consumerGroup-name | kafka_consumer_group_name | The Kafka consumer group name |
--resource-kafka-transaction-id | kafka_transaction_id | The Kafka transaction ID |
--resource-schema-subject | schema_subject | The schema subject |
--resource-cloud-serviceAccount-name | cloud_service_account_name | The service account name |
--resource-cloud-apikey-name | cloud_apikey_name | The API key name |
--resource-cloud-secret-name | cloud_secret_name | The secret name |
Advanced Conditions with Functions
For more sophisticated access control, you can use functions within the resource condition values to match patterns. This is useful for granting permissions to a group of resources, such as all topics with a specific prefix. The following functions are supported:startsWith('prefix')
: Matches resources that start with the given prefix.endsWith('suffix')
: Matches resources that end with the given suffix.matches('regex')
: Matches resources using a regular expression. The syntax follows Google’s RE2 syntax.