RoleBinding resources in the Cloud API. The schema is as follows:

- `roleRef`: Reference to the Predefined Role.
- `subjects`: List of subjects (also known as principals) to be bound to the role. It can be a [User Account](/cloud/security/authentication/user-accounts), a ServiceAccount, or an IdentityPool.

`<predefined-role-name>` to a service account `<service-account-name>`.

`rolebinding.yaml` to bind a predefined role to a service account.

`snctl apply`.

`Ready` state.

`snctl edit` to update a role binding directly.

`rolebinding.yaml` and apply it using `snctl apply`.

`rolebinding.role` label.
`-${role_name}` refers to a predefined role.

`rolebinding.subject` label.

The value for the `rolebinding.subject` label must be a sanitized version of the account name. You must replace the `@` symbol with an underscore `_`.
`topic-producer` role to a service account named `service-account-1` with conditions that limit its access to:

- `ins-a`
- `cluster-a`
- `tenant-a`
- `ns-a`

`service-account-1` can only produce messages to topics within the specified namespace (`tenant-a/ns-a`) on that particular instance and cluster.
`snctl` and `streamnative` provider for Terraform when creating RoleBindings.

`srn` variable in CEL expressions and contains the following fields:

- `instance`: The StreamNative Cloud instance
- `cluster`: The Pulsar cluster
- `tenant`: The tenant
- `namespace`: The namespace
- `topic_domain`: The topic domain (persistent or non-persistent)
- `topic_name`: The name of the topic
- `subscription`: The subscription name
- `servie_account`: The service account name (used for “service-account-admin” role)
- `secret`: The secret name (used for “secret” role)

`tenant-admin` for multi resources:

- `tenant-a` and `tenant-b`
- `cluster-a` and `cluster-b`
- `ins-1` and `ins-2`