Principal Types
Overview
A “principal” is somewhat of an overloaded term representing an “identity”.
The Control Plane Platform supports 4 principal types.
Each principal type is scoped to an org and can be granted permissions to certain resources or whole resource types through policies.
A user represents a distinct human being. This principal type is associated with an email. A user is a member of one or more orgs. An authorized principal can invite users (by providing their email address) to an org.
A service account is a non-human, often an application that is utilized to consume the API.
A group is a named collection of users and service account. When inviting users to an org, a group can optionally be specified.
An identity is short for workload identity. It is a reusable (can be leveraged by multiple workloads) named principal that is only used by workloads. An identity encapsulates a set of Cloud Access rules. Cloud Access rules define least privilege policies governing access to resources in the org's configured cloud accounts. In addition to Cloud Access rules, an identity also defines a set of Network Resources.
Examples
To allow a user or group access to perform actions within the console, an administrator would create a policy that bounds the user or group to the resource and the necessary permissions.
To allow a workload the ability to access secured resources within Control Plane (e.g., a secret used as an environment variable), an identity is created that is a member of a policy with the required binding.