Quick Starts

Concepts

Guides

External Logging

Kubernetes (Managed)

Bring your Own Kubernetes (BYOK)

Terraform Provider

Reference

cpln apply

Overview

The cpln apply command is used to automate the management of Control Plane resources using JSON or YAML metadata as input.

This automation can be used for:

GitOps
Scripting
Testing

TIP

Using cpln apply is a good way to leverage the CLI in an idempotent manner.

The usage, limitations, and example templates are described below.

Using the CLI

Using the CLI, the apply command is called by executing:

copy
cpln apply --file FILE_NAME [OPTIONS]

The FILE_NAME is the path for the file and it can be either a JSON or YAML file containing the resource metadata.

To apply an Identity, a Volume Set or a Workload resource you need to specify a GVC in one of the following methods.

Specify a gvc within your cpln profile. This will add the gvc to the session context of the profile and will be refered to as the default gvc when executing any future command including the cpln apply command.
```
copy
cpln profile update PROFILE_NAME --gvc GVC_NAME
```
Specify a --gvc flag to the apply command. This will pass the gvc as an option and will override the default gvc that is defined in the session context of the profile.
```
copy
cpln apply --file FILE_NAME --gvc GVC_NAME
```

Specify a gvc property in the resource definition in the file you wish to apply.

copy
kind: identity
name: example-identity
description: example-description
tags: {}
gvc: example-gvc

NOTE

You can either specify a gvc property or a --gvc flag, you can't specify both.

Click here to view the CLI reference page for the apply command.

Apply a K8s File

The CLI has the ability to convert K8s resources into Control Plane resources. By passing the --k8s true option to the apply command, the K8s resources will be converted and applied.

copy
cpln apply --file FILE_NAME --k8s true

The apply command will use the logic of the CLI convert command and then apply the output.

Apply Standard Input

In case you would like to pass Control Plane resources through stdin (Standard Input), use the following command.

copy
CONTROL_PLANE_RESOURCES | cpln apply --file -

TIP

This is useful if you would like to pass the stdout of a command to the cpln apply command.

Using the Console

The console has the ability to upload a JSON or YAML file or accept a resource definition in JSON or YAML as input. The functionality is the same as using the CLI. To start applying, click the cpln apply button in the upper right corner of the console. A modal will be displayed containing the upload instructions.

The cpln apply modal provides the ability to specify in which org and gvc a resource will be executed. The default is your currently selected org and gvc.

A file or an input containing an Identity, a Volume Set or a Workload resource will be executed in the scope of the specified gvc in the cpln apply modal. In case a gvc is defined within a resource, the resource will be executed in the scope of that gvc.

Multiple Resources

The apply command can accept a YAML file containing multiple resources. Each resource must be separated using ---.

If a resource has a reference to another resource (e.g., a workload refers to a GVC), the referenced resource must be defined in the same file ONLY in case it does not already exist at Control Plane.

Renaming of Resources

If the name of an exisiting resource is changed, the cpln apply command will create a new resource.

NOTE: Any orphaned resources will need to be manually deleted.

Limitations

To create an agent, use the console or the CLI agent command to obtain the bootstrap config data. Using the cpln apply command from the CLI or console does not output the config data.
Before creating a cloud account, additional configuration is required at the target cloud provider. Refer to the Create Cloud Account guide for instructions.
Before creating a domain, the required DNS entries must exist. Refer to the Configure a Domain guide for instructions.

Generate Sample Input

Samples of existing resources can be generated using the console or the CLI. These samples can assist when defining resources for your application.

Using the console:

After selecting a resource, there will be an Actions pull down button in the upper right corner. Inside it you will find the View and Export options.
The View will allow you to see the resource definition as JSON, YAML and Terraform.
For the Export option select JSON Slim or YAML Slim to download the file.

Using the CLI:

Using the get command for each resource, the -o flag can output the resource as JSON or YAML.
For example: The command cpln gvc get GVC_NAME -o yaml-slim --org ORG_NAME will output the GVC_NAME as YAML.

TIP

The json-slim and yaml-slim format options will output only the necessary values needed for a subsequent call to the cpln apply command.

Use in GitOps

The apply command can be used to manage Control Plane resources as part of a CI/CD pipeline.

Refer to the GitOps CLI documentation for additional information.

Example Templates

The examples below can be used as templates when creating your own metadata files.

These files can be download here.

GVC

GVC Reference Page

GVC - JSON

copy
{
  "kind": "gvc",
  "name": "example-gvc",
  "description": "example-gvc description",
  "tags": {
    "tag1": "value1"
  },
  "spec": {
    "pullSecretLinks": ["/org/ORG_NAME/secret/SECRET_NAME"],
    "staticPlacement": {
      "locationLinks": [
        "/org/ORG_NAME/location/aws-eu-central-1",
        "/org/ORG_NAME/location/aws-us-west-2",
        "/org/ORG_NAME/location/azure-eastus2",
        "/org/ORG_NAME/location/gcp-us-east1"
      ]
    }
  }
}

GVC - YAML

copy
kind: gvc
name: example-gvc
description: example-gvc description
tags:
  tag1: value1
spec:
  pullSecretLinks:
    - /org/ORG_NAME/secret/SECRET_NAME
  staticPlacement:
    locationLinks:
      - /org/ORG_NAME/location/aws-eu-central-1
      - /org/ORG_NAME/location/aws-us-west-2
      - /org/ORG_NAME/location/azure-eastus2
      - /org/ORG_NAME/location/gcp-us-east1

Cloud Accounts

Cloud Accounts Reference Page

Cloud Account - AWS - JSON

copy
{
  "kind": "cloudaccount",
  "name": "example-aws-cloud-account",
  "description": "example-aws-cloud-account description",
  "tags": {},
  "provider": "aws",
  "data": {
    "roleArn": "ROLE_ARN"
  }
}

Cloud Account - AWS - YAML

copy
kind: cloudaccount
name: example-aws-cloud-account
description: example-aws-cloud-account description
tags: {}
provider: aws
data:
  roleArn: "ROLE_ARN"

Cloud Account - Azure - JSON

copy
{
  "kind": "cloudaccount",
  "name": "example-azure-cloud-account",
  "description": "example-azure-cloud-account description",
  "tags": {},
  "provider": "azure",
  "data": {
    "secretLink": "/org/ORG_NAME/secret/AZURE_SECRET"
  }
}

Cloud Account - Azure - YAML

copy
kind: cloudaccount
name: example-azure-cloud-account
description: example-azure-cloud-account description
tags: {}
provider: azure
data:
  secretLink: /org/ORG_NAME/secret/AZURE_SECRET

Cloud Account - GCP - JSON

copy
{
  "kind": "cloudaccount",
  "name": "example-gcp-cloud-account",
  "description": "example-gcp-cloud-account description",
  "tags": {},
  "provider": "gcp",
  "data": {
    "projectId": "PROJECT_ID"
  }
}

Cloud Account - GCP - YAML

copy
kind: cloudaccount
name: example-gcp-cloud-account
description: example-gcp-cloud-account description
tags: {}
provider: gcp
data:
  projectId: PROJECT_ID

Cloud Account - NGS - JSON

copy
{
  "kind": "cloudaccount",
  "name": "example-ngs-cloud-account",
  "description": "example-ngs-cloud-account description",
  "provider": "ngs",
  "data": {
    "secretLink": "/org/ORG_NAME/secret/NATS_SECRET"
  },
}

Cloud Account - NGS - YAML

copy
kind: cloudaccount
name: example-ngs-cloud-account
description: example-ngs-cloud-account description
tags: {}
provider: ngs
data:
  secretLink: /org/ORG_NAME/secret/NATS_SECRET

Domains

Domain Reference Page

Domain - JSON

copy
{
  "kind": "domain",
  "name": "sub.example.com",
  "description": "domain description",
  "tags": {}
}

Domain - YAML

copy
kind: domain
name: sub.example.com
description: domain description
tags: {}

Secrets

Secrets Reference Page

Secret - AWS - JSON

copy
{
  "kind": "secret",
  "name": "example-aws-secret",
  "description": "example-aws-secret description",
  "tags": {},
  "type": "aws",
  "data": {
    "accessKey": "AKIAIOSFODNN7EXAMPLE",
    "roleArn": "arn:awskey",
    "secretKey": "AKIAwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "externalId": "EXTERNAL_ID"
  }
}

Secret - AWS - YAML

copy
kind: secret
name: example-aws-secret
description: example-aws-secret description
tags: {}
type: aws
data:
  accessKey: AKIAIOSFODNN7EXAMPLE
  roleArn: "arn:awskey"
  secretKey: AKIAwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  externalId: EXTERNAL_ID

Secret - Azure Connector - JSON

copy
{
  "kind": "secret",
  "name": "example-azure-connector-secret",
  "description": "example-azure-connector-secret description",
  "tags": {},
  "type": "azure-connector",
  "data": {
    "code": "CODE",
    "url": "URL"
  }
}

Secret - Azure Connector - YAML

copy
kind: secret
name: example-azure-connector-secret
description: example-azure-connector-secret description
tags: {}
type: azure-connector
data:
  code: CODE
  url: "URL"

Secret - Azure-SDK - JSON

copy
{
  "kind": "secret",
  "name": "example-azure-sdk-secret",
  "description": "example-azure-sdk-secret",
  "tags": {},
  "type": "azure-sdk",
  "data": "{\"subscriptionId\":\"2cd8674e-4f89-4a1f-b420-7a1361b46ef7\",\"tenantId\":\"292f5674-c8b0-488b-9ff8-6d30d77f38d9\",\"clientId\":\"649846ce-d862-49d5-a5eb-7d5aad90f54e\",\"clientSecret\":\"cpln\"}"
}

Secret - Azure-SDK - YAML

copy
kind: secret
name: example-azure-sdk-secret
description: example-azure-sdk-secret
tags: {}
type: azure-sdk
data: >-
  {"subscriptionId":"2cd8674e-4f89-4a1f-b420-7a1361b46ef7","tenantId":"292f5674-c8b0-488b-9ff8-6d30d77f38d9","clientId":"649846ce-d862-49d5-a5eb-7d5aad90f54e","clientSecret":"cpln"}

Secret - Dictionary - JSON

copy
{
  "kind": "secret",
  "name": "example-dictionary-secret",
  "description": "example-dictionary-secret description",
  "tags": {},
  "type": "dictionary",
  "data": {
    "key01": "value01",
    "key02": "value02"
  }
}

Secret - Dictionary - YAML

copy
kind: secret
name: example-dictionary-secret
description: example-dictionary-secret description
tags: {}
type: dictionary
data:
  key01: value01
  key02: value02

Secret - Docker - JSON

copy
{
  "kind": "secret",
  "name": "example-docker-secret",
  "description": "example-docker-secret description",
  "tags": {},
  "type": "docker",
  "data": "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"USERNAME\",\"password\":\"PASSWORD\"}}}"
}

Secret - Docker - YAML

copy
kind: secret
name: example-docker-secret
description: example-docker-secret description
tags: {}
type: docker
data: >-
  {"auths":{"https://index.docker.io/v1/":{"username":"USERNAME","password":"PASSWORD"}}}

Secret - ECR - JSON

copy
{
  "kind": "secret",
  "name": "example-ecr-secret",
  "description": "example-ecr-secret description",
  "tags": {},
  "type": "ecr",
  "data": {
    "accessKey": "AKIA_ACCESS_KEY",
    "repos": ["015716931711.dkr.ecr.us-west-2.amazonaws.com/repo"],
    "secretKey": "SECRET_KEY",
    "externalId": "EXTERNAL_ID"
  }
}

Secret - ECR - YAML

copy
kind: secret
name: example-ecr-secret
description: example-ecr-secret description
tags: {}
data:
  accessKey: AKIA_ACCESS_KEY
  repos:
    - 015716931711.dkr.ecr.us-west-2.amazonaws.com/repo
  secretKey: SECRET_KEY
  externalId: EXTERNAL_ID

Secret - GCP - JSON

copy
{
  "kind": "secret",
  "name": "example-gcp-secret",
  "description": "example-gcp-secret description",
  "tags": {},
  "type": "gcp",
  "data": "{\"type\":\"gcp\",\"project_id\":\"cpln12345\",\"private_key_id\":\"pvt_key\",\"private_key\":\"key\",\"client_email\":\"support@cpln.io\",\"client_id\":\"12744\",\"auth_uri\":\"cloud.google.com\",\"token_uri\":\"token.cloud.google.com\",\"auth_provider_x509_cert_url\":\"cert.google.com\",\"client_x509_cert_url\":\"cert.google.com\"}"
}

Secret - GCP - YAML

copy
kind: secret
name: example-gcp-secret
description: example-gcp-secret description
tags: {}
type: gcp
data: >-
  {"type":"gcp","project_id":"cpln12345","private_key_id":"pvt_key","private_key":"key","client_email":"support@cpln.io","client_id":"12744","auth_uri":"cloud.google.com","token_uri":"token.cloud.google.com","auth_provider_x509_cert_url":"cert.google.com","client_x509_cert_url":"cert.google.com"}

Secret - KeyPair - JSON

NOTE: The example below uses a self-signed certificate. Do not use for production.

copy
{
  "kind": "secret",
  "name": "example-keypair-secret",
  "description": "example-keypair-secret description",
  "tags": {},
  "type": "keypair",
  "data": {
    "passphrase": "cpln",
    "publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrVyExI0uvRmwCAKFHiv\nbaAcPMcKJDa6f6TtaVo2p8jyfEhVwDTmR3FUrDDZAjh0Q8G/Up8Ob3+IJafNymCO\nBhUKou+8ie7guqsbU9JrT0Zos1k/pd0aVfnAR0EpW3es/7fdkWUszU0uweeEj22m\nXMlLplnqqoYOGAhuNMqGsZwBr36Bxq9EeB2O79QsAFDNkPVg7xIaYKn32j69o0Zr\nryYI8xqOYYy5Dw6CX+++YYLYiR/PkLYJTVAsxXeqyltCfb3Iv7vN5HrfoYBhndr3\nNxBPkcIJZeh3Z+QzfJ5U+bB5fP/aOsEk5bPbtLzylj2KnOOM/ZxXJtOcu0xtJLd3\nXwIDAQAB\n-----END PUBLIC KEY-----\n",
    "secretKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,9A26BB15304B18E7\n\nZdBgMExsvIJEsIFDMQ02xh4nDnhXEGUNu7LiWIZjn9WS6QB2jApyOFOBWmp0lK6L\ndIJ+Mb8wMeHtkiKS6ZbYeea8M29kwEejZRnKl1Wq0EFycdwbONtbcbjzF+tQGEBT\ngQQgkY7wjDWl8HwjFEA+NUuitzi6uI2xWlQpFdUrmqJAZCbxNFa0aM8nW6jnitvP\n616ps3HjLnWCjoyqS4hWxiWmt+VE3KruPnUVVV7bWlzc6jnoZcSaeqeaoQrNKguH\nte2iBIMdY/uldb7Ik2Kxr2+kBRmV4YNkp1EelNi/m39VcoUHJLk1jLldzuINhbi2\nIRqYZe4EEMSYdb3TkSosXa64Sz7jMBz5AxlA0n78FKlB9G5FAxaXcVYNQIlvzCbw\nuXPbQd/UYKUuEI1Yn8OmGBN5xcOdgWz8hfyxA2Hq1tmo1XN6snavGe7TKbZd70N+\n1yFbclB2T1z8fPcLwUZUxOl4g2DoMMHIzCSPaIe/otT8389k4H6hEulLis4lW0p3\nqopL5kdpxmSGgXsX6q6CUFb/0cw9HskNT3zbzKLx2MzjFCo93IB07UxPwkCD2kb1\nsLKMcpTC8a0vLaTVNYgDX7wW/YjBrCokaqk0z1whuN6iSReOtvmu5ybrq1Ksg8UQ\nyvCSScM/+muKi+gbEOskQs4Ph3ZLHqAX3/XYoyBcFnPNxVHTIa5Dcju6h5gl1/uY\n6tkRsHDr0Lzy8pd6jjf/ApPf9ypCuxKUO1q8PzPg2E4bmEFxc8zOB2NLvfPgFrUR\n0Sbkapv/6x6nNRw75cu69c5we/atip6wst8J1MSU0fTqb6bZ3TF2pDyNEOkdkvoZ\nYZ0r3hUytdT0pImoDLKoyy17mtHLLApzHyIgmR3cqtSt07ncmC5lyEBcZBrQXMa8\naZeOr8iUWQE/q+4BvoxeKsOD6ttKuFnrgl0rmMnYQsSyLJOPizrU4L1d1HMIKswm\niW+Rg7xlWmQg95m8XEWTjAb3tuNz/tGXC7Qa88HvC7YfyG69yM61oPsT83YnxcBT\nC/X67lSFTYguFa3HgDZpjGq7Hc/Q7nhaoqNMEs01O6jbcmrue8IIa2FH1tTwPN0W\nD7JefjCQjEghue2mjc0fovOGe9A9jvWf+gJHF3vRtFa67uQiQxge9zUzpHyVNpOj\nVe0y0HvibNTd6TSCArctJpIcwpjO3MTT5LBJ1p/8v4b4+knEKD2c69jumNbKGbWr\nWjq39M/MGNUO5SbZMO3gFCt6fgtXkOktH9pJ9iOQpYKgl7QTe2qQygfWkIm0EZRN\n6EaQdNNKgENWicpKyKQ4BxoY1LYAHFHJ95VisLf3KmmOF5MwajADZQT/yth3gvht\nxx21b9iudcgq/CRccSvfIPIWZKi6oaqNIXK+E3DQd40TUopLsBWzacTZn9maSZtW\nRyAY1TkRn1qDR2soyhBcihrX5PZ83jnOlM3XTdfF1784g8zB9ooDnK7mUKueH1W3\nhWFADMUF7uaBbo5EZ9sE+dFPzWPJLhu2j67a1iHmByqEvFY64lzq7VwwU/GE8JdA\n85oEkhg1ZEPJp3OYTQfPI/CC/2fc93Exf6wmaXuss8AHehuGcKQniOZmFOKOBprv\n-----END RSA PRIVATE KEY-----"
  }
}

Secret - KeyPair - YAML

NOTE: The example below uses a self-signed certificate. Do not use for production.

copy
kind: secret
name: example-keypair-secret
description: example-keypair-secret secret
tags: {}
type: keypair
data:
  passphrase: cpln
  publicKey: |
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrVyExI0uvRmwCAKFHiv
    baAcPMcKJDa6f6TtaVo2p8jyfEhVwDTmR3FUrDDZAjh0Q8G/Up8Ob3+IJafNymCO
    BhUKou+8ie7guqsbU9JrT0Zos1k/pd0aVfnAR0EpW3es/7fdkWUszU0uweeEj22m
    XMlLplnqqoYOGAhuNMqGsZwBr36Bxq9EeB2O79QsAFDNkPVg7xIaYKn32j69o0Zr
    ryYI8xqOYYy5Dw6CX+++YYLYiR/PkLYJTVAsxXeqyltCfb3Iv7vN5HrfoYBhndr3
    NxBPkcIJZeh3Z+QzfJ5U+bB5fP/aOsEk5bPbtLzylj2KnOOM/ZxXJtOcu0xtJLd3
    XwIDAQAB
    -----END PUBLIC KEY-----
  secretKey: |-
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,9A26BB15304B18E7
    ZdBgMExsvIJEsIFDMQ02xh4nDnhXEGUNu7LiWIZjn9WS6QB2jApyOFOBWmp0lK6L
    dIJ+Mb8wMeHtkiKS6ZbYeea8M29kwEejZRnKl1Wq0EFycdwbONtbcbjzF+tQGEBT
    gQQgkY7wjDWl8HwjFEA+NUuitzi6uI2xWlQpFdUrmqJAZCbxNFa0aM8nW6jnitvP
    616ps3HjLnWCjoyqS4hWxiWmt+VE3KruPnUVVV7bWlzc6jnoZcSaeqeaoQrNKguH
    te2iBIMdY/uldb7Ik2Kxr2+kBRmV4YNkp1EelNi/m39VcoUHJLk1jLldzuINhbi2
    IRqYZe4EEMSYdb3TkSosXa64Sz7jMBz5AxlA0n78FKlB9G5FAxaXcVYNQIlvzCbw
    uXPbQd/UYKUuEI1Yn8OmGBN5xcOdgWz8hfyxA2Hq1tmo1XN6snavGe7TKbZd70N+
    1yFbclB2T1z8fPcLwUZUxOl4g2DoMMHIzCSPaIe/otT8389k4H6hEulLis4lW0p3
    qopL5kdpxmSGgXsX6q6CUFb/0cw9HskNT3zbzKLx2MzjFCo93IB07UxPwkCD2kb1
    sLKMcpTC8a0vLaTVNYgDX7wW/YjBrCokaqk0z1whuN6iSReOtvmu5ybrq1Ksg8UQ
    yvCSScM/+muKi+gbEOskQs4Ph3ZLHqAX3/XYoyBcFnPNxVHTIa5Dcju6h5gl1/uY
    6tkRsHDr0Lzy8pd6jjf/ApPf9ypCuxKUO1q8PzPg2E4bmEFxc8zOB2NLvfPgFrUR
    0Sbkapv/6x6nNRw75cu69c5we/atip6wst8J1MSU0fTqb6bZ3TF2pDyNEOkdkvoZ
    YZ0r3hUytdT0pImoDLKoyy17mtHLLApzHyIgmR3cqtSt07ncmC5lyEBcZBrQXMa8
    aZeOr8iUWQE/q+4BvoxeKsOD6ttKuFnrgl0rmMnYQsSyLJOPizrU4L1d1HMIKswm
    iW+Rg7xlWmQg95m8XEWTjAb3tuNz/tGXC7Qa88HvC7YfyG69yM61oPsT83YnxcBT
    C/X67lSFTYguFa3HgDZpjGq7Hc/Q7nhaoqNMEs01O6jbcmrue8IIa2FH1tTwPN0W
    D7JefjCQjEghue2mjc0fovOGe9A9jvWf+gJHF3vRtFa67uQiQxge9zUzpHyVNpOj
    Ve0y0HvibNTd6TSCArctJpIcwpjO3MTT5LBJ1p/8v4b4+knEKD2c69jumNbKGbWr
    Wjq39M/MGNUO5SbZMO3gFCt6fgtXkOktH9pJ9iOQpYKgl7QTe2qQygfWkIm0EZRN
    6EaQdNNKgENWicpKyKQ4BxoY1LYAHFHJ95VisLf3KmmOF5MwajADZQT/yth3gvht
    xx21b9iudcgq/CRccSvfIPIWZKi6oaqNIXK+E3DQd40TUopLsBWzacTZn9maSZtW
    RyAY1TkRn1qDR2soyhBcihrX5PZ83jnOlM3XTdfF1784g8zB9ooDnK7mUKueH1W3
    hWFADMUF7uaBbo5EZ9sE+dFPzWPJLhu2j67a1iHmByqEvFY64lzq7VwwU/GE8JdA
    85oEkhg1ZEPJp3OYTQfPI/CC/2fc93Exf6wmaXuss8AHehuGcKQniOZmFOKOBprv
    -----END RSA PRIVATE KEY-----

Secret - Opaque - JSON

copy
{
  "kind": "secret",
  "name": "example-opaque-secret",
  "description": "example-opaque-secret",
  "tags": {},
  "type": "opaque",
  "data": {
    "encoding": "plain",
    "payload": "sample payload"
  }
}

Secret - Opaque - YAML

copy
kind: secret
name: example-opaque-secret
description: example-opaque-secret description
tags: {}
type: opaque
data:
  encoding: plain
  payload: sample payload

Secret - TLS - JSON

copy
{
  "kind": "secret",
  "name": "example-tls-secret",
  "description": "example-tls-secret description",
  "tags": {},
  "type": "tls",
  "data": {
    "cert": "-----BEGIN CERTIFICATE-----\nMIID+zCCAuOgAwIBAgIUEwBv3WQkP7dIiEIxyj+Wi1STz7QwDQYJKoZIhvcNAQEL\nBQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQH\nDAtMb3MgQW5nZWxlczENMAsGA1UECgwEQ1BMTjERMA8GA1UECwwIQ1BMTi1PUkcx\nEDAOBgNVBAMMB2NwbG4uaW8xHjAcBgkqhkiG9w0BCQEWD3N1cHBvcnRAY3Bsbi5p\nbzAeFw0yMDEwMTQxNzI4MDhaFw0zMDEwMTIxNzI4MDhaMIGMMQswCQYDVQQGEwJV\nUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTAL\nBgNVBAoMBENQTE4xETAPBgNVBAsMCENQTE4tT1JHMRAwDgYDVQQDDAdjcGxuLmlv\nMR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0QGNwbG4uaW8wggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0\nRsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9\nyPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30Fk\nPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHr\naetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY\n/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAGjUzBRMB0GA1Ud\nDgQWBBRxncC/8RRio/S9Ly8tKFS7WnTcNTAfBgNVHSMEGDAWgBRxncC/8RRio/S9\nLy8tKFS7WnTcNTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAr\nsDZQj4K47fW6JkJbxlzZ1hd7IX6cQhI/DRIdTGR1u0kM1RtZoS0UtV5qsYV/g/S4\nChuB/aIARyTWvHKDhcT3bRGHLnoZJ8pLlQh4nEfO07SRhyeNiO4qmWM9az0nP5qD\nwAXpLpmYIairzAgY7QXbk5wXbTrXli3mz14VaNoqN4s7iyLtHn5TGAXc12aMwo7M\n5yn/RGxoWQoJqSQKc9nf909cR81AVCdG1dFcp7u8Ud1pTtlmiU9ZJ/YOXDCT/1hZ\nYxoeotDBBOIao3Ym/3351somMoQ7Lz6hRWvG0WhDIsCXvth4XSxRkZFXgjWNuhdD\nu2ZCis/EwXsqRJPkIPnL\n-----END CERTIFICATE-----\t\t",
    "chain": "-----BEGIN CERTIFICATE-----\nMIID+zCCAuOgAwIBAgIUEwBv3WQkP7dIiEIxyj+Wi1STz7QwDQYJKoZIhvcNAQEL\nBQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQH\nDAtMb3MgQW5nZWxlczENMAsGA1UECgwEQ1BMTjERMA8GA1UECwwIQ1BMTi1PUkcx\nEDAOBgNVBAMMB2NwbG4uaW8xHjAcBgkqhkiG9w0BCQEWD3N1cHBvcnRAY3Bsbi5p\nbzAeFw0yMDEwMTQxNzI4MDhaFw0zMDEwMTIxNzI4MDhaMIGMMQswCQYDVQQGEwJV\nUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTAL\nBgNVBAoMBENQTE4xETAPBgNVBAsMCENQTE4tT1JHMRAwDgYDVQQDDAdjcGxuLmlv\nMR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0QGNwbG4uaW8wggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0\nRsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9\nyPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30Fk\nPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHr\naetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY\n/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAGjUzBRMB0GA1Ud\nDgQWBBRxncC/8RRio/S9Ly8tKFS7WnTcNTAfBgNVHSMEGDAWgBRxncC/8RRio/S9\nLy8tKFS7WnTcNTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAr\nsDZQj4K47fW6JkJbxlzZ1hd7IX6cQhI/DRIdTGR1u0kM1RtZoS0UtV5qsYV/g/S4\nChuB/aIARyTWvHKDhcT3bRGHLnoZJ8pLlQh4nEfO07SRhyeNiO4qmWM9az0nP5qD\nwAXpLpmYIairzAgY7QXbk5wXbTrXli3mz14VaNoqN4s7iyLtHn5TGAXc12aMwo7M\n5yn/RGxoWQoJqSQKc9nf909cR81AVCdG1dFcp7u8Ud1pTtlmiU9ZJ/YOXDCT/1hZ\nYxoeotDBBOIao3Ym/3351somMoQ7Lz6hRWvG0WhDIsCXvth4XSxRkZFXgjWNuhdD\nu2ZCis/EwXsqRJPkIPnL\n-----END CERTIFICATE-----\t\t",
    "key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBzN2jRf9ouoF4\nXG0eUxcc4f1sP8vhW1fQXjun3cl0RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvN\nrsl7U4iJIEcJL6vTqHY7jTGXQkd9yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWn\npvg157mJ/u9qdyU+1h8DncES30FkPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88IN\nbBHLjxBQgwTu0vgMxN34b5z+esHraetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBi\nL2TeDrnEY6qP/ZoGuyyVnsT/6pHY/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/l\njq0e1j69AgMBAAECggEAPGhrPZV4A2D/MlE9AhLMRYh7wd4w4tHiEWUOG0kank/g\nZhc0iK5WQmbq31y34GXHhInsThpCs5AIYFh3HSXwjS2udsKRQKxmDjH4nzldp2uX\n3w9Aoiy29GP4wZoCyRBGUZxfH1cQhOazXgrBm6vbPZRldD4nMer0R+BIamWEsIYD\nYjDj1pT0noLUSeqoLmGxSQ4DNIBQVZB/T8ziMcEzl6bhprT0QrapJSyD2CtA8tH1\nZ8cyhmyE0CUvSkV4K2ecvVukWBJvrAYc6euPAnkS5LJrQotI5+3jJO2QawOlL6Uw\nrFWBpgBrCgbzquMRpDCQ/J9/GDYaZjim4YdonboBgQKBgQD7jx3CVnG4LDz198am\nspmPwKCW1ke6PhlG7zf3YR00xg9vPBYiy4obb1Jg6em1wr+iZ0dEt8fimeZXewBf\nLzlrR8T1Or0eLzfbn+GlLIKGKhn2pKB/i1iolkfIonchqXRk9WNx+PzjgUqiYWRC\n/1tH2BsODlVrzKL2lnbWKNIFdQKBgQDFOLedpMeYemLhrsU1TXGt1xTxAbWvOCyt\nvig/huyz4SQENXyu3ImPzxIxpTHxKhUaXo/qFXn0jhqnf0LfWI4nbQUbkivb5BPr\nKY9aj7XwwsY4MXW5C12Qi0lIwHOWCmfzvyS7TCMqnQb7sT4Mjmm4ydEbiI1TjlFJ\nD/RFxzcDKQKBgQCehPcJyZNrrWTU0sh5rz4ZWhdYNbuJXyxqiMBJwQa4hL6hJ8oD\nLyPeWe4daAmAIjLEUjSU1wK8hqKiKb54PLgAJH+20MbvyG14lm2Iul2d0dX+mIsT\nFGpQAjNF+Sr9KV1RaVi7L12ct5KidKDLn0KUKVgTKXEmtxNSNEq6dYqzKQKBgDI8\nzljzvnwSwNloIYgAYDK+FPGHU/Z8QrVHOQ1lmyn+8aO41DfeqZPeVW4b/GrII3QC\nHnqsWdJ32EZOXoRyFFPqq2BojY+Hu6MthPy2msvncYKi5q/qOz00nchQbaEMqYon\naH3lWRfjxAGdFocwR7HwhrmSwR1FpWMNE1Yq9tJxAoGBANc0nZSy5ZlTiMWdRrTt\ngFc9N/jz8OL6qLrJtX2Axyv7Vv8H/gbDg4olLR+Io38M0S1WwEHsaIJLIvJ6msjl\n/LlseAW6oiO6jzhWEr0VQSLkuJn45hG/uy7t19SDuNR7W5NuEr0YbWd6fZEpR7RR\nS1hFKnRRcrVqA+HjWnZ//BGi\n-----END PRIVATE KEY-----"
  }
}

Secret - TLS - YAML

copy
kind: secret
name: example-tls-secret
description: example-tls-secret description
tags: {}
type: tls
data:
  cert: |-
    -----BEGIN CERTIFICATE-----
    MIID+zCCAuOgAwIBAgIUEwBv3WQkP7dIiEIxyj+Wi1STz7QwDQYJKoZIhvcNAQEL
    BQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQH
    DAtMb3MgQW5nZWxlczENMAsGA1UECgwEQ1BMTjERMA8GA1UECwwIQ1BMTi1PUkcx
    EDAOBgNVBAMMB2NwbG4uaW8xHjAcBgkqhkiG9w0BCQEWD3N1cHBvcnRAY3Bsbi5p
    bzAeFw0yMDEwMTQxNzI4MDhaFw0zMDEwMTIxNzI4MDhaMIGMMQswCQYDVQQGEwJV
    UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTAL
    BgNVBAoMBENQTE4xETAPBgNVBAsMCENQTE4tT1JHMRAwDgYDVQQDDAdjcGxuLmlv
    MR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0QGNwbG4uaW8wggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0
    RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9
    yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30Fk
    PsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHr
    aetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY
    /BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAGjUzBRMB0GA1Ud
    DgQWBBRxncC/8RRio/S9Ly8tKFS7WnTcNTAfBgNVHSMEGDAWgBRxncC/8RRio/S9
    Ly8tKFS7WnTcNTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAr
    sDZQj4K47fW6JkJbxlzZ1hd7IX6cQhI/DRIdTGR1u0kM1RtZoS0UtV5qsYV/g/S4
    ChuB/aIARyTWvHKDhcT3bRGHLnoZJ8pLlQh4nEfO07SRhyeNiO4qmWM9az0nP5qD
    wAXpLpmYIairzAgY7QXbk5wXbTrXli3mz14VaNoqN4s7iyLtHn5TGAXc12aMwo7M
    5yn/RGxoWQoJqSQKc9nf909cR81AVCdG1dFcp7u8Ud1pTtlmiU9ZJ/YOXDCT/1hZ
    YxoeotDBBOIao3Ym/3351somMoQ7Lz6hRWvG0WhDIsCXvth4XSxRkZFXgjWNuhdD
    u2ZCis/EwXsqRJPkIPnL
    -----END CERTIFICATE-----
  chain: |-
    -----BEGIN CERTIFICATE-----
    MIID+zCCAuOgAwIBAgIUEwBv3WQkP7dIiEIxyj+Wi1STz7QwDQYJKoZIhvcNAQEL
    BQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQH
    DAtMb3MgQW5nZWxlczENMAsGA1UECgwEQ1BMTjERMA8GA1UECwwIQ1BMTi1PUkcx
    EDAOBgNVBAMMB2NwbG4uaW8xHjAcBgkqhkiG9w0BCQEWD3N1cHBvcnRAY3Bsbi5p
    bzAeFw0yMDEwMTQxNzI4MDhaFw0zMDEwMTIxNzI4MDhaMIGMMQswCQYDVQQGEwJV
    UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTAL
    BgNVBAoMBENQTE4xETAPBgNVBAsMCENQTE4tT1JHMRAwDgYDVQQDDAdjcGxuLmlv
    MR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0QGNwbG4uaW8wggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0
    RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9
    yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30Fk
    PsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHr
    aetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY
    /BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAGjUzBRMB0GA1Ud
    DgQWBBRxncC/8RRio/S9Ly8tKFS7WnTcNTAfBgNVHSMEGDAWgBRxncC/8RRio/S9
    Ly8tKFS7WnTcNTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAr
    sDZQj4K47fW6JkJbxlzZ1hd7IX6cQhI/DRIdTGR1u0kM1RtZoS0UtV5qsYV/g/S4
    ChuB/aIARyTWvHKDhcT3bRGHLnoZJ8pLlQh4nEfO07SRhyeNiO4qmWM9az0nP5qD
    wAXpLpmYIairzAgY7QXbk5wXbTrXli3mz14VaNoqN4s7iyLtHn5TGAXc12aMwo7M
    5yn/RGxoWQoJqSQKc9nf909cR81AVCdG1dFcp7u8Ud1pTtlmiU9ZJ/YOXDCT/1hZ
    YxoeotDBBOIao3Ym/3351somMoQ7Lz6hRWvG0WhDIsCXvth4XSxRkZFXgjWNuhdD
    u2ZCis/EwXsqRJPkIPnL
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBzN2jRf9ouoF4
    XG0eUxcc4f1sP8vhW1fQXjun3cl0RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvN
    rsl7U4iJIEcJL6vTqHY7jTGXQkd9yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWn
    pvg157mJ/u9qdyU+1h8DncES30FkPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88IN
    bBHLjxBQgwTu0vgMxN34b5z+esHraetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBi
    L2TeDrnEY6qP/ZoGuyyVnsT/6pHY/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/l
    jq0e1j69AgMBAAECggEAPGhrPZV4A2D/MlE9AhLMRYh7wd4w4tHiEWUOG0kank/g
    Zhc0iK5WQmbq31y34GXHhInsThpCs5AIYFh3HSXwjS2udsKRQKxmDjH4nzldp2uX
    3w9Aoiy29GP4wZoCyRBGUZxfH1cQhOazXgrBm6vbPZRldD4nMer0R+BIamWEsIYD
    YjDj1pT0noLUSeqoLmGxSQ4DNIBQVZB/T8ziMcEzl6bhprT0QrapJSyD2CtA8tH1
    Z8cyhmyE0CUvSkV4K2ecvVukWBJvrAYc6euPAnkS5LJrQotI5+3jJO2QawOlL6Uw
    rFWBpgBrCgbzquMRpDCQ/J9/GDYaZjim4YdonboBgQKBgQD7jx3CVnG4LDz198am
    spmPwKCW1ke6PhlG7zf3YR00xg9vPBYiy4obb1Jg6em1wr+iZ0dEt8fimeZXewBf
    LzlrR8T1Or0eLzfbn+GlLIKGKhn2pKB/i1iolkfIonchqXRk9WNx+PzjgUqiYWRC
    /1tH2BsODlVrzKL2lnbWKNIFdQKBgQDFOLedpMeYemLhrsU1TXGt1xTxAbWvOCyt
    vig/huyz4SQENXyu3ImPzxIxpTHxKhUaXo/qFXn0jhqnf0LfWI4nbQUbkivb5BPr
    KY9aj7XwwsY4MXW5C12Qi0lIwHOWCmfzvyS7TCMqnQb7sT4Mjmm4ydEbiI1TjlFJ
    D/RFxzcDKQKBgQCehPcJyZNrrWTU0sh5rz4ZWhdYNbuJXyxqiMBJwQa4hL6hJ8oD
    LyPeWe4daAmAIjLEUjSU1wK8hqKiKb54PLgAJH+20MbvyG14lm2Iul2d0dX+mIsT
    FGpQAjNF+Sr9KV1RaVi7L12ct5KidKDLn0KUKVgTKXEmtxNSNEq6dYqzKQKBgDI8
    zljzvnwSwNloIYgAYDK+FPGHU/Z8QrVHOQ1lmyn+8aO41DfeqZPeVW4b/GrII3QC
    HnqsWdJ32EZOXoRyFFPqq2BojY+Hu6MthPy2msvncYKi5q/qOz00nchQbaEMqYon
    aH3lWRfjxAGdFocwR7HwhrmSwR1FpWMNE1Yq9tJxAoGBANc0nZSy5ZlTiMWdRrTt
    gFc9N/jz8OL6qLrJtX2Axyv7Vv8H/gbDg4olLR+Io38M0S1WwEHsaIJLIvJ6msjl
    /LlseAW6oiO6jzhWEr0VQSLkuJn45hG/uy7t19SDuNR7W5NuEr0YbWd6fZEpR7RR
    S1hFKnRRcrVqA+HjWnZ//BGi
    -----END PRIVATE KEY-----

Secret - Username/Password - JSON

copy
{
  "kind": "secret",
  "name": "example-username-secret",
  "description": "example-username-secret description",
  "tags": {},
  "type": "userpass",
  "data": {
    "encoding": "plain",
    "password": "PASSWORD",
    "username": "USERNAME"
  }
}

Secret - Username/Password - YAML

copy
kind: secret
name: sample-username
description: sample-username
tags: {}
type: userpass
data:
  encoding: plain
  password: PASSWORD
  username: USERNAME

Groups

Groups Reference Page

See the Group Query Rules reference page for details on how to create a query.

Group - JSON

copy
{
  "kind": "group",
  "name": "example-group",
  "description": "example-group description",
  "tags": {},
  "memberLinks": [
    "/org/ORG_NAME/serviceaccount/SERVICE_ACCOUNT_NAME",
    "/org/ORG_NAME/user/USER_EMAIL",
    "/org/ORG_NAME/user/USER_EMAIL"
  ],
  "memberQuery": {
    "kind": "user",
    "fetch": "items",
    "spec": {
      "match": "all",
      "terms": [
        {
          "op": "=",
          "tag": "test-tag",
          "value": "test-value"
        }
      ]
    }
  }
}

Group - YAML

copy
kind: group
name: example-group
description: example-group description
tags: {}
memberLinks:
  - /org/ORG_NAME/serviceaccount/SERVICE_ACCOUNT_NAME
  - /org/ORG_NAME/user/USER_EMAIL
  - /org/ORG_NAME/user/USER_EMAIL
memberQuery:
  kind: user
  fetch: items
  spec:
    match: all
    terms:
      - op: "="
        tag: test
        value: "1234"

Policies

Policies Reference Page

The first example shows a policy for an explict secret ('targetLinks') that contain a binding for all four of the principal types with the 'edit' and 'manage' permissions.

The second example shows a policy that targets all secrets within the org. When the target key is set to all, the targetLinks and targetQuery properties are not evaluated.

Each 'targetKind' has its own unique set of binding permissions. The permissions can be obtained by:

Running the CLI permissions command (e.g., cpln secret permissions), or
The reference page for each target (e.g. Secret Permissions).

Policy - Explict Secret - JSON

copy
{
  "kind": "policy",
  "name": "example-policy-explicit",
  "description": "example-policy description",
  "tags": {},
  "targetKind": "secret",
  "bindings": [
    {
      "permissions": ["edit", "manage"],
      "principalLinks": [
        "/org/ORG_NAME/group/GROUP_NAME",
        "/org/ORG_NAME/gvc/GVC_NAME/identity/IDENTITY_NAME",
        "/org/ORG_NAME/serviceaccount/SERVICE_ACCOUNT_NAME",
        "/org/ORG_NAME/user/USER_EMAIL"
      ]
    }
  ],
  "targetLinks": ["/org/ORG_NAME/secret/SECRET_NAME"],
  "targetQuery": {
    "kind": "secret",
    "fetch": "items",
    "spec": {
      "match": "all",
      "terms": [
        {
          "op": "=",
          "tag": "example-tag",
          "value": "example-value"
        }
      ]
    }
  }
}

Policy - Explict Secret - YAML

copy
kind: policy
name: example-policy-explicit
description: example-policy description
tags: {}
origin: default
bindings:
  - permissions:
      - edit
      - manage
    principalLinks:
      - /org/ORG_NAME/group/GROUP_NAME
      - /org/ORG_NAME/gvc/GVC_NAME/identity/IDENTITY_NAME
      - /org/ORG_NAME/serviceaccount/SERVICE_ACCOUNT_NAME
      - /org/ORG_NAME/user/USER_EMAIL
targetKind: secret
targetLinks:
  - /org/ORG_NAME/secret/SECRET_NAME
targetQuery:
  kind: secret
  fetch: items
  spec:
    match: all
    terms:
      - op: "="
        tag: example-tag
        value: example-value

Policy - All Secrets - JSON

copy
{
  "kind": "policy",
  "name": "example-policy-all",
  "description": "example-policy-all description",
  "tags": {},
  "targetKind": "secret",
  "target": "all",
  "bindings": [
    {
      "permissions": ["edit", "manage"],
      "principalLinks": [
        "/org/ORG_NAME/group/GROUP_NAME",
        "/org/ORG_NAME/gvc/GVC_NAME/identity/IDENTITY_NAME",
        "/org/ORG_NAME/serviceaccount/SERVICE_ACCOUNT_NAME",
        "/org/ORG_NAME/user/USER_EMAIL"
      ]
    }
  ]
}

Policy - All Secrets - YAML

copy
kind: policy
name: example-policy-all
description: example-policy-all description
tags: {}
targetKind: secret
target: all
bindings:
  - permissions:
      - edit
      - manage
    principalLinks:
      - /org/terraform-test-org/group/test
      - /org/terraform-test-org/gvc/toolbox-gvc/identity/tbd
      - /org/terraform-test-org/serviceaccount/tbd
      - /org/terraform-test-org/user/eric@controlplane.com

placeholder

Contents