How to Manage Chainguard IAM Groups

Understanding Identity and Access Management in Chainguard

Chainguard provides a rich Identity and Access Management (IAM) model similar to those used by AWS and GCP. Once authenticated, you can set up a desired group management structure.

Logging in

To authenticate into the Chainguard platform, use the following login command.

chainctl auth login

A web browser window will open to prompt you to log in via your chosen OIDC flow. Select an account with which you wish to register. Once authenticated, you can set up a desired group structure for managing and delegating.

Creating a Group

Begin by creating an organization tied to the account you just used to authenticate to Chainguard.

chainctl iam groups create $NAME --no-parent

After creating the organization, you can create your desired group hierarchy. Keep in mind that access will roll down, meaning that any assets available at the root level will be inherited by its children.

chainctl iam group create $CHILD_NAME --parent $ROOT_ID

We recommend creating a group structure that outlines how your team organizes and delegates permissions. A sample starting point can include dev, staging, and prod.

|- root
    |- dev
    |- staging
    |- prod

Listing Groups

At any time, you can list the group hierarchy your account has access to by using list. To make it more human readable, you can output the information as a table by passing -o table to the end of the command.

chainctl iam groups list

You’ll get output regarding each of the groups you belong to, including a description of each group, if available.

 <Group ID> [tutorial-group] This is a shared IAM group for tutorials.
 <Group ID> [demo-group] This is a shared IAM group for running demos.

You can retrieve your groups’ UIDPs by adding the -o table option to the previous list command.

chainctl iam groups list -o table
      ID     |      NAME      |    DESCRIPTION      
-------------+----------------+-----------------------------------------------
  <Group ID> | tutorial-group | This is a shared IAM group for tutorials.
  <Group ID> | demo-group     | This is a shared IAM group for running demos.  

Some other chainctl functions require you to know a group’s UIDP, making this a useful option to remember.

Inviting Others to a Group

To invite others to a specific group, you can generate invite codes by creating invites to the group.

chainctl iam invite create $GROUP

You will be prompted for the scope that the invite code will be granted. After selecting the role bindings, the invite code will be generated. If you ever lose the invite code, a list of active invite codes can be found by listing them with chainctl:

chainctl iam invite list

This will provide output in the form of a table with group ID, when the invitation to the group will expire, the group key ID, and the role.

ID  |        EXPIRATION        |    KEYID       |              ROLE
------------------------------------------------------------+--------------------------+--------------------------------------+---------------------------------
<Group ID> | 2022-10-15T17:16:39.449Z | xxxxx | [demo] Demo role

To invite team members, auditors, or others to your desired groups, securely distribute the invite code and have them log in with chainctl as follows.

chainctl auth login --invite-code $INVITE_CODE

Chainguard’s IAM ensures that you can have a specific desired set up for certain groups, and also allows you to manage your users and what access they have.

Last updated: 2023-12-07 15:22