Overview of the Chainguard IAM Model

Chainguard Identity and Access Management

Chainguard provides a rich Identity and Access Management (IAM) model similar to those used by AWS and GCP. Once authenticated, you can set up a desired structure for managing and delegating policies.

Role Bindings

There are four built-in role bindings in Chainguard’s IAM model (excluding expiremental roles):

  • Owner
  • Editor
  • Viewer
  • Gulfstream

You can review the capabilities of each of these roles by running chainctl iam role list in order to review the specific capabilities of each of these roles.

Owner is the role with the most privileges. An owner can create, delete, view (list), and modify (update) across policies, groups, account associations, role bindings, and subscriptions. Additionally, an owner can create, delete, and view clusters and group invites. An owner has read-only access to roles and records.

Editor is the role with read access and limited creation and modification access. An editor can create, delete, and view clusters, role bindings, and subscriptions. Additionally, an editor can modify role bindings and subscriptions. As opposed to the owner role, an editor can view policies, records, groups (and group invites), roles, and account association; but an editor cannot make changes to policies, records, groups, roles, and account associations. An editor cannot invite users to groups.

Viewer is a role that generally only has read-only access. That is, a viewer can list policies, groups (and group invites), clusters, records, roles and role bindings, subscriptions, and account associations.

Gulfstream is a role used for Chainguard’s proprietary controller infrastructure, also known as Gulfstream. You can check out our Gulfstream Overview to learn more about how Gulfstream works.

Last updated: 2023-10-26 15:22