How to Manage Chainguard IAM Organizations

Using Identity and Access Management in Chainguard

Chainguard provides a rich Identity and Access Management (IAM) model similar to those used by AWS and GCP. This guide outlines how to manage Chainguard’s IAM structures with the chainctl command line tool.

Note: You should work with Chainguard’s Customer Success team to create or delete organizations. This will help to ensure that no users lose access to resources and that your IAM structure is configured correctly.

Logging in

To authenticate into the Chainguard platform, run the following login command.

chainctl auth login

A web browser window will open to prompt you to log in via your chosen OIDC flow. Select an account with which you wish to register. Once authenticated, you can set up an organization.

Listing Organizations

At any time, you can list the organizations your account has access to by using the list subcommand. To make it more human readable, you can output the information as a table by passing -o table to the end of the command.

chainctl iam organizations list

You’ll get output regarding each of the organizations the user you’re logged in as belongs to, including a description of each organization, if available.

[demo-org] This is a shared IAM organization for running demos
[tutorial-org] This is a shared IAM organization for tutorials.

You can retrieve your organizations’ UIDPs by adding the -o table option to the previous list command.

chainctl iam organizations list -o table
          ID          |     NAME     |  	DESCRIPTION
  <Organization UIDP> | tutorial-org | This is a shared IAM
                      |              | organization for tutorials.
  <Organization UIDP> | demo-org     | This is a shared IAM
                      |              | organization for running demos

Some other chainctl functions require you to know an organization’s UIDP, making this a useful option to remember.

Inviting Others to an Organization

You can use chainctl to generate invite codes in order to invite others to a specific organization.

To do so, run the following command, making sure to replace $ORGANIZATION with the name of your chosen organization.

chainctl iam invite create $ORGANIZATION

You will be prompted for the scope that the invite code will be granted. After selecting the role-bindings, this command will generate both an invite code and an invite link. If you ever lose the invite code, you can retrieve a list of active invite codes with the following chainctl command:

chainctl iam invite list

This will provide output in the form of a table with the organization ID, a timestamp indicating when the invitation to the organization will expire, the invite code’s key ID, and the selected role.

          ID          |        EXPIRATION        |     KEYID     |          	ROLE          	 
  <Organization UIDP> | 2024-03-23T00:55:04.813Z | <Invite code> | [editor] Editor            	 

Note that this invite code found under the KEYID column will be shorter than the one returned in the output of the chainctl iam invite create command, but they are effectively the same.

To invite team members, auditors, or others to your desired organizations, securely distribute the invite code and have them log in with chainctl as follows.

chainctl auth login --invite-code $INVITE_CODE

You can also securely distribute the invite link and have users open it in their web browser to log in and join the organization.

Note that you can tighten the scope of an invite code by including the --email and --ttl flags when creating the invite.

chainctl iam invite create $ORGANIZATION --email --ttl 24h

In this example, the invitation is scoped to a user with the email address If someone with a different email address tries to use the code it will not work. The --ttl option in this example means that the code will expire in 24 hours.

Learn more

In addition to inviting other users to your organization, you can set up assumable identities to allow automation systems — like Buildkite or GitHub Actions — to perform certain administrative tasks for your organization. To learn more, we encourage you to check out our Overview of Assumable Identities as well as our collection of Assumable Identity Examples.

You may also be interested in setting up a Custom Identity Provider for your organization. By default, users can log in with GitHub GitLab, and Google, but a Custom IDP can allow members of your organization to log in to Chainguard with a corporate identity provider like Okta, Azure Active Directory, or Ping Identity.

Last updated: 2024-04-03 15:22