spec:
roles:
- mrn: string # Required: MRN identifier
name: string # Required: Human-readable name
description: string # Optional: Description
policy: string # Required: Policy MRN
annotations: # Optional: Key-value metadata
- name: string
value: string # JSON-encoded value
| Field | Type | Required | Description |
|---|---|---|---|
mrn | string | Yes | Unique MRN identifier |
name | string | Yes | Human-readable name |
description | string | No | Role description |
policy | string | Yes | MRN of policy to apply |
annotations | array | No | List of name/value objects for custom metadata |
Roles are assigned to principals via the mroles claim in the JWT. When a principal has a role, the role's policy is evaluated during Phase 2 (identity phase).
roles:
- mrn: "mrn:iam:role:admin"
name: admin
description: "Full administrative access"
policy: "mrn:iam:policy:allow-all"
- mrn: "mrn:iam:role:viewer"
name: viewer
description: "Read-only access"
policy: "mrn:iam:policy:read-only"
- mrn: "mrn:iam:role:no-access"
name: no-access
description: "No access - for suspended accounts"
policy: "mrn:iam:policy:deny-all"
roles:
- mrn: "mrn:iam:role:regional-admin"
name: regional-admin
description: "Admin for specific region"
policy: "mrn:iam:policy:regional-access"
annotations:
- name: "region"
value: "\"us-west\""
- name: "level"
value: "2"
policies:
- mrn: &allow-all "mrn:iam:policy:allow-all"
name: allow-all
rego: |
package authz
default allow = true
roles:
- mrn: "mrn:iam:role:admin"
name: admin
policy: *allow-all
Can you improve this documentation?Edit on GitHub
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |