Role Based Access Control
Notes
- Available only when using bucket storage (not in-memory).
OpenTaco includes a comprehensive RBAC system that allows you to control access to Terraform states based on user roles and permissions. The RBAC system is only available when using S3 storage (not in-memory storage).
Overview
The RBAC system consists of three main components:
- Permissions - Define what actions are allowed on what resources
- Roles - Collections of permissions that can be assigned to users
- Users - Individuals who are assigned roles
Key Features
- Resource-specific permissions - Use wildcards like dev/* to limit access to specific directories
- Permission-based access control - Create reusable permissions with specific rules
- Permission testing - Test what users can do without executing operations
- Email-based user management - Use email addresses for user-friendly role assignments
- Wildcard support - Use * for actions or resources to grant broad permissions
- Deny rules - Explicitly deny access with deny effect rules
Quick Start
1. Initialize RBAC
# Login first
taco login
# Initialize RBAC for your user
taco rbac init
This creates default permissions and roles, and assigns admin and default roles to your user.
2. Create Permissions
# Create a permission for developer access to dev environments
taco rbac permission create dev-access "Developer Access" "Access to dev environments" \
--rule "allow:unit.read,unit.write,unit.lock:dev/*"
# Create a permission for production read-only access
taco rbac permission create prod-read "Production Read" "Read-only access to production" \
--rule "allow:unit.read:myapp/prod"
# Create a permission for admin full access
taco rbac permission create admin-full "Admin Full Access" "Full system access" \
--rule "allow:unit.read,unit.write,unit.lock,unit.delete:*" \
--rule "allow:rbac.manage:*"
3. Create Roles
# Create roles (initially with no permissions)
taco rbac role create developer "Developer" "Can access dev environments"
taco rbac role create viewer "Viewer" "Can view production units"
taco rbac role create admin "Administrator" "Full system access"
4. Assign Permissions to Roles
# Assign the dev-access permission to the developer role
taco rbac role assign-permission developer dev-access
# Assign the prod-read permission to the viewer role
taco rbac role assign-permission viewer prod-read
# Assign the admin-full permission to the admin role
taco rbac role assign-permission admin admin-full
5. Assign Roles to Users
# Assign roles to users (by email)
taco rbac user assign john.doe@example.com developer
taco rbac user assign jane.smith@example.com viewer
taco rbac user assign admin@example.com admin
6. Test Permissions
# Test if a user can lock a specific unit
taco rbac test john.doe@example.com lock dev/myapp
# Test if a user can push to a unit
taco rbac test john.doe@example.com unit push myapp/prod
Permission Rules
Permissions define access rights using rules in the format: effect:actions:resources
Effects
allow - Grant permission
deny - Explicitly deny permission (overrides allow rules)
Actions
unit.read - Read unit tfstate data
unit.write - Write unit tfstate data
unit.lock - Lock/unlock units
unit.delete - Delete units
rbac.manage - Manage RBAC (roles, policies, users)
* - All actions
Resources
* - All resources
myapp/prod - Specific unit
dev/* - All units under dev/ directory
myapp/* - All units under myapp/ directory
Examples
# Allow read/write access to all dev environments
allow:unit.read,unit.write:dev/*
# Allow full access to specific production unit
allow:unit.read,unit.write,unit.lock,unit.delete:myapp/prod
# Deny deletion of production units
deny:unit.delete:myapp/prod
# Allow RBAC management
allow:rbac.manage:*
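As an added illustration (not OpenTaco's own code), the rule semantics described above in Python: a small evaluator for effect:actions:resources run over the Quick Start's permissions, roles and users, plus the deny example. Treating dev/* as a prefix match on the unit path is an assumption; the page does not spell out the matching algorithm.

```python
# Added example, not OpenTaco's own code: evaluates "effect:actions:resources"
# rules with the semantics the page states (deny overrides allow, "*" matches
# any action or resource). Assumption: "dev/*" is a prefix match on the path.
def parse_rule(rule):
    """Split 'effect:actions:resources' into (effect, actions, resources)."""
    effect, actions, resources = rule.split(":", 2)
    if effect not in ("allow", "deny"):
        raise ValueError(f"unknown effect {effect!r} in rule {rule!r}")
    return effect, actions.split(","), resources.split(",")

def resource_matches(pattern, resource):
    if pattern == "*":
        return True
    if pattern.endswith("/*"):  # assumed: "dev/*" covers everything below dev/
        return resource.startswith(pattern[:-1])
    return pattern == resource

def evaluate(rules, action, resource):
    """True only if some rule allows the action on the resource and none denies it."""
    allowed = False
    for rule in rules:
        effect, actions, resources = parse_rule(rule)
        if ("*" in actions or action in actions) and any(
            resource_matches(r, resource) for r in resources
        ):
            if effect == "deny":
                return False  # an explicit deny wins regardless of allow rules
            allowed = True
    return allowed

# Constructed sample mirroring the Quick Start: permissions hold rules,
# roles hold permissions, users hold roles. prod-guard carries the deny example.
PERMISSIONS = {
    "dev-access": ["allow:unit.read,unit.write,unit.lock:dev/*"],
    "prod-read": ["allow:unit.read:myapp/prod"],
    "admin-full": ["allow:unit.read,unit.write,unit.lock,unit.delete:*",
                   "allow:rbac.manage:*"],
    "prod-guard": ["deny:unit.delete:myapp/prod"],
}
ROLES = {"developer": ["dev-access"], "viewer": ["prod-read"],
         "admin": ["admin-full", "prod-guard"]}
USERS = {"john.doe@example.com": ["developer"],
         "jane.smith@example.com": ["viewer"],
         "admin@example.com": ["admin"]}

def can(email, action, resource):
    """Flatten the user's roles into rules and evaluate, like `taco rbac test`."""
    rules = [rule for role in USERS.get(email, [])
             for perm in ROLES[role] for rule in PERMISSIONS[perm]]
    return evaluate(rules, action, resource)
```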
Complete Example Workflow
# 1. Initialize RBAC
taco rbac init
# 2. Create permissions
taco rbac permission create dev-access "Developer Access" "Access to dev environments" \
--rule "allow:unit.read,unit.write,unit.lock:dev/*"
taco rbac permission create prod-read "Production Read" "Read-only access to production" \
--rule "allow:unit.read:myapp/prod"
# 3. List permissions to verify
taco rbac permission list
# 4. Create roles
taco rbac role create developer "Developer" "Can access dev environments"
taco rbac role create viewer "Viewer" "Can view production states"
# 5. Assign permissions to roles
taco rbac role assign-permission developer dev-access
taco rbac role assign-permission viewer prod-read
# 6. List roles to verify permissions are assigned
taco rbac role list
# 7. Assign roles to users
taco rbac user assign john.doe@example.com developer
taco rbac user assign jane.smith@example.com viewer
# 8. Test permissions
taco rbac test john.doe@example.com lock dev/myapp
taco rbac test john.doe@example.com lock myapp/prod
taco rbac test jane.smith@example.com read myapp/prod
taco rbac test jane.smith@example.com write myapp/prod
Managing Role-Permission Relationships
Assign Additional Permissions to a Role
# Add more permissions to an existing role
taco rbac permission create staging-access "Staging Access" "Access to staging" \
--rule "allow:unit.read,unit.write:myapp/staging"
taco rbac role assign-permission developer staging-access
Revoke Permissions from Roles
# Remove a permission from a role
taco rbac role revoke-permission developer staging-access
List Roles to See Assigned Permissions
# View all roles and their assigned permissions
taco rbac role list
Troubleshooting
RBAC Not Available
If you get errors about RBAC not being available:
- Ensure you’re using S3 storage (not in-memory)
- Make sure you’ve run taco rbac init
- Check that you’re logged in with taco whoami
Permission Denied
If you get permission denied errors:
- Check your roles with taco rbac me
- Test permissions with taco rbac test <email> <operation>
- Verify permissions are assigned to your roles
- Check that the permissions have the correct rules for the resource you’re trying to access
User Not Found
If you get “user not found” errors when testing permissions:
- Make sure the user has been assigned at least one role
- Check user assignments with taco rbac user list
- Ensure the email address is correct and matches what was used during login
RBAC in storage
The rbac folder is visible in your configured storage bucket. To disable or remove RBAC, delete the rbac folder. You can also edit roles and permissions manually, or upload new ones, directly in the storage bucket.