Custom roles

Matt Fellows

Whilst the four default roles in Pact should serve most of our customers, many customers will want to modify them to suit their needs - whether to simplify them, to implement the principle of least privilege in high security environments, or to support specific use cases.

Following on from the launch of our roles and permissions feature, we have released the ability to create and edit custom roles from the user interface (as always, all features are available via the API).

Creating or editing a role

Creating a new role is simple. Head to Settings > Roles where you can view and edit existing roles, or create a new one:

Role management screen

Here you can create a new role, or view or edit an existing one. Let's create a new role for a specific use case - updating secrets programmatically!

Example: secrets updater

Let's assume you work in a high security environment, and want to regularly rotate a secret that is used by one or more webhooks to trigger a build. There will be a separate application that runs on a regular schedule that is responsible for sourcing a new credential, and updating it into a Secret via our API.

We'll create a new Role and assign it to a CI user that is assigned to a specific team, so that it has the minimum set of privileges required to function.

Creating a new role

First create a new role with the ability to view and manage secrets associated with the User's team. We only need to assign the secret:manage:team scope to achieve this, which allows create, update and delete operations for team-scoped secrets.

Creating a new team secret management role

Assign the role to the system account

We need to associate the role with the System Account whose API token we'll use to run the job:

Assign the system user to the Secret Rotator Role

Assign the System User to the correct team

Lastly, we associate the System User with the team that it is allowed to update the secrets for:

Now our SecretsUpdater user can rotate any secret that has been linked to the SomeSpecialTeam team.
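
A sketch of the scheduled rotation job described above, added here as an example and not taken from the original post or the product's own code. The endpoint path, the request body shape and the Bearer token header are assumptions to check against the API documentation; the function names and the `send` parameter are hypothetical.

```python
import json
import urllib.error
import urllib.request

# Assumption: a secret is updated with PUT {base_url}/secrets/{uuid} and a
# JSON body carrying the new "value". Confirm against the API documentation.
SECRET_PATH = "/secrets/{uuid}"


def build_rotation_request(base_url, secret_uuid, api_token, new_value):
    """Build the authenticated update request for one team-scoped secret."""
    if not base_url.startswith("https://"):
        # The request carries both the API token and the new secret value.
        raise ValueError("refusing to send credentials over a non-TLS URL")
    return urllib.request.Request(
        base_url.rstrip("/") + SECRET_PATH.format(uuid=secret_uuid),
        data=json.dumps({"value": new_value}).encode(),
        method="PUT",
        headers={
            # Assumption: the system account's API token is sent as a Bearer token.
            "Authorization": "Bearer " + api_token,
            "Content-Type": "application/json",
        },
    )


def rotate(base_url, secret_uuid, api_token, new_value,
           send=urllib.request.urlopen):
    """Push new_value into the secret.

    Returns "rotated", "forbidden" or "failed:<status>". The token and the
    secret value are never included in the return value, so the result is
    safe to log from a CI job.
    """
    req = build_rotation_request(base_url, secret_uuid, api_token, new_value)
    try:
        with send(req) as resp:
            ok = 200 <= resp.status < 300
            return "rotated" if ok else f"failed:{resp.status}"
    except urllib.error.HTTPError as err:
        # A 401/403 means the token's role or team membership does not cover
        # this secret. With only secret:manage:team granted, that is the
        # expected outcome for secrets linked to other teams.
        if err.code in (401, 403):
            return "forbidden"
        return f"failed:{err.code}"
```

Running the job once against a secret linked to a different team and confirming it reports `forbidden` is a quick check that the role and team assignment are as narrow as intended.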

A word of caution

Customising roles is an advanced feature. Be careful when modifying existing roles, as an incorrect set of permissions may result in unintended consequences such as CI build failures or, in the worst case, may lock you or your team out of the system.

Just remember - with great power, comes great responsibility!

Availability

This feature is available now on all plans.
