Whilst the four default roles in Pact should serve most of our customers, many customers will want to modify them to suit their needs - whether to simplify them, implementing the principal of least privilege for high security environments or for specific use cases.
Following on from the launch of our roles and permissions feature, we have released the ability to create and edit custom roles from the user interface (as always, all features are available via the API).
Creating or editing a role
Creating a new role is simple. Head Settings > Roles where you can view and edit existing roles, or create a new one:
Here you can create a new role, view or edit an existing one. Let's create a new role for a specific use case - updating secrets programmatically!
Example: secrets updater
Let's assume you work in a high security environment, and want to regularly rotate a secret that is used by one or more webhooks to trigger a build. There will be a separate application that runs on a regular schedule that is responsible for sourcing a new credential, and updating it into a Secret via our API.
We'll create a new Role and assign it to a CI user that is assigned to specific team, so that it has the least set of privileges required to function.
Creating a new role
First create a new role with the ability to view and manage secrets associated with the User's team. We only need to assign the secret:manage:team scope to achieve this, which allows create, update and delete operations for team scoped secrets.
Assign the role to the system account
We need to associate the role with the System Account who's API token we'll use to run the job:
Assign the System User to the correct team
Lastly, we associate the System User with the team that it is allowed to update the secrets for:
Now our SecretsUpdater user can rotate any secret that has been linked to the SomeSpecialTeam team.
A word of caution
Customising roles is an advanced feature. Be careful when modifying existing roles, as an incorrect set of permissions may result in unintended consequences such as CI build failures or in the worst case may lock you or your team out of the system.
Just remember - with great power, comes great responsibility!
Availability
This feature is available now on all plans.
