Access Control
Coldrune uses deny-by-default access control. Without an explicit rule, users with developer or member roles and all service accounts are denied access.
Who needs ACL rules?
| Subject | ACL required? |
|---|---|
| Org owner | No — full access |
| Org admin | No — full access |
| Org developer | Yes |
| Org member | Yes |
| Service account | Always |
| Superadmin | No — bypasses everything |
Grant access
This gives Alice write access to all environments in any project starting with api-.
For service accounts, use --subject with the service account name:
Pattern syntax
Project and environment patterns support glob-like matching:
| Pattern | Matches |
|---|---|
| * | Everything |
| api-* | api-backend, api-gateway, api-v2 |
| *-prod | us-prod, eu-prod |
| api-? | api-1, api-x (single character) |
| {dev,staging} | dev or staging |
| api-{v1,v2} | api-v1 or api-v2 |
Patterns are matched against the actual project or environment name when a secret is accessed.
Permission hierarchy
| Level | Allows |
|---|---|
read | Get secret values, list keys |
write | Everything in read + set and delete secrets |
admin | Everything in write + manage ACL rules |
Each level includes all permissions below it. Granting write implicitly grants read.
List rules
Revoke access
Upsert behavior
Granting the same subject + project pattern + env pattern combination updates the existing rule’s permission level instead of creating a duplicate.
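The following Python model ties together the pattern syntax, the permission hierarchy, deny-by-default evaluation and the upsert behavior described on this page. It is an added example, not Coldrune's own code: the `AclStore` class, the `Rule` dataclass, the role names used for bypass, and the choice that the most permissive matching rule wins when several rules match are assumptions of this example, not documented Coldrune behavior.

```python
"""Toy model of deny-by-default ACLs with glob-like patterns (added example, not Coldrune's code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Permission hierarchy from the page: each level includes the ones below it.
LEVELS = {"read": 1, "write": 2, "admin": 3}
# Roles the page says need no ACL rule at all (role names are an assumption of this example).
BYPASS_ROLES = {"owner", "admin", "superadmin"}


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the page's glob-like syntax (*, ?, {a,b}) into an anchored regex.

    Nested braces are not supported; the page only shows flat alternatives.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")  # any run of characters, including empty
        elif ch == "?":
            parts.append(".")  # exactly one character
        elif ch == "{":
            close = pattern.find("}", i)
            if close == -1:
                raise ValueError(f"unterminated '{{' in pattern {pattern!r}")
            alternatives = pattern[i + 1:close].split(",")
            parts.append("(?:" + "|".join(re.escape(a) for a in alternatives) + ")")
            i = close
        else:
            parts.append(re.escape(ch))  # literal character
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def pattern_matches(pattern: str, name: str) -> bool:
    """True if the actual project or environment name is matched by the pattern."""
    return pattern_to_regex(pattern).match(name) is not None


@dataclass
class Rule:
    subject: str
    project_pattern: str
    env_pattern: str
    level: str


class AclStore:
    """In-memory rule store with grant (upsert), revoke and lookup (assumed structure)."""

    def __init__(self) -> None:
        self.rules: list[Rule] = []

    def grant(self, subject: str, project_pattern: str, env_pattern: str, level: str) -> Rule:
        if level not in LEVELS:
            raise ValueError(f"unknown permission level {level!r}")
        key = (subject, project_pattern, env_pattern)
        for rule in self.rules:
            if (rule.subject, rule.project_pattern, rule.env_pattern) == key:
                rule.level = level  # upsert: same subject + patterns updates the level in place
                return rule
        rule = Rule(subject, project_pattern, env_pattern, level)
        self.rules.append(rule)
        return rule

    def revoke(self, subject: str, project_pattern: str, env_pattern: str) -> bool:
        """Remove the matching rule; returns False if no such rule existed."""
        key = (subject, project_pattern, env_pattern)
        kept = [r for r in self.rules if (r.subject, r.project_pattern, r.env_pattern) != key]
        removed = len(kept) < len(self.rules)
        self.rules = kept
        return removed

    def effective_level(self, subject: str, project: str, env: str) -> Optional[str]:
        """Highest level among rules whose patterns match the real names; None if nothing matches.

        Assumption (not stated on the page): when several rules match, the most permissive wins.
        """
        best = 0
        for rule in self.rules:
            if rule.subject != subject:
                continue
            if pattern_matches(rule.project_pattern, project) and pattern_matches(rule.env_pattern, env):
                best = max(best, LEVELS[rule.level])
        return next((name for name, rank in LEVELS.items() if rank == best), None)


def is_allowed(store: AclStore, subject: str, role: str, project: str, env: str, action: str) -> bool:
    """Deny-by-default decision; action is 'read', 'write' or 'admin'."""
    if role in BYPASS_ROLES:
        return True  # owners, admins and superadmins need no rule
    level = store.effective_level(subject, project, env)  # developers, members, service accounts
    return level is not None and LEVELS[level] >= LEVELS[action]


if __name__ == "__main__":
    store = AclStore()
    store.grant("alice", "api-*", "*", "write")  # the page's "Alice" example
    print(is_allowed(store, "alice", "developer", "api-gateway", "prod", "write"))  # True
    print(is_allowed(store, "alice", "developer", "billing", "prod", "read"))  # False
```

Granting `alice` the same `api-*` / `*` combination again with `read` replaces the level on the existing rule rather than adding a second one, and a subject with no matching rule gets `None` from `effective_level`, which `is_allowed` treats as a denial.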