HashiCorp Cloud Platform
Access Management
This topic describes HCP's access management features. You can set roles and permissions at the organization level, the project level, or the resource level to secure access to HCP resources.
Roles & Permissions
HCP uses a role-based access controls (RBAC) system to enable members of your organizations and projects to perform actions in HCP and interact with resources. Some HCP applications allow you to assign roles for specific resources, such as an HCP Packer bucket. Refer to the specific HCP application documentation for more information.
Types of Roles
HCP has two general groupings of roles on the platform: basic (All services) roles and fine-grained (service) roles.
Basic (All services) roles contain permissions from all or most services. Consider using basic roles initially when setting up and adopting HCP. However, they should be replaced with fine-grained roles when adding production workloads.
Fine-grained (service) roles contain permissions from one service or a minimal set of services. They are the preferred method for access management and should be used instead of basic (All services) roles whenever applicable.
Inheritance
Each resource in an HCP organization has an IAM policy associated with it that describes the level of access allowed on that resource. This IAM policy is a data structure that maps roles to the principals assigned to that resource.
Users inherit role permissions according to the following hierarchy:
- Role assigned in the organization.
- Role assigned in the project.
- Role assigned for the resource.
Permissions are inherited through the resource hierarchy: they are effective for the resource they are assigned to and for all of that resource's descendants.
For example, a user assigned the viewer role in an organization also has viewer role permissions for projects within the organization. Likewise, a user assigned the contributor role in a project also has contributor role permissions for resources within the project.
If a user has a viewer role in an organization and an admin role on a project in the same organization, the user receives the combined viewer and admin role permissions within that specific project.
Organization
The following table describes role permissions assigned at the organization level.
HCP Organization Permissions | Owner | Admin | Contributor | Viewer | Browser | No role |
---|---|---|---|---|---|---|
Add and delete users | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Manage user permissions | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
View users | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
View groups | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Manage service principals | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Manage groups | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
View current billing status | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Create projects | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
View projects | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
View project resources | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Request Organization deletion | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Manage SSO configuration | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Manage billing resources | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Through the SSO default role settings or the IAM settings, a user can be part of an organization with no roles assigned directly to them. To enforce least-privilege access, such new users have a limited experience within the platform until an Admin assigns them either an organization or a project role.
Project
The following table describes role permissions scoped to the project level.
HCP project permissions | Owner | Admin | Contributor | Viewer | Browser |
---|---|---|---|---|---|
View project | ✅ | ✅ | ✅ | ✅ | ✅ |
View project resources | ✅ | ✅ | ✅ | ✅ | ❌ |
Edit project permissions | ✅ | ✅ | ❌ | ❌ | ❌ |
Delete project | ✅ | ✅ | ❌ | ❌ | ❌ |
Create and delete project resources | ✅ | ✅ | ✅ | ❌ | ❌ |
Manage project service principals | ✅ | ✅ | ❌ | ❌ | ❌ |
Assign a project role
To narrow the scope of user permissions, you can set a role on the project level. To add a user to a project, you have to invite the user to the organization first.
- Select the target project.
- Click Access Control (IAM) in the sidebar.
- Select the username.
- From the Role drop-down menu, choose a project-level role to assign to the user. Refer to the project role tables for information about the roles you can assign.
Role Names and Role IDs
To interact with the HCP Access Management system using the HCP Terraform provider or the public APIs, you must format the role IDs you reference correctly. The following table lists role names and the format of their role IDs.
Role name | Role ID |
---|---|
Admin | roles/admin |
Contributor | roles/contributor |
Viewer | roles/viewer |
Browser | roles/resource-manager.browser |
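The inheritance rule above (a role bound at the organization applies to every project beneath it, and a viewer at the organization plus admin on one project gets the combined permissions there) can be checked against a small model. This is an added example written for this page, not HCP's or the Terraform provider's code; the role IDs come from the table above, the permission sets from the project table, and the principals and policies are constructed.

```python
from dataclasses import dataclass, field

# Permission sets per role ID, transcribed from this page's project table.
# "Owner" is left out because the page lists no role ID for it.
PROJECT_ROLE_PERMISSIONS = {
    "roles/admin": {
        "view project", "view project resources", "edit project permissions",
        "delete project", "create and delete project resources",
        "manage project service principals",
    },
    "roles/contributor": {
        "view project", "view project resources", "create and delete project resources",
    },
    "roles/viewer": {"view project", "view project resources"},
    "roles/resource-manager.browser": {"view project"},
}

@dataclass
class IamPolicy:
    """IAM policy attached to one level of the hierarchy: role ID -> principals."""
    bindings: dict = field(default_factory=dict)

    def roles_for(self, principal: str) -> set:
        return {role for role, members in self.bindings.items() if principal in members}

def effective_roles(principal: str, chain: list) -> set:
    """Union of roles bound at every level of `chain`, ordered organization ->
    project -> resource; a role granted higher up is inherited by everything below."""
    roles = set()
    for policy in chain:
        roles |= policy.roles_for(principal)
    return roles

def effective_permissions(principal: str, chain: list) -> set:
    """Combined permissions of all inherited roles (the page's viewer + admin case)."""
    perms = set()
    for role in effective_roles(principal, chain):
        perms |= PROJECT_ROLE_PERMISSIONS.get(role, set())
    return perms

# Constructed sample policies (hypothetical principal IDs, not real HCP identities).
ORG_POLICY = IamPolicy({"roles/viewer": {"alice"}})
PROJECT_A_POLICY = IamPolicy({"roles/admin": {"alice"}})      # alice is admin here only
PROJECT_B_POLICY = IamPolicy({"roles/contributor": {"bob"}})  # alice inherits viewer only

if __name__ == "__main__":
    print(sorted(effective_permissions("alice", [ORG_POLICY, PROJECT_A_POLICY])))
    print(sorted(effective_permissions("alice", [ORG_POLICY, PROJECT_B_POLICY])))
    print(sorted(effective_permissions("carol", [ORG_POLICY, PROJECT_B_POLICY])))  # no role
```

Running it shows that alice's admin grant is confined to project A, while her organization-level viewer role follows her into project B, which is the behaviour to expect when reviewing who can act on a given project.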