Access control to restrict groups of users to specified paths

From @gdenn on October 13, 2017 7:25

Feature Request

Problem

We access the same credhub with multiple users through the credhub cli. But I don't want everyone to see all the variables in the credhub. E.g. we have credentials only relevant for specific Concourse Pipelines, credentials needed by an Administrator for our bosh deployment or simple credentials that help apps to access their dashboard.

As we are redeploying our bosh from time to time to include new features, it is important to us that the different people can access their passwords without conducting a system administrator. But on the other hand we don’t want to expose all credentials to everyone.

Solution

credhub cli could support different user groups. Each group gets e.g. access to a certain set of credentials that match a prefix. For our Concourse users this prefix would be /concourse.

With the different user groups I could create user accounts with only the access permissions I am comfortable to give.

best

Copied from original issue: cloudfoundry-incubator/credhub-cli#19
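The group-to-prefix model proposed in the issue, written out as an added example (not CredHub or credhub-cli code). Group names, the grant table and the `/`-separated credential paths are constructed for illustration; the point it shows is that prefix matching must stop at a path-segment boundary, otherwise a grant on `/concourse/main` would also cover `/concourse/main-admin/...`.

```python
"""Prefix-scoped credential access check (illustrative, not CredHub's format)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    prefix: str            # e.g. "/concourse/main"
    operations: frozenset  # e.g. frozenset({"read", "write"})


# Constructed group -> grants table (hypothetical names and paths)
GROUP_GRANTS = {
    "concourse-main":   [Grant("/concourse/main",   frozenset({"read", "write"}))],
    "concourse-team-b": [Grant("/concourse/team-b", frozenset({"read", "write"}))],
    "bosh-admins":      [Grant("/bosh",             frozenset({"read", "write", "delete"}))],
    "app-dashboards":   [Grant("/apps/dashboard",   frozenset({"read"}))],
}


def normalize(path):
    """Collapse repeated slashes and drop a trailing slash so "/bosh//x/" == "/bosh/x"."""
    segments = [s for s in path.split("/") if s]
    return "/" + "/".join(segments)


def under_prefix(path, prefix):
    """True when path is the prefix itself or lies below it on a segment boundary.

    A plain str.startswith(prefix) would let "/concourse/main" cover
    "/concourse/main-admin/secret"; requiring prefix + "/" closes that gap.
    """
    path, prefix = normalize(path), normalize(prefix)
    return path == prefix or path.startswith(prefix + "/")


def is_allowed(groups, path, operation):
    """Deny by default; allow only when some grant of some group covers path and operation."""
    for group in groups:
        for grant in GROUP_GRANTS.get(group, ()):
            if under_prefix(path, grant.prefix) and operation in grant.operations:
                return True
    return False


if __name__ == "__main__":
    print(is_allowed(["concourse-main"], "/concourse/main/db-password", "read"))     # True
    print(is_allowed(["concourse-main"], "/concourse/main-admin/db-password", "read"))  # False
```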

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:7 (2 by maintainers)

Top GitHub Comments

1 reaction
captainbland commented, Feb 20, 2018

Similar to this, there is an issue where we’d like to allow multiple Concourse teams to self-serve effectively. Giving them the rights to manage their own credentials without accessing other teams’ credentials would be a big step towards achieving that.

Otherwise we have to restrict access to CredHub and there’s a bottleneck in teams wanting to maintain their own pipelines. Credentials then have to be transmitted from different teams to those with access to CredHub which increases the surface area for an attacker trying to steal credentials.

0 reactions
martyspiewak commented, Sep 27, 2018

@jagadish-kb If the permissions aren't being respected it's probably because ACLs aren't being enabled. See the spec file for information on how to enable this. Prior to 2.0 this was not enabled by default.

These issues seem to be addressed in CredHub 2.0: you can now specify permissions on namespaces of credentials. See the release notes for more information.
