Managing permissions
This page covers managing permissions for Earthly Cloud products, such as Earthly Cloud Secrets, and Earthly Satellites.
Earthly Cloud's permissions model has two security boundaries:
- Earthly orgs
- Earthly projects
Users may be invited to a specific organization, and optionally to specific projects within the organization.
Earthly orgs may contain the following shared resources:
- Satellites
- Earthly projects
Earthly projects, in turn, may contain the following resources:
- Secrets
- Pipelines
- Build history, including build logs
Within an Earthly org, users may be granted one of the following access levels:
read: Can view the org, projects, and user membership. Can also view, inspect, wake and build on satellites.read+secrets: Same as read, but can also view and use secrets.write: Everything inread+secrets, plus the ability to create and modify satellites, projects, and secrets.admin: Can manage the org, including adding and removing users, and managing projects, secrets and satellites.
Having a certain level of access for a given org automatically grants the same level of access to all projects within that org.
To grant access to an Earthly org, you must invite the user to the org. This can be done by running:
earthly org invite --permission <access-level> <email>
If the user is already part of the org, you can change their access level by running:
earthly org member update --permission <permission> <email>
If you want to revoke access to an Earthly org, you can do so by running:
earthly org member rm <email>
Within an Earthly project, users may be granted one of the following access levels:
read: Can view the project, including the build history and build logs.read+secrets: Same as read, but can also view and use secrets.write: Everything inread+secrets, plus the ability to create and modify secrets.admin: Everything inwrite, plus the ability to manage the project's users.
To grant access to an Earthly project, you must invite the user to the project. This can be done by running:
earthly project --project <project-name> member add --permission <access-level> <email>
Note
You can only invite a user to a project if they are already part of the organization.
If the user is already part of the project, you can change their access level by running:
earthly project --project <project-name> member update --permission <permission> <email>
If you want to revoke access to an Earthly project, you can do so by running:
earthly project --project <project-name> member rm <email>
Last modified 1mo ago