Barbican Policies
Introduction
This document presents the permissions available for observer and creator roles on the Barbican service (key management) of Infomaniak Public Cloud, based on OpenStack default policies.
Context
Application Credentials must be created with the appropriate role according to functional needs. Use observer for read-only secret access, creator for full secret management.
Barbican-Specific Roles
observer- Read-only access to secrets and containers in Barbican (Barbican-specific equivalent ofreader)creator- Create and manage secrets and owned project resources
Legend
| Symbol | Meaning |
|---|---|
 |
Allowed - The policy explicitly permits this action |
 |
Forbidden - The policy explicitly denies this action |
 |
Conditional - Allowed based on ownership, visibility or ACL permissions |
Main Secret Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| List secrets | GET /v1/secrets |
secrets:get |
|
|
Project only |
| Show secret | GET /v1/secrets/{id} |
secret:get |
|
|
Based on ownership* |
| Create secret | POST /v1/secrets |
secrets:post |
|
|
Project member |
| Update secret payload | PUT /v1/secrets/{id} |
secret:put |
|
|
Secret owner |
| Delete secret | DELETE /v1/secrets/{id} |
secret:delete |
|
|
Secret owner |
*Ownership rules: project admin, secret owner, or non-private secret in project
Secret Data Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| Decrypt secret | GET /v1/secrets/{id}/payload |
secret:decrypt |
|
|
Based on ownership* |
*Ownership rules: project admin, secret owner, non-private secret in project, or ACL read permission
Secret Metadata Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| List metadata | GET /v1/secrets/{id}/metadata |
secret_meta:get |
|
|
Based on ownership* |
| Show metadata | GET /v1/secrets/{id}/metadata/{key} |
secret_meta:get |
|
|
Based on ownership* |
| Create metadata | POST /v1/secrets/{id}/metadata/{key} |
secret_meta:post |
|
|
Secret owner |
| Update metadata | PUT /v1/secrets/{id}/metadata |
secret_meta:put |
|
|
Secret owner |
| Update specific metadata | PUT /v1/secrets/{id}/metadata/{key} |
secret_meta:put |
|
|
Secret owner |
| Delete metadata | DELETE /v1/secrets/{id}/metadata/{key} |
secret_meta:delete |
|
|
Secret owner |
*Ownership rules: project admin, secret owner, non-private secret in project, or ACL read permission
Secret ACL Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| Get secret ACL | GET /v1/secrets/{id}/acl |
secret_acls:get |
|
|
Based on ownership* |
| Create/Update ACL | PUT /v1/secrets/{id}/acl |
secret_acls:put_patch |
|
|
Secret owner |
| Patch ACL | PATCH /v1/secrets/{id}/acl |
secret_acls:put_patch |
|
|
Secret owner |
| Delete ACL | DELETE /v1/secrets/{id}/acl |
secret_acls:delete |
|
|
Secret owner |
*Ownership rules: project admin, secret owner, or non-private secret in project
Secret Consumers Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| List consumers | GET /v1/secrets/{id}/consumers |
secret_consumers:get |
|
|
Based on ownership* |
| Create consumer | POST /v1/secrets/{id}/consumers |
secret_consumers:post |
|
|
Secret owner |
| Delete consumer | DELETE /v1/secrets/{id}/consumers |
secret_consumers:delete |
|
|
Secret owner |
*Ownership rules: project admin, secret owner, non-private secret in project, or ACL read permission
Container Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| List containers | GET /v1/containers |
containers:get |
|
|
Project only |
| Show container | GET /v1/containers/{id} |
container:get |
|
|
Based on ownership* |
| Create container | POST /v1/containers |
containers:post |
|
|
Project member |
| Delete container | DELETE /v1/containers/{id} |
container:delete |
|
|
Container owner |
*Ownership rules: project admin, container owner, non-private container in project, or ACL read permission
Container Secrets Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| Add secret | POST /v1/containers/{id}/secrets |
container_secret:post |
|
|
Container owner |
| Remove secret | DELETE /v1/containers/{id}/secrets/{secret_id} |
container_secret:delete |
|
|
Container owner |
Container ACL Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| Get container ACL | GET /v1/containers/{id}/acl |
container_acls:get |
|
|
Based on ownership* |
| Create/Update ACL | PUT /v1/containers/{id}/acl |
container_acls:put_patch |
|
|
Container owner |
| Patch ACL | PATCH /v1/containers/{id}/acl |
container_acls:put_patch |
|
|
Container owner |
| Delete ACL | DELETE /v1/containers/{id}/acl |
container_acls:delete |
|
|
Container owner |
*Ownership rules: project admin, container owner, or non-private container in project
Container Consumers Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| List consumers | GET /v1/containers/{id}/consumers |
container_consumers:get |
|
|
Based on ownership* |
| Create consumer | POST /v1/containers/{id}/consumers |
container_consumers:post |
|
|
Container owner |
| Delete consumer | DELETE /v1/containers/{id}/consumers |
container_consumers:delete |
|
|
Container owner |
*Ownership rules: project admin, container owner, non-private container in project, or ACL read permission
Orders Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| List orders | GET /v1/orders |
orders:get |
|
|
Project only |
| Show order | GET /v1/orders/{id} |
order:get |
|
|
Project member |
| Create order | POST /v1/orders |
orders:post |
|
|
Project member |
| Delete order | DELETE /v1/orders/{id} |
order:delete |
|
|
Project member |
Quotas Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| Get quotas | GET /v1/quotas |
quotas:get |
|
|
Project only |
Secret Stores Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| List secret stores | GET /v1/secret-stores |
secretstores:get |
|
|
Global information |
| Show secret store | GET /v1/secret-stores/{id} |
secretstore:get |
|
|
Global information |
| Get global default | GET /v1/secret-stores/global-default |
secretstores:get_global_default |
|
|
Global information |
| Get preferred | GET /v1/secret-stores/preferred |
secretstores:get_preferred |
|
|
Project setting |
Transport Keys Management
| Operation | Endpoint | Policy | Observer | Creator | Conditions |
|---|---|---|---|---|---|
| List transport keys | GET /v1/transport_keys |
transport_keys:get |
|
|
Global information |
| Show transport key | GET /v1/transport_keys/{id} |
transport_key:get |
|
|
Global information |
Capabilities Summary by Role
Granted permissions:
- View project secrets and containers
- View public and shared resources
- Decrypt authorized secrets
- View metadata and ACLs
- View orders and quotas
- View secret stores information
Limitations:
- No creation or modification actions
- No ACL or metadata management
- No consumer management
Granted permissions:
- All Observer capabilities
- Create secrets and containers
- Full access to existing secrets owned by the project
- Modify and delete owned resources
- Manage metadata and ACLs
- Manage consumers
- Create and manage orders
Limitations:
- Limited to project-scoped operations
- Resource deletion restricted to owned resources
Usage Examples
Secret Consultation Application
Use case: Application reading configuration secrets
Recommended role: observer
# Application Credential
role: observer
# Possible actions
- openstack secret list
- openstack secret get <secret-id>
- openstack secret get --payload <secret-id>
Secret and Certificate Automation Application (Creator)
Use case: Dedicated secret management, certificate automation
Recommended role: creator
# Application Credential
role: creator
# Possible actions
- openstack secret store --name db-password --payload 'mysecret'
- openstack secret container create --name ssl-certs
- openstack secret get --payload <secret-id>
- openstack secret delete <secret-id>
Advantage: Full access to project secrets with creation and deletion capabilities scoped to the project
Context Variables
Policies use the following variables to determine authorizations:
| Variable | Description |
|---|---|
%(target.secret.project_id)s |
Secret owner project ID |
%(target.secret.creator_id)s |
Secret creator user ID |
%(target.secret.read_project_access)s |
Secret visibility status |
%(target.container.project_id)s |
Container owner project ID |
%(target.container.creator_id)s |
Container creator user ID |
%(target.order.project_id)s |
Order owner project ID |
%(enforce_new_defaults)s |
Enable new default policies |
Important Notes
Best Practices
- Principle of least privilege: Use the
observerrole if you only need to read secrets - Resource ownership: Only resource owners can modify secrets and containers
- Private vs Public: Manage resource visibility through ACLs
- Application Credentials management: Create specific credentials per use case
Security Considerations
- Secret payloads are sensitive data - ensure proper access control
- ACLs allow cross-project sharing - use with caution
- Private resources are only accessible by their creators and project admins