Role Management
To fetch a role with the CLI
exo iam role show my-role
┼─────────────┼──────────────────────────────────────┼
│ ID │ f37adf2f-1c95-4866-8d73-baadeb3e18a0 │
│ Name │ my-role │
│ Description │ │
│ Editable │ true │
│ Labels │ n/a │
│ Permissions │ n/a │
┼─────────────┼──────────────────────────────────────┼
To see its policy, add the --policy flag:
exo iam role show my-role --policy
┼─────────┼────────────────────────────────┼─────────────┼────────────────────────────────────────────────┼
│ SERVICE │ TYPE (DEFAULT STRATEGY "DENY") │ RULE ACTION │ RULE EXPRESSION │
┼─────────┼────────────────────────────────┼─────────────┼────────────────────────────────────────────────┼
│ compute │ rules │ deny │ resources.sks_cluster.name == 'my-sks-cluster' │
│ │ │ allow │ true │
│ dns │ allow │ │ │
┼─────────┼────────────────────────────────┼─────────────┼────────────────────────────────────────────────┼
To see the policy in JSON format, add the --output-format json flag:
exo iam role show my-role --policy --output-format json | jq .
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "deny",
          "expression": "resources.sks_cluster.name == 'my-sks-cluster'"
        },
        {
          "action": "allow",
          "expression": "true"
        }
      ]
    },
    "dns": {
      "type": "allow"
    }
  }
}
Reusing an existing Role
If you want to copy or slightly modify an existing policy for a new role, you can get the policy directly:
exo iam role show --policy --output-format json example-restricted-role > role-policy.json
Then create the new role from that file:
cat role-policy.json | exo iam role create example-restricted-role-copy --policy -
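To "slightly modify" an exported policy before creating the copy, the JSON can be tightened programmatically instead of edited by hand. The following is an added example, not part of the Exoscale CLI or documentation: `derive_policy` is a hypothetical helper, the second cluster name is constructed, and it assumes that services absent from the policy fall under `default-service-strategy` and that rule order matters, as the listing above suggests.

```python
import copy
import json
import sys

# Constructed sample: the policy JSON shown on this page for my-role.
SAMPLE_POLICY = {
    "default-service-strategy": "deny",
    "services": {
        "compute": {"type": "rules", "rules": [
            {"action": "deny",
             "expression": "resources.sks_cluster.name == 'my-sks-cluster'"},
            {"action": "allow", "expression": "true"},
        ]},
        "dns": {"type": "allow"},
    },
}


def derive_policy(policy, drop_services=(), extra_deny=None):
    """Return a tightened copy of an exported role policy (hypothetical helper).
    drop_services: services removed, leaving them to default-service-strategy.
    extra_deny: {service: [expression, ...]} deny rules placed before existing ones.
    """
    new = copy.deepcopy(policy)  # never mutate the exported original
    if drop_services and new.get("default-service-strategy") != "deny":
        raise ValueError("default strategy is not 'deny'; dropping a service would not restrict it")
    for name in drop_services:
        if name not in new["services"]:
            raise KeyError(f"service {name!r} is not in the source policy")
        del new["services"][name]
    for name, expressions in (extra_deny or {}).items():
        svc = new["services"][name]
        if svc.get("type") != "rules":
            raise ValueError(f"service {name!r} has type {svc.get('type')!r}, expected 'rules'")
        known = {r["expression"] for r in svc["rules"] if r["action"] == "deny"}
        added = [{"action": "deny", "expression": e} for e in expressions if e not in known]
        # Assumption: rule order matters, so new denies go ahead of the catch-all allow.
        svc["rules"] = added + svc["rules"]
    return new


if __name__ == "__main__":
    # Reads the exported policy on stdin and writes the derived policy to stdout.
    derived = derive_policy(
        json.load(sys.stdin),
        drop_services=["dns"],
        extra_deny={"compute": ["resources.sks_cluster.name == 'other-sks-cluster'"]},  # constructed name
    )
    json.dump(derived, sys.stdout, indent=2)
```

Saved under a name of your choice (for example derive_policy.py), it fits between the two commands above: pipe the output of exo iam role show --policy --output-format json into it, and pipe its output into exo iam role create ... --policy -.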
Updating a role
exo iam role update example-role --description "hello world"
NOTE
The Role policy can only be updated if the role is Editable (default true). This parameter can’t be updated.
cat role-policy-v2.json | exo iam role update example-restricted-role --policy -
Deleting a role
exo iam role delete example-role