# help
j
I'm looking at https://docs.cerbos.dev/cerbos/latest/configuration/storage.html and I notice for the blob driver I don't see any examples where you can specify credentials for connecting to the blob storage service. Is it assumed that the blob storage service provides unrestricted access to cerbos?
storage:
  driver: "blob"
  blob:
    bucket: "gs://my-bucket-name"
    workDir: ${HOME}/tmp/cerbos/work
    updatePollInterval: 10s
So how do I ensure my blob storage service is only accessible to Cerbos? I don't want prying eyes to see the policies in my blob storage service.
With the git driver, I can see where you need to include credentials.
storage:
  driver: "git"
  git:
    protocol: https
    url: https://github.com/cerbos/policy-test.git
    branch: main
    subDir: policies
    checkoutDir: ${HOME}/tmp/work/policies
    updatePollInterval: 60s
    operationTimeout: 30s
    https:
      username: cerbos
      password: ${GITHUB_TOKEN}
d
Credentials are taken from the environment. For example, you can use the GOOGLE_APPLICATION_CREDENTIALS environment variable to specify the service account key.
j
Is there cerbos documentation that explains this? Can you kindly point me to it?
So in the yaml for the storage driver, how do I specify it to use the environment variable? For example with gcs, what do I put in the yaml?
d
Sorry, the docs do not say much now - we should expand them. The docs might have a reference to the appropriate cloud provider documentation, because Cerbos does not do anything about authentication and delegates this to the SDK, which takes credentials from the environment.
j
Aaah, I see. Ok, thank you.
d
The only exception is that you can add query parameters to the bucket URL:
// The following query parameters are supported:
//
//   - access_id: sets Options.GoogleAccessID
//   - private_key_path: path to read for Options.PrivateKey
//
// Currently their use is limited to SignedURL.
This probably sounds obscure, unfortunately.
j
Ok. Thanks.