Hello all, I am facing an issue here and can't seem to find why. I am using version 0.23.1 This policy works :

---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "candidate:object"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - admin_africa
      condition:
        match:
          expr: request.resource.attr.continents == "africa"

But if I replace the last line with

expr: "africa" in request.resource.attr.continents

then I have the error {"log.level":"warn","@timestamp":"2022-12-16T16:55:20.233Z","log.logger":"cerbos.dir.watch","message":"Failed to read policy from file","dir":"/policies","file":"resource_candidate.yaml","error":"failed to convert YAML to JSON: yaml: line 14: did not find expected key"} Does anybody know why I can't use the "in" keyword here ?

Hey this is a YAML escaping edge case - a line can’t begin with

"

the following will work though:

---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  importDerivedRoles:
    - common_roles
  resource: "candidate:object"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - admin_africa
      condition:
        match:
          expr: >
            "africa" in request.resource.attr.continents

aah perfect thank you ! 🙏

You aren’t the first to run into this - we are planning to get some linting around it soon