decK can manage Kong Gateway Enterprise Role-Based Access Control (RBAC) configuration using the `deck gateway diff`, `deck gateway sync`, and `deck gateway dump` commands.

decK can’t manage Konnect permissions as they are set at the organization level, rather than the Control Plane level. We recommend terraform-provider-konnect for your Konnect RBAC needs.

RBAC configuration is usually stored separately from all other configuration, and decK provides the `--rbac-resources-only` flag to ensure that only RBAC resources are in scope when running commands.

RBAC roles accept a list of `actions`, a wildcard `endpoint` (for example, `/services/*`), and whether the role is `negative` or not. A negative RBAC role means that the actions listed are explicitly denied on the endpoint specified, even if allowed by a different permission.

```yaml
_format_version: "3.0"
rbac_roles:
- comment: Read access to all endpoints, across all workspaces
  endpoint_permissions:
  - actions:
    - read
    endpoint: "*"
    negative: false
    workspace: "*"
  name: read-only
- comment: Full access to all endpoints, across all workspaces
  endpoint_permissions:
  - actions:
    - read
    - delete
    - create
    - update
    endpoint: "*"
    negative: false
    workspace: "*"
  name: super-admin
```
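
The deny-overrides-allow rule described above, modelled as an added example (this is not decK or Kong Gateway code). The `service-editor` role is constructed for illustration, and the model assumes default deny and shell-style glob matching for `*`; the gateway's own matcher may differ in detail.

```python
from fnmatch import fnmatchcase

# The super-admin role from the decK file above, as a Python dict.
SUPER_ADMIN = {
    "name": "super-admin",
    "endpoint_permissions": [
        {"workspace": "*", "endpoint": "*", "negative": False,
         "actions": ["read", "delete", "create", "update"]},
    ],
}

# Constructed role (hypothetical name): may edit services in the
# "default" workspace, but deleting them is explicitly denied.
SERVICE_EDITOR = {
    "name": "service-editor",
    "endpoint_permissions": [
        {"workspace": "default", "endpoint": "/services/*", "negative": False,
         "actions": ["read", "create", "update"]},
        {"workspace": "default", "endpoint": "/services/*", "negative": True,
         "actions": ["delete"]},
    ],
}


def _matches(perm, workspace, endpoint, action):
    # Assumption: "*" behaves like a shell glob for workspace and endpoint.
    return (fnmatchcase(workspace, perm["workspace"])
            and fnmatchcase(endpoint, perm["endpoint"])
            and action in perm["actions"])


def is_allowed(roles, workspace, endpoint, action):
    """Evaluate a request against every role a user holds.

    A matching negative permission denies the request even when another
    permission (in the same role or a different one) allows it.
    With no matching permission at all, the request is denied (assumption).
    """
    allowed = False
    for role in roles:
        for perm in role["endpoint_permissions"]:
            if not _matches(perm, workspace, endpoint, action):
                continue
            if perm["negative"]:
                return False  # explicit deny wins immediately
            allowed = True
    return allowed
```

A user holding both roles can still update services in `default`, but the negative permission blocks `delete` there despite `super-admin` allowing it everywhere.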