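// Cedar Policies for Secrets Management
// Defines authorization rules for secret access, rotation, and management
// Based on environment, workspace, domain, and secret type
//
// How Cedar combines these policies: a request is allowed only if at least
// one `permit` matches AND no `forbid` matches. A `permit ... when { X }`
// therefore GRANTS access to anyone who satisfies X; it never REQUIRES X of
// anyone, because every other permit still applies. Requirements such as
// "production access needs MFA" are written below as `forbid` guards, so they
// hold no matter which permit granted the request. A policy that errors while
// evaluating (e.g. it reads an attribute the request does not carry) is
// skipped entirely, so every guard tests optional attributes with `has`
// before reading them — otherwise a request with no mfa_verified in its
// context would slip past the guard.

// ============================================================================
// DEVELOPMENT ENVIRONMENT: Relaxed Access
// ============================================================================

// Developers can access and read secrets in any development workspace.
// The scope is the development environment, not the developer's own
// workspace; workspace isolation is deliberately relaxed here.
@id("dev-secret-access-developers")
permit (
  principal in Provisioning::Team::"developers",
  action in [Provisioning::Action::"access", Provisioning::Action::"read"],
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"development"
};

// Developers can create and update secrets in development.
// MFA is not checked here: nothing in this policy reads context.mfa_verified.
@id("dev-secret-create-developers")
permit (
  principal in Provisioning::Team::"developers",
  action in [Provisioning::Action::"create", Provisioning::Action::"update"],
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"development"
};

// Developers can rotate secrets in development
@id("dev-secret-rotate-developers")
permit (
  principal in Provisioning::Team::"developers",
  action == Provisioning::Action::"rotate",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"development"
};

// ============================================================================
// PRODUCTION ENVIRONMENT: Strict Requirements
// ============================================================================
// Grants for production come from the workspace-membership, role and domain
// permits in this file (e.g. workspace-isolation-member). The forbid policies
// in this section are guards layered on top of those grants. Previously each
// "requires MFA" rule was itself a permit with an unconstrained principal,
// which granted every MFA'd principal every production secret and did not
// constrain the other permits at all.

// Production secret access requires MFA verification.
// NOTE(review): "read" is a distinct action in this file and is not covered
// here — confirm whether it discloses secret material and needs the same guard.
@id("prod-secret-access-mfa-required")
forbid (
  principal,
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production"
} unless {
  context has mfa_verified && context.mfa_verified == true
};

// Expired production secrets are never served. A secret with no is_expired
// attribute is treated as expired (fail closed), which is what the previous
// `resource.is_expired == false` check did implicitly when the attribute was
// missing (the policy errored and granted nothing).
@id("prod-secret-access-expired-denied")
forbid (
  principal,
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production"
} unless {
  resource has is_expired && resource.is_expired == false
};

// Production list operations need no MFA but are limited to members of the
// secret's workspace. With an unconstrained principal this policy let every
// principal enumerate every production secret.
@id("prod-secret-list-authenticated")
permit (
  principal,
  action == Provisioning::Action::"list",
  resource is Provisioning::Secret
) when {
  principal in resource.workspace &&
  resource.workspace in Provisioning::Environment::"production"
};

// Workspace members can create production secrets with MFA and an approval id.
// This is the grant only; the requirement itself is the guard that follows.
@id("prod-secret-create-approval")
permit (
  principal,
  action == Provisioning::Action::"create",
  resource is Provisioning::Secret
) when {
  principal in resource.workspace &&
  context.mfa_verified == true &&
  context.approval_id != "" &&
  resource.workspace in Provisioning::Environment::"production"
};

// Guard: no production secret is created without MFA and an approval id,
// whichever permit granted the create (admin-full-access included).
@id("prod-secret-create-approval-guard")
forbid (
  principal,
  action == Provisioning::Action::"create",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production"
} unless {
  context has mfa_verified && context.mfa_verified == true &&
  context has approval_id && context.approval_id != ""
};

// Workspace members can update production secrets with MFA (grant only).
@id("prod-secret-update-mfa")
permit (
  principal,
  action == Provisioning::Action::"update",
  resource is Provisioning::Secret
) when {
  principal in resource.workspace &&
  context.mfa_verified == true &&
  resource.workspace in Provisioning::Environment::"production"
};

// Guard: no production secret is updated without MFA.
@id("prod-secret-update-mfa-guard")
forbid (
  principal,
  action == Provisioning::Action::"update",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production"
} unless {
  context has mfa_verified && context.mfa_verified == true
};

// Administrators can delete production secrets with MFA and an approval id
// (grant only).
@id("prod-secret-delete-restricted")
permit (
  principal in Provisioning::Role::"admin",
  action == Provisioning::Action::"delete",
  resource is Provisioning::Secret
) when {
  context.mfa_verified == true &&
  context.approval_id != "" &&
  resource.workspace in Provisioning::Environment::"production"
};

// Guard: production deletes are limited to administrators with MFA and an
// approval id. This also binds the broader admin permit (admin-full-access),
// which on its own allows a delete with MFA but no approval.
// NOTE(review): only Role::"admin" is exempted; security_admin (granted every
// action on critical-tagged secrets elsewhere in this file) is not — confirm.
@id("prod-secret-delete-restricted-guard")
forbid (
  principal,
  action == Provisioning::Action::"delete",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production"
} unless {
  principal in Provisioning::Role::"admin" &&
  context has mfa_verified && context.mfa_verified == true &&
  context has approval_id && context.approval_id != ""
};

// ============================================================================
// TTL CONSTRAINTS
// ============================================================================

// Prevent long-lived secrets in production: at most 7 days (168 hours).
// Covers update as well as create, otherwise a secret created with a short
// TTL could be extended past the limit afterwards.
// NOTE(review): a request whose resource carries no ttl_hours is not blocked
// here — confirm whether production secrets may exist without a TTL. This
// also assumes update requests are evaluated against the post-update
// attribute values; confirm at the integration point.
@id("prod-secret-ttl-limit")
forbid (
  principal,
  action in [Provisioning::Action::"create", Provisioning::Action::"update"],
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production" &&
  resource has ttl_hours && resource.ttl_hours > 168
};

// ============================================================================
// DOMAIN-BASED ACCESS CONTROL
// ============================================================================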
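// Database administrators can access and rotate database-domain secrets.
// Set membership is tested with contains(): Cedar's `in` is entity-hierarchy
// membership and is a type error on a string, so the former
// `resource.domain in [...]` errored on every request and never granted.
@id("database-access-dba")
permit (
  principal in Provisioning::Role::"database_admin",
  action in [Provisioning::Action::"access", Provisioning::Action::"rotate"],
  resource is Provisioning::Secret
) when {
  ["postgres", "mysql", "redis", "mongodb", "elasticsearch"].contains(resource.domain)
};

// Infrastructure team can access and rotate SSH-domain secrets
@id("ssh-access-infra")
permit (
  principal in Provisioning::Role::"infrastructure",
  action in [Provisioning::Action::"access", Provisioning::Action::"rotate"],
  resource is Provisioning::Secret
) when {
  resource.domain == "ssh"
};

// Application developers can access and rotate application-domain secrets.
// Team membership moved from the condition into the principal scope (same
// check), and contains() replaces the string `in` (see database-access-dba).
@id("app-secret-access-owner")
permit (
  principal in Provisioning::Team::"app_developers",
  action in [Provisioning::Action::"access", Provisioning::Action::"rotate"],
  resource is Provisioning::Secret
) when {
  ["web-api", "backend", "mobile-api", "integration-api"].contains(resource.domain)
};

// ============================================================================
// TAG-BASED POLICIES
// ============================================================================
// A permit alone cannot make access exclusive: every other permit (workspace
// membership, roles, admins) still matches. Each "only" / "restricted" rule
// is therefore a permit for the allowed group plus a forbid for everyone
// else; in Cedar a forbid overrides every permit. The forbids test `has tags`
// first because a resource without tags would otherwise make the policy
// error out and silently not forbid.

// Security admins may perform any action on secrets tagged "critical"
@id("critical-secrets-admin-only")
permit (
  principal in Provisioning::Role::"security_admin",
  action,
  resource is Provisioning::Secret
) when {
  resource.tags.contains("critical")
};

// ...and nobody else may, whatever other permit would have matched.
@id("critical-secrets-others-denied")
forbid (
  principal,
  action,
  resource is Provisioning::Secret
) when {
  resource has tags && resource.tags.contains("critical")
} unless {
  principal in Provisioning::Role::"security_admin"
};

// Legacy support team can access and read secrets tagged "legacy"
@id("legacy-secrets-restricted")
permit (
  principal in Provisioning::Team::"legacy_support",
  action in [Provisioning::Action::"access", Provisioning::Action::"read"],
  resource is Provisioning::Secret
) when {
  resource.tags.contains("legacy")
};

// Everyone else is denied access/read of "legacy" secrets. Security admins
// are exempted so that security-audit-access keeps its "all secrets" scope.
// NOTE(review): confirm that exemption is wanted.
@id("legacy-secrets-others-denied")
forbid (
  principal,
  action in [Provisioning::Action::"access", Provisioning::Action::"read"],
  resource is Provisioning::Secret
) when {
  resource has tags && resource.tags.contains("legacy")
} unless {
  principal in Provisioning::Team::"legacy_support" ||
  principal in Provisioning::Role::"security_admin"
};

// Deny access to "deprecated" secrets. Covers "read" as well as "access":
// the two actions are granted as a pair elsewhere in this file, so forbidding
// only "access" left "read" as a disclosure path.
@id("deprecated-secrets-deny")
forbid (
  principal,
  action in [Provisioning::Action::"access", Provisioning::Action::"read"],
  resource is Provisioning::Secret
) when {
  resource has tags && resource.tags.contains("deprecated")
};

// ============================================================================
// ROTATION POLICIES
// ============================================================================

// Auto-rotated secrets can be rotated by automation (no MFA or approval)
@id("auto-rotate-permitted")
permit (
  principal in Provisioning::Team::"automation",
  action == Provisioning::Action::"rotate",
  resource is Provisioning::Secret
) when {
  resource.auto_rotate == true
};

// Manual rotation of a production secret requires an approval id and MFA.
// Written as a guard so the role/domain rotate permits above (database_admin,
// infrastructure, app_developers) cannot bypass it. As a permit this rule let
// any principal with MFA and an approval id rotate any production secret,
// while the role permits needed neither. Auto-rotated secrets are excluded so
// auto-rotate-permitted keeps working without MFA; a secret with no
// auto_rotate attribute counts as manual.
@id("prod-rotate-approval")
forbid (
  principal,
  action == Provisioning::Action::"rotate",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production" &&
  !(resource has auto_rotate && resource.auto_rotate == true)
} unless {
  context has mfa_verified && context.mfa_verified == true &&
  context has approval_id && context.approval_id != ""
};

// ============================================================================
// WORKSPACE ISOLATION
// ============================================================================
// The API layer also filters queries by workspace; this policy is the
// defense-in-depth copy of that rule and the main grant path for reading
// secrets in any environment. Forbid policies in this file still apply on
// top of it.

// Only workspace members can access, read and list workspace secrets
@id("workspace-isolation-member")
permit (
  principal,
  action in [Provisioning::Action::"access", Provisioning::Action::"read", Provisioning::Action::"list"],
  resource is Provisioning::Secret
) when {
  principal in resource.workspace
};

// ============================================================================
// ADMIN PRIVILEGES
// ============================================================================

// System administrators can perform any secret operation in any workspace,
// given MFA. Forbid policies (tags, TTL, deprecated, ...) still override this.
// NOTE(review): this permit alone does not require an approval_id for
// create/delete; only a forbid guard can make approval mandatory for admins.
@id("admin-full-access")
permit (
  principal in Provisioning::Role::"admin",
  action,
  resource is Provisioning::Secret
) when {
  context.mfa_verified == true
};

// Security admins can access, read and list all secrets for audit and
// compliance. Unconditional permit (the former `when { true }` was a no-op).
// The original comment states these requests are logged in an audit trail;
// that logging lives outside Cedar and is not enforced by this policy.
@id("security-audit-access")
permit (
  principal in Provisioning::Role::"security_admin",
  action in [Provisioning::Action::"access", Provisioning::Action::"read", Provisioning::Action::"list"],
  resource is Provisioning::Secret
);

// ============================================================================
// TYPE-SPECIFIC RULES
// ============================================================================

// SSH key access requires MFA in production. A guard, not a grant: as a
// permit with an unconstrained principal this handed every MFA'd principal
// every production SSH key.
@id("ssh-key-mfa-prod")
forbid (
  principal,
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  resource has secret_type && resource.secret_type == "ssh" &&
  resource.workspace in Provisioning::Environment::"production"
} unless {
  context has mfa_verified && context.mfa_verified == true
};

// Provider credential access requires MFA in every environment (guard, for
// the same reason as ssh-key-mfa-prod).
@id("provider-cred-mfa")
forbid (
  principal,
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  resource has secret_type && resource.secret_type == "provider"
} unless {
  context has mfa_verified && context.mfa_verified == true
};

// Database administrators can access database-type secrets. This is a grant;
// it does not make the role a requirement — workspace members can still reach
// these secrets through workspace-isolation-member.
@id("database-cred-admin")
permit (
  principal in Provisioning::Role::"database_admin",
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  resource.secret_type == "database"
};

// Application developers can access and read application-type secrets
@id("app-secret-dev-team")
permit (
  principal in Provisioning::Team::"app_developers",
  action in [Provisioning::Action::"access", Provisioning::Action::"read"],
  resource is Provisioning::Secret
) when {
  resource.secret_type == "application"
};

// ============================================================================
// DEFAULT DENY
// ============================================================================
// Cedar denies any request that no `permit` matches, so no fallback policy is
// needed and none is written here. Do NOT add a blanket
// `forbid (principal, action, resource);` as a "fallback": a forbid overrides
// every permit and would deny all requests.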