Manage Roles with Reis (YAML Mode)

Custom roles can be declared as kind: role documents and applied with reis apply, so your role definitions live in version control alongside the rest of your infrastructure.

Updated 5 Jul 2026

YAML structure

kind: role
spec:
  handle: deployer
  name: Deployer
  description: Manage containers; read-only on credentials
  permissions:
    - level: project
      resource: deployables_container_http
      permission: create
    - level: project
      resource: deployables_container_http
      permission: update
    - level: project
      resource: deployables_container_http
      permission: delete
    - level: organisation
      resource: attachables_registries
      permission: read

Apply it:

reis apply -f roles.yml

How apply works

  • If a role with the given handle already exists, its name, description, and permission set are updated to match the YAML.
  • If no role with that handle exists, a new custom role is created (the handle is derived from the name on first create; set it explicitly to make the file idempotent).
  • System roles (owner, admin, member, viewer) are read-only and are skipped with a message.

The permissions block

Each entry is one grant:

Field        Values
level        organisation or project
resource     resource kind, e.g. deployables_container_http, attachables_registries, deployables_memcached, billing, user
permission   create, read, update, or delete
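
A pre-apply check built from the apply rules and the field table above, as an added example that is not part of reis or of the original page. It takes one role document already parsed into a dict (for instance with a YAML loader, which is assumed and not shown); lint_role, g, PAGE_ROLE and BAD_ROLE are hypothetical names, and BAD_ROLE is constructed input.

```python
# Added example: lint a parsed `kind: role` document before running `reis apply`.
# Allowed values are taken from the page; all names below are hypothetical.
SYSTEM_ROLES = {"owner", "admin", "member", "viewer"}  # read-only, skipped by apply
LEVELS = {"organisation", "project"}
PERMISSIONS = {"create", "read", "update", "delete"}


def lint_role(doc):
    """Return a list of findings for one role document; an empty list means clean."""
    if not isinstance(doc, dict) or doc.get("kind") != "role":
        return ["not a kind: role document"]
    spec = doc.get("spec") or {}
    findings, seen = [], set()
    handle = spec.get("handle")
    if not handle:
        findings.append("spec.handle missing: derived from name on create, file is not idempotent")
    elif handle in SYSTEM_ROLES:
        findings.append(f"handle {handle!r} is a system role: apply skips it")
    for i, entry in enumerate(spec.get("permissions") or []):
        if not isinstance(entry, dict):
            findings.append(f"permissions[{i}]: not a mapping")
            continue
        # str() keeps the key hashable even if a field holds an unexpected type.
        key = tuple(str(entry.get(f)) for f in ("level", "resource", "permission"))
        if key[0] not in LEVELS:
            findings.append(f"permissions[{i}]: invalid level {key[0]!r}")
        if not entry.get("resource"):
            findings.append(f"permissions[{i}]: resource missing")
        if key[2] not in PERMISSIONS:
            findings.append(f"permissions[{i}]: invalid permission {key[2]!r}")
        if key in seen:
            findings.append(f"permissions[{i}]: duplicate grant {key}")
        seen.add(key)
    return findings


def g(level, resource, permission):
    return {"level": level, "resource": resource, "permission": permission}


# The deployer role from the page, as it looks after YAML parsing.
PAGE_ROLE = {"kind": "role", "spec": {"handle": "deployer", "name": "Deployer", "permissions": [
    g("project", "deployables_container_http", "create"),
    g("project", "deployables_container_http", "update"),
    g("project", "deployables_container_http", "delete"),
    g("organisation", "attachables_registries", "read")]}}
# Constructed bad input: system-role handle, bad level, bad permission, duplicate.
BAD_ROLE = {"kind": "role", "spec": {"handle": "admin", "name": "Admin", "permissions": [
    g("org", "billing", "read"), g("project", "user", "write"),
    g("project", "user", "read"), g("project", "user", "read")]}}

if __name__ == "__main__":
    for label, doc in (("deployer", PAGE_ROLE), ("bad", BAD_ROLE)):
        print(label, lint_role(doc) or "ok")
```

The resource field is only checked for presence, because the page lists resource kinds as examples rather than as a closed set.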

Assigning members and sharing resources

Role assignment and resource sharing are imperative actions (they act on specific users), so they are done with the flag-mode commands rather than declared in YAML:

reis role:assign --user <user-id> --role deployer
reis share:create --user <user-id> --resource-type deployables_container_http --resource-id <container-id> --permission read

See Manage Roles and Sharing with Reis (Flag Mode).