Manage Roles with Reis (YAML Mode)
Custom roles can be declared as `kind: role` documents and applied with `reis apply`, so your role definitions live in version control alongside the rest of your infrastructure.
Updated 5 Jul 2026
YAML structure
```yaml
kind: role
spec:
  handle: deployer
  name: Deployer
  description: Manage containers; read-only on credentials
  permissions:
    - level: project
      resource: deployables_container_http
      permission: create
    - level: project
      resource: deployables_container_http
      permission: update
    - level: project
      resource: deployables_container_http
      permission: delete
    - level: organisation
      resource: attachables_registries
      permission: read
```
Apply it:
```
reis apply -f roles.yml
```
How apply works
- If a role with the given `handle` already exists, its name, description, and permission set are updated to match the YAML.
- If no role with that handle exists, a new custom role is created (the handle is derived from the name on first create; set it explicitly to make the file idempotent).
- System roles (`owner`, `admin`, `member`, `viewer`) are read-only and are skipped with a message.
The permissions block
Each entry is one grant:
| Field | Values |
|---|---|
| `level` | `organisation` or `project` |
| `resource` | resource kind, e.g. `deployables_container_http`, `attachables_registries`, `deployables_memcached`, `billing`, `user` |
| `permission` | `create`, `read`, `update`, or `delete` |
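A pre-apply check for role files, suited to a CI step that runs before `reis apply` (added example, not part of Reis or of the original page). It assumes the YAML has already been parsed into a dict, for example with PyYAML's `yaml.safe_load`; the names `lint_role`, `grants` and `grant_diff` are hypothetical.

```python
SYSTEM_ROLES = {"owner", "admin", "member", "viewer"}  # read-only, skipped by apply
LEVELS = {"organisation", "project"}
PERMISSIONS = {"create", "read", "update", "delete"}

def grants(doc):
    """Return the role's grants as a set of (level, resource, permission)."""
    spec = doc.get("spec") or {}
    return {(g.get("level"), g.get("resource"), g.get("permission"))
            for g in spec.get("permissions") or []}

def lint_role(doc):
    """Return a list of findings for one parsed role document."""
    if doc.get("kind") != "role":
        return ["not a kind: role document"]
    findings = []
    spec = doc.get("spec") or {}
    handle = spec.get("handle")
    if not handle:
        findings.append("no explicit handle: file is not idempotent")
    elif handle in SYSTEM_ROLES:
        findings.append(f"handle {handle!r} is a system role and will be skipped")
    entries = spec.get("permissions") or []
    for i, g in enumerate(entries):
        if g.get("level") not in LEVELS:
            findings.append(f"permissions[{i}]: invalid level {g.get('level')!r}")
        if g.get("permission") not in PERMISSIONS:
            findings.append(f"permissions[{i}]: invalid permission {g.get('permission')!r}")
        if not g.get("resource"):
            findings.append(f"permissions[{i}]: missing resource")
    if len(grants(doc)) != len(entries):
        findings.append("duplicate grant entries")
    return findings

def grant_diff(current, proposed):
    """Grants (added, removed) when apply updates a role to match the YAML."""
    return grants(proposed) - grants(current), grants(current) - grants(proposed)

# Constructed sample: the deployer role above, as a YAML parser would return it.
DEPLOYER = {"kind": "role", "spec": {
    "handle": "deployer", "name": "Deployer",
    "description": "Manage containers; read-only on credentials",
    "permissions": [
        {"level": "project", "resource": "deployables_container_http", "permission": p}
        for p in ("create", "update", "delete")
    ] + [{"level": "organisation", "resource": "attachables_registries", "permission": "read"}],
}}

if __name__ == "__main__":
    print(lint_role(DEPLOYER) or "no findings")
```

Running `grant_diff` against the version of the file on the main branch shows reviewers exactly which grants a pull request would add to or remove from an existing role.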
Assigning members and sharing resources
Role assignment and resource sharing are imperative actions (they act on specific users), so they are done with the flag-mode commands rather than declared in YAML:
```
reis role:assign --user <user-id> --role deployer
reis share:create --user <user-id> --resource-type deployables_container_http --resource-id <container-id> --permission read
```
See Manage Roles and Sharing with Reis (Flag Mode).