Access Control for Go modules hosted in Binara
Binara for Go Modules tightly integrates with Deployport IAM to provide full control over access to modules.
Team access for private modules
Section titled “Team access for private modules”To access a private Go module, you can use the following commands:
deployport binara go get <repo>:<module>@v<version>or
deployport binara go exec -- go get <private-module-path>Both commands authenticate the go get commands for the currently logged-in user in the CLI for the current profile.
Policies
Section titled “Policies”If you published the module using your deployport identity, you likely have the proper permissions to use the module as well.
If you’re not the user who published the module but want to consume it, you’ll likely need an access policy to pull the private version.
Under the hood, Binara stores Go modules in an abstract object called a “binara package”, and each binara package lives inside a repository.
Say your repository is called “myrepo” and the Go module is called “mygomodule”. Under the hood, the object hierarchy looks like this:
Directoryrepositories
Directorymyrepo
Directorypackages
- mygomodule
This allows you to control access at both repository and package levels very easily.
For example, the following policy allows an IAM identity to perform all actions in Binara for your account:
{ "name": "binara-admin", "statements": [ { "actions": [ "binara:*" // allows performing all Binara actions ], "resources": [ "binara:*", // all Binara resources ], "effect": "allow" }, ],}You can create this policy using the following command:
deployport iam identity-policy create -f binara-admin.jsonThe following policy allows a user to pull all modules inside a repository called myrepo:
{ "name": "myrepo-consumer", "statements": [ { "actions": [ "binara:*" ], "resources": [ "binara:Repository(myrepo).*", // all resources inside myrepo repository ], "effect": "allow" }, ],}Pulling private go module using Binara Universal Package Name
Section titled “Pulling private go module using Binara Universal Package Name”Assuming you have a repo called myrepo and a Go module mygomodule, the following identity policy contains the minimum permissions to perform the go get using the binara CLI:
{ "name": "mygomodule-consumer", "statements": [ { "actions": [ "binara:GetAuthorizationToken", "iam:GetServiceBearerToken" ], "resources": [ "*" ], "effect": "allow" }, { "actions": [ "binara:ListRepositories", "binara:GetRepositoryInstructions", "binara:PullPrivatePackage", "binara:GetRepositoryEndpoint" ], "resources": [ "binara:Repository(myrepo)", //repository name "binara:Repository(myrepo).Package(mygomodule)" // go module name ], "effect": "allow" }, ],}Now whichever identity you attach the policy to can perform the following command:
deployport binara go get --visibility private myrepo:mygomodule@0.1.0And your module will be added to go.mod.
You can find out what your go module path is by running:
deployport binara go version get-module-path myrepo:mygomodule@0.1.0Pulling private go module using wrapped go get
Section titled “Pulling private go module using wrapped go get”Assuming you have a repo myrepo and a Go module billing-core, the following identity policy would allow a wrapped go get call:
{ "name": "billing-core-consumer", "statements": [ { "actions": [ "binara:GetAuthorizationToken", "iam:GetServiceBearerToken" ], "resources": [ "*" ], "effect": "allow" }, { "actions": [ "binara:PullPrivatePackage" ], "resources": [ "binara:Repository(myrepo).Package(billing-core)" ], "effect": "allow" } ]}You can grab the module path for a version as follows:
deployport binara go version get-module-path myrepo:billing-core@0.1.0Would yield something like myrepo-acc95.r.us-nyc.deployport.io/go/billing-core@v0.1.0.
Then you can perform a wrapped go get:
deployport binara go exec -- go get myrepo-acc95.r.us-nyc.deployport.io/go/billing-core@v0.1.0Your module will be added to go.mod.