The External Secrets Inc. Audit & Compliance product suite is a premium product. It requires a specific subscription. Contact us for more information.

Access Compliance

This policy example will check if the actor identifier is equal to “my-credentials” and the secret name contains “my-secret”. The policy will be non-compliant if the actor identifier is not equal to “my-credentials” or the secret name does not contain “my-secret”.

Policy Execution Time

This policy example should be executed on Read events.

Default Deny, Allow Case-by-Case Policy Code

package main
import rego.v1

# Default-deny: an event is non-compliant unless the allow rule below matches.
default allow := false
credentials_list := ["my-credentials", "my-other-credentials"]
secret_name := "my-secret"
allow if {
    # the actor must be one of the listed credentials ...
    input.ActorIdentifier == credentials_list[_]
    # ... and the secret name must contain "my-secret"
    contains(input.SecretName, secret_name)
}
This policy verifies that access to my-secret secrets is only performed by credentials listed in credentials_list.

Default Allow, Deny Case-by-Case Policy Code

package main
import rego.v1

# Default-allow: an event is compliant unless the deny rule below matches.
default deny := false
credentials_list := ["my-credentials", "my-other-credentials"]
secret_name := "my-secret"
deny if {
    # flag the event when a listed credential ...
    input.ActorIdentifier == credentials_list[_]
    # ... reads a secret whose name contains "my-secret"
    contains(input.SecretName, secret_name)
}
This policy verifies that access to my-secret secrets is only performed by credentials that are not listed in credentials_list.
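The following is an added example, not code from the External Secrets Inc. documentation: both policy variants above placed in one package so they can be exercised together with OPA unit tests (opa test -v policy.rego) against constructed Read events. The event field names (ActorIdentifier, SecretName) follow the page; the event values are made up. The membership check uses the rego.v1 "in" operator, which is equivalent to the credentials_list[_] form used above. The third test records the behaviour the Access Compliance description states: under the default-deny variant a listed credential reading a secret whose name does not contain "my-secret" is also non-compliant.

```rego
# Added example, not part of the original documentation.
# Both policy variants share one package here purely so that one file runs stand-alone.
package main

import rego.v1

default allow := false
default deny := false

credentials_list := ["my-credentials", "my-other-credentials"]
secret_name := "my-secret"

# Default-deny variant: allow only when a listed actor reads a my-secret secret.
allow if {
    input.ActorIdentifier in credentials_list
    contains(input.SecretName, secret_name)
}

# Default-allow variant: flag (deny) when a listed actor reads a my-secret secret.
deny if {
    input.ActorIdentifier in credentials_list
    contains(input.SecretName, secret_name)
}

# Constructed sample Read events (values are illustrative, not real identifiers).
listed_read := {"ActorIdentifier": "my-credentials", "SecretName": "prod/my-secret"}
unlisted_read := {"ActorIdentifier": "ci-runner", "SecretName": "prod/my-secret"}
other_secret_read := {"ActorIdentifier": "my-credentials", "SecretName": "prod/db-password"}

test_default_deny_allows_listed_actor if {
    allow with input as listed_read
}

test_default_deny_rejects_unlisted_actor if {
    not allow with input as unlisted_read
}

# Caveat shown by the page's description: the default-deny variant also rejects a
# listed actor reading a secret whose name does not contain "my-secret".
test_default_deny_rejects_other_secret if {
    not allow with input as other_secret_read
}

test_default_allow_denies_listed_actor if {
    deny with input as listed_read
}

test_default_allow_permits_unlisted_actor if {
    not deny with input as unlisted_read
}
```

When adapting either variant, keep the execution time in mind: the tests above model Read events only, which is the event type the policy is meant to run on; if the same rules were attached to other event kinds, the default-deny variant would report every non-Read event from an unlisted actor as non-compliant.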