HCP Packer adds bucket-level RBAC
You can now manage access at the bucket level in HCP Packer.
We are excited to announce that HCP Packer has released a new enhancement to its role-based access control (RBAC): bucket-level RBAC. With this new feature, organizations gain further control over their permissions management to mitigate security risks and practice the principle of least privilege.
»Access management challenges
HashiCorp Packer automates the process of building system and container images from a single source configuration. HCP Packer is a service that builds on Packer, enabling platform teams to manage and standardize the lifecycle of image artifacts across different clouds or on-premises environments.
In HCP Packer, users organize their images using buckets, which serve as a repository to store metadata for specific artifact versions. Previously, HCP Packer access roles could be defined only at the organizational or project level, which presented challenges for teams trying to strengthen security with a more-granular approach to access management.
Limited RBAC options meant admins might grant project access to individuals who didn’t fully require such permissions, resulting in a potential misalignment with their security and compliance policies. To avoid that situation, admins might have had to set up a separate project, adding further complexity to their image workflows and slowing down their development teams. Getting around this limitation called for a more tiered approach to access control in HCP Packer.
»Enabling granular access control
With the latest release, HCP Packer users can now define user access at the bucket level. With this, developers can create buckets within the same project to gain functionality like ancestry tracking and multi-level revocation without needing full project access. Admins can now assign specific permission at the bucket level for actions such as creating, updating, and deleting artifact versions and more:
| Permissions | Viewer | Contributor | Admin |
| View bucket | ✅ | ✅ | ✅ |
| Delete bucket | ❌ | ✅ | ✅ |
| Create versions | ❌ | ✅ | ✅ |
| Update versions | ❌ | ✅ | ✅ |
| Delete versions | ❌ | ✅ | ✅ |
| Manage bucket service principals | ❌ | ❌ | ✅ |
| Edit bucket permissions | ❌ | ❌ | ✅ |
| Manage group role for bucket | ❌ | ❌ | ✅ |
Table shows the capabilities of viewer, contributor, and admin roles for HCP Packer buckets
With this improvement, organizations can now ensure sensitive golden images remain protected from unauthorized modifications while giving developers the self-service capabilities they need to be agile and efficient.
»Learn more
For details on bucket-level RBAC and how to start mitigating risk with access management, check out the HCP Packer permissions documentation. To learn more about HCP Packer, visit the HCP Packer introduction page on HashiCorp Developer. And you can get started with HCP Packer for free to track and manage artifacts across all your cloud environments.
Sign up for the latest HashiCorp news
More blog posts like this one
HCP Packer now tracks CI/CD pipeline metadata
You can now see the CI/CD pipeline metadata associated with each image build in HCP Packer.
Manage your infrastructure lifecycle with new Terraform, Packer, Waypoint, and Nomad features
New Infrastructure Lifecycle Management (ILM) offerings from HashiCorp Terraform, Packer, Nomad, and Waypoint help organizations build, deploy, and manage infrastructure.
Standardize your cloud approach with Infrastructure Lifecycle Management
Build, deploy, and manage all of your infrastructure with a single workflow with Infrastructure Lifecycle Management solutions from HashiCorp.