
Provider

A provider configuration is required when we want to register a provider instance to Guardian.

YAML representation

```yaml
id: "fcbfd47a-7dc4-4d3a-aff1-97ea7b205ac4"
type: "bigquery"
urn: "test-bq-urn"
config:
  type: "bigquery"
  urn: "test-bq-urn"
  appeal:
    allow_permanent_access: false
    allow_active_access_extension_in: 24h
  resources:
    - type: "dataset"
      filter: $resource.name == 'playground'
      policy:
        id: "my-policy"
        version: 1
      # roles is a list of Role objects
      roles:
        - id: "viewer"
          name: "Viewer"
          permissions:
            - "READER"
  allowed_account_types:
    - user
created_at: "2021-10-26T09:29:48.838203Z"
updated_at: "2022-10-26T07:41:52.676004Z"
```

Provider

| Field | Type | Description |
| --- | --- | --- |
| `id` | string | Provider unique identifier |
| `type` | string | Provider type |
| `urn` | string | Unique provider URN |
| `config` | object(ProviderConfig) | Provider configuration |
| `created_at` | string | Timestamp when the provider was created |
| `updated_at` | string | Timestamp when the provider was last modified |

ProviderConfig

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `type` | string | Name of the resource provider. Possible values: BigQuery: `bigquery`; Google Cloud Storage: `gcs`; Tableau: `tableau`; Grafana: `grafana`; Metabase: `metabase`; Google Cloud IAM: `gcloud_iam`; No-Op: `noop` | Yes |
| `urn` | string | Provider instance identifier | Yes |
| `allowed_account_types` | [string] | Optional. List of allowed account types. Each provider can have different account types, but the `user` account type applies to every provider type. | No |
| `credentials` | object | Credentials required to set up the connection and access the provider. Possible values: BigQuery: object(BigQuery); Google Cloud Storage: object(GCS); Metabase: object(Metabase); Tableau: object(Tableau); Grafana: object(Grafana); Google Cloud IAM: object(GCloudIAM); No-Op: Nil | Yes |
| `appeal` | object(AppealConfig) | Details of the tenure for which access to a resource is granted. Has two fields: `allow_permanent_access`, for permanent access, and `allow_active_access_extension_in`, the time before which the user can appeal for an extension. | Yes |
| `resources` | [object(ResourceConfig)] | Configuration for each resource. The fields `type` and `policy` store the type of resource and the policy associated with it. `roles` contains the roles (say Viewer, Editor, Writer) that the resource supports. | Yes |
| `parameters` | object(ProviderParameter) | Optional. Parameters for the provider. | No |

AppealConfig

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `allow_permanent_access` | boolean | Set this to `true` to allow users to have permanent access to the resources. Default: `false` | No |
| `allow_active_access_extension_in` | string | Duration before the access expiration date during which the user is allowed to create an appeal for the same resource (extend their current access). | No |

ResourceConfig

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `type` | string | Possible values for the resource type: BigQuery: string(BigQuery); Google Cloud Storage: string(GCS); Metabase: string(Metabase); Grafana: string(Grafana); Tableau: string(Tableau); Google Cloud IAM: string(GCloudIAM); No-Op: string(No-Op) | Yes |
| `filter` | string | Filter condition that selects the specific set of resources matching it. Example: `filter: $name endsWith transaction` | No |
| `policy` | object(id: string, version: int) | Approval policy to apply to this resource config. Example: `id: approval_policy_x, version: 1` | Yes |
| `roles` | []object(Role) | List of resource permission mappings | Yes |

Role

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `id` | string | Role identifier | Yes |
| `name` | string | Display name for role | |
| `permissions` | []object or string | Set of permissions that will be granted to the requested resource. Possible values for resource permissions: BigQuery: object(BigQuery); Google Cloud Storage: object(GCS); Metabase: object(Metabase); Grafana: object(Grafana); Tableau: object(Tableau); Google Cloud IAM: object(GCloudIAM); No-Op: Nil | Yes |

ProviderParameter

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `key` | string | Unique identifier for the parameter | Yes |
| `label` | string | Label used to display the parameter in the UI | Yes |
| `required` | boolean | Indicates whether the parameter is required | Yes |
| `description` | string | Description of the parameter | No |
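
The following Python check is an added example, not part of Guardian or its documentation: it lints one parsed ProviderConfig (a dict, for instance loaded from the YAML above) against the required fields and provider types in the tables, and warns when `allow_permanent_access` is enabled. The function name, the sample input and the reading of a missing `filter` as "every resource of that type is in scope" are assumptions.

```python
PROVIDER_TYPES = {"bigquery", "gcs", "tableau", "grafana", "metabase", "gcloud_iam", "noop"}

def lint_provider_config(cfg):
    """Return (severity, message) findings; 'error' = violates the field tables."""
    out = []
    ptype = cfg.get("type")
    if ptype not in PROVIDER_TYPES:
        out.append(("error", f"type {ptype!r} is not a documented provider type"))
    if not cfg.get("urn"):
        out.append(("error", "urn is required"))
    if ptype != "noop" and not cfg.get("credentials"):  # No-Op is documented as Nil
        out.append(("error", "credentials is required"))
    appeal = cfg.get("appeal")
    if not isinstance(appeal, dict):
        out.append(("error", "appeal is required"))
    elif appeal.get("allow_permanent_access", False):  # documented default: false
        out.append(("warn", "allow_permanent_access is true: access need not expire"))
    resources = cfg.get("resources")
    if not isinstance(resources, list) or not resources:
        out.append(("error", "resources is required"))
        resources = []
    for i, res in enumerate(resources):
        at = f"resources[{i}]"
        if not res.get("type"):
            out.append(("error", f"{at}.type is required"))
        policy = res.get("policy") or {}
        if not policy.get("id") or not isinstance(policy.get("version"), int):
            out.append(("error", f"{at}.policy needs id and integer version"))
        if not res.get("filter"):
            # Assumption: no filter means every resource of this type is in scope.
            out.append(("warn", f"{at} has no filter"))
        roles = res.get("roles")
        if not isinstance(roles, list) or not roles:
            out.append(("error", f"{at}.roles must be a non-empty list"))
            continue
        for role in roles:
            if not role.get("id"):
                out.append(("error", f"{at}: role without id"))
            if not role.get("permissions"):
                out.append(("error", f"{at}: role {role.get('id')!r} has no permissions"))
    return out

# Constructed sample input (placeholder credentials, not a real secret).
SAMPLE = {
    "type": "bigquery", "urn": "test-bq-urn", "credentials": {"placeholder": "constructed"},
    "appeal": {"allow_permanent_access": True, "allow_active_access_extension_in": "24h"},
    "resources": [{"type": "dataset", "policy": {"id": "my-policy", "version": 1},
                   "roles": [{"id": "viewer", "name": "Viewer", "permissions": ["READER"]}]}],
}
```

Calling `lint_provider_config(SAMPLE)` yields two warnings, one for permanent access and one for the unfiltered `dataset` resource; errors indicate a config that does not match the field tables.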