Allow access to topics using a claim expression
This ACL policy allows the describe, describe_configs, read, and write operations on every topic whose name begins with the value of the token's topic_prefix claim.
For a complete tutorial on how to configure a Kong Identity auth server and claims, and reference the claim in the ACL policy, see Set up Kong Event Gateway with Kong Identity OAuth.
For more information on expressions in Kong Event Gateway, see the expressions reference.
curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId}/virtual-clusters/{virtualClusterId}/cluster-policies \
  --header "accept: application/json" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $KONNECT_TOKEN" \
  --data '
  {
    "name": "acl_policy",
    "type": "acls",
    "config": {
      "rules": [
        {
          "resource_type": "topic",
          "action": "allow",
          "operations": [
            {
              "name": "describe"
            },
            {
              "name": "describe_configs"
            },
            {
              "name": "read"
            },
            {
              "name": "write"
            }
          ],
          "resource_names": "[context.auth.token.claims.topic_prefix + \"*\"]"
        }
      ]
    }
  }
  '

Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- virtualClusterId: The id of the Virtual Cluster.
- eventGatewayId: The id of the Event Gateway.
- eventGatewayListenerId: The id of the Event Gateway Listener.
See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.
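To see what the claim expression above resolves to at request time, here is an added Python model. It is not Kong Event Gateway's policy engine: it models only the single expression on this page, assumes a trailing "*" means prefix matching and that a missing claim grants nothing, and the claim sets are constructed.

```python
"""Model of how the ACL rule on this page resolves a token's topic_prefix claim.
Added illustration, not Kong's engine: it covers only the expression
`[context.auth.token.claims.topic_prefix + "*"]` used above.
"""

# Operations listed in the rule above.
ALLOWED_OPERATIONS = {"describe", "describe_configs", "read", "write"}


def resource_names(claims: dict) -> list:
    """Evaluate `[claims.topic_prefix + "*"]` for one token's claims.

    Assumption of this model: a token with no topic_prefix claim produces no
    pattern and is therefore granted nothing. An empty-string prefix, however,
    is a present claim and produces "*", which matches every topic.
    """
    prefix = claims.get("topic_prefix")
    if prefix is None:
        return []
    return [prefix + "*"]


def topic_matches(pattern: str, topic: str) -> bool:
    """Trailing "*" is a prefix wildcard (assumed); anything else is an exact name."""
    if pattern.endswith("*"):
        return topic.startswith(pattern[:-1])
    return topic == pattern


def is_allowed(claims: dict, operation: str, topic: str) -> bool:
    """True if the allow rule grants `operation` on `topic` for these claims."""
    if operation not in ALLOWED_OPERATIONS:
        return False
    return any(topic_matches(p, topic) for p in resource_names(claims))


# Constructed sample claim sets (not real tokens).
TENANT_A = {"sub": "svc-a", "topic_prefix": "tenant-a."}  # delimiter included
SLOPPY_A = {"sub": "svc-a2", "topic_prefix": "tenant-a"}  # no delimiter
NO_CLAIM = {"sub": "svc-b"}
EMPTY_PREFIX = {"sub": "svc-c", "topic_prefix": ""}

if __name__ == "__main__":
    print(is_allowed(TENANT_A, "read", "tenant-a.orders"))    # True
    print(is_allowed(TENANT_A, "read", "tenant-ab.orders"))   # False
    print(is_allowed(SLOPPY_A, "read", "tenant-ab.orders"))   # True: prefix over-grants
    print(is_allowed(NO_CLAIM, "read", "tenant-a.orders"))    # False: no claim
    print(is_allowed(EMPTY_PREFIX, "read", "anything"))       # True: "" + "*" grants all
```

Because the rule builds the pattern from the claim verbatim, have the identity server issue a delimited prefix (for example `tenant-a.`) and never an empty one, since `""` + `"*"` grants every topic.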
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect-beta = {
      source = "kong/konnect-beta"
    }
  }
}

provider "konnect-beta" {
  personal_access_token = "$KONNECT_TOKEN" # replace with your Konnect Personal Access Token
  server_url            = "https://us.api.konghq.com/"
}

resource "konnect_event_gateway_cluster_policy_acls" "my_virtual_cluster_policy_acls" {
  provider = konnect-beta
  type     = "acls"
  config = {
    rules = [
      {
        resource_type = "topic"
        action        = "allow"
        operations = [
          {
            name = "describe"
          },
          {
            name = "describe_configs"
          },
          {
            name = "read"
          },
          {
            name = "write"
          }
        ]
        resource_names = "[context.auth.token.claims.topic_prefix + \"*\"]"
      }
    ]
  }
  virtual_cluster_id = konnect_event_gateway_virtual_cluster.my_virtual_cluster.id
  gateway_id         = konnect_event_gateway.my_event_gateway.id
}

The following example creates a new acls policy.
Add this snippet to an event_gateways resource in your declarative configuration file, and then manage it with kongctl:
event_gateways:
  - ref: eventGatewayName
    name: eventGatewayName
    virtual_clusters:
      - ref: virtualClusterName
        name: virtualClusterName
        cluster_policies:
          - ref: acl_policy
            type: acls
            acls:
              name: acl_policy
              config:
                rules:
                  - resource_type: topic
                    action: allow
                    operations:
                      - name: describe
                      - name: describe_configs
                      - name: read
                      - name: write
                    resource_names: '[context.auth.token.claims.topic_prefix + "*"]'

Make sure to replace the following placeholders with your own values:
- eventGatewayName: The name of your Event Gateway.
- virtualClusterName: The name of the Virtual Cluster.