CircleCI Field Guide

Restricting Credential Access by Project

Restrict Project Access

CircleCI contexts can be reserved for specific projects, and Config Policy Management (CPM) can enforce that reservation: the policy checks the ID of the project whose config is being evaluated (`data.meta.project_id`) against an allow-list, and for those in-scope projects rejects any job that references a context outside the allowed set.

CircleCI Policy Playground showing resulting violation.
CircleCI Policy Playground showing passing condition for valid access.

Sample CircleCI Configuration

version: 2.1

orbs:
  python: circleci/python@2.1.1

workflows:
  main:
    jobs:
      - python/test
      - deploy:
          name: Deploy
          requires: [ python/test ]
          context: [ no-my-context ] # Not in the policy's allowed set for this project, so CPM reports a violation
#
# Jobs included for valid config, replace with your own.
#

jobs:
  deploy:
    executor: python/default
    steps:
      - run: echo "Hello Governance!"

Sample CircleCI Policy in Rego

Apply the policy with the CircleCI CLI, replacing << ORGANIZATION_UUID >> with your organization ID:
circleci policy push ./directory --owner-id << ORGANIZATION_UUID >>

You can visit the Policy Playground to test policy changes against a config before pushing them.
package org

import future.keywords

# Each file is a single policy
policy_name["project_context_protection"]

# Contexts this project is allowed to reference
valid_context_names := {"my-context", "this-context"}

# UUID of the project to apply the rule to
in_scope_projects := {"788dd296-2fca-4718-82f8-07db1637a58e"}


# May activate 1 to many rules
enable_rule["use_project_context_only"] {
  in_scope_projects[data.meta.project_id] # apply this rule only when the evaluated project's ID is in scope (other projects are ignored)
}

# Rules default to SOFT_FAIL/WARNING, but can be a hard_fail/BLOCK
hard_fail["use_project_context_only"]

# Custom rule: a Rego rule that iterates every job in every workflow of the config
# and flags any referenced context that is not in valid_context_names.
use_project_context_only[reason] {
  some wfName, workflow in input.workflows
  some job in workflow.jobs
  # jobs referenced by a bare string (e.g. `- python/test`) carry no context and are skipped
  some jobName, jobInfo in job
  some context in to_array(jobInfo.context)

  # Enforce a single context name
  # not regex.match("this-projects-context-name",context)
  # OR
  # Enforce list of contexts allowed
  not context_is_only_mine(context)

  # display this failure reason to user.
  reason := sprintf("You may not use ANOTHER PROJECT'S context: %s. Offending workflow.job: `%s.%s`",[context, wfName, job_name(jobName, jobInfo)])
}

# Helper functions

# Convert value to an array if it isn't one (`context` may be a string or a list)
to_array(value) := [value] if { not is_array(value) } else := value


# Use `name` if provided, otherwise use key name
job_name(jobName, jobInfo) := jobInfo.name if { jobInfo.name } else := jobName

# true if the context is one of the contexts allowed for this project
context_is_only_mine(context) := true {
  context in valid_context_names
} else := false
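Before pushing a policy that hard-fails builds, it is worth pinning its behaviour down with Rego unit tests. The tests below are an added example written for this guide, not part of the original page or CircleCI's own policy bundle. They live in a separate file in the same `org` package (for example `project_context_protection_test.rego` next to the policy) and can be run with `opa test ./directory`. The config objects and the second project UUID (`00000000-...`) are constructed test data; the `_cfg` helper is hypothetical and exists only to build those inputs.

```rego
package org

import future.keywords

# Constructed input for the tests: mirrors the sample config above, with the
# context of the Deploy job swapped per test case. (Test data, not a real project.)
_cfg(ctx) := {"workflows": {"main": {"jobs": [
  "python/test",
  {"deploy": {"name": "Deploy", "requires": ["python/test"], "context": ctx}}
]}}}

# Hypothetical project metadata used only by these tests
_in_scope := {"project_id": "788dd296-2fca-4718-82f8-07db1637a58e"}
_other := {"project_id": "00000000-0000-0000-0000-000000000000"}

# A context outside valid_context_names yields exactly one reason that names
# both the offending context and the workflow.job (using the job's `name`).
test_foreign_context_is_flagged if {
  cfg := _cfg(["no-my-context"])
  reasons := use_project_context_only with input as cfg
  count(reasons) == 1
  some r in reasons
  contains(r, "no-my-context")
  contains(r, "main.Deploy")
}

# Allowed contexts pass, whether given as a list or as a bare string
# (to_array normalises both forms).
test_allowed_context_passes if {
  list_cfg := _cfg(["my-context", "this-context"])
  count(use_project_context_only) == 0 with input as list_cfg
  string_cfg := _cfg("this-context")
  count(use_project_context_only) == 0 with input as string_cfg
}

# One bad entry in a mixed list is enough to fail the job
test_mixed_list_is_flagged if {
  cfg := _cfg(["my-context", "no-my-context"])
  count(use_project_context_only) == 1 with input as cfg
}

# Jobs that reference no context at all are ignored by the rule
test_no_context_passes if {
  cfg := {"workflows": {"main": {"jobs": ["python/test", {"deploy": {"name": "Deploy"}}]}}}
  count(use_project_context_only) == 0 with input as cfg
}

# The rule is enabled only for the in-scope project, and is a hard fail there
test_rule_scoped_to_project if {
  enable_rule["use_project_context_only"] with data.meta as _in_scope
  not enable_rule["use_project_context_only"] with data.meta as _other
  hard_fail["use_project_context_only"]
}
```

Two points the last test makes explicit: the rule only fires for projects listed in `in_scope_projects`, and it constrains those projects to their own contexts. It does not, on its own, stop a project outside that list from referencing `my-context`; protecting the context in the other direction needs a second rule that denies `my-context` for projects not in scope, in addition to restricting the context to the project in CircleCI's context settings.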