Deploy Your Grant Kit


Last updated 1 year ago

Once you have a Grant Kit configured and a repo connected, you can deploy your Grant Kit. You would typically do this through your CI.

If you created a Grant Kit using one of the official Starter Kits, you'll already have GitHub Actions configured for you. You can use these or provide your own. These workflows use Terraform state hosted by Abbey, but it's recommended that you point your state backend to your own, which reduces the security risk of keeping state outside your infrastructure.

Deploy Your Grant Kit

You'll want to commit your grant kit changes to your default branch in GitHub. For most users, that will be the main branch.

To deploy, push to your default branch:

git push origin main

The deploy registers your resources with Abbey and effectively says "Hey Abbey, from this point forward, please manage permissions for these resources for me."

(Optional) Deploy without using CI

You can optionally deploy from your local machine without going through CI. To do this, you'll need to have Terraform installed. Once installed, you'll need to:

Initialize your Terraform configuration:

cd $PATH_TO_YOUR_CLONED_REPO
terraform init

(Optional) Plan your Terraform configuration:

You can optionally run terraform plan to get a sense of what changes would be made.

terraform plan -var-file=dev.tfvars

Before you deploy, make sure you push any changes to your repository. That way, Abbey has the latest changes when generating your Terraform output.

Deploy your Terraform configuration:

ABBEY_TOKEN=<your API token> TF_HTTP_USERNAME=<http backend username> TF_HTTP_PASSWORD=<abbey token> terraform apply -var-file=dev.tfvars

To use the same state backend as your CI/CD, your TF_HTTP_USERNAME can be found in your .github/workflows/abbey-grant-kit-materialize.yaml file. Your TF_HTTP_PASSWORD will be the same value as your ABBEY_TOKEN.
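
A wrapper for the local deploy steps above, as an added example that is not part of Abbey's documentation or starter kits: it refuses to apply while work is unpushed and prompts for the API token instead of taking it on the command line, where it would be saved to shell history. The function names are hypothetical, and the HTTP backend username is passed as an argument.

```shell
#!/bin/sh
# Added example (not Abbey's tooling): local deploy wrapper for the steps above.
# Usage: ./abbey-apply.sh <http backend username> [var file]

# unpushed_work: prints the reason and returns 1 if the checkout differs from its upstream.
unpushed_work() {
  if [ -n "$(git status --porcelain)" ]; then
    echo "uncommitted changes"; return 1
  fi
  ahead=$(git rev-list --count '@{upstream}..HEAD' 2>/dev/null) || {
    echo "no upstream branch to compare against"; return 1; }
  if [ "$ahead" -ne 0 ]; then
    echo "$ahead commit(s) not pushed"; return 1
  fi
}

# read_secret PROMPT: reads one line with terminal echo off; prints it on stdout.
read_secret() {
  printf '%s' "$1" >&2
  if [ -t 0 ]; then stty -echo; fi
  IFS= read -r secret || secret=
  if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
  printf '%s' "$secret"
}

# abbey_apply HTTP_USERNAME [VAR_FILE]: pre-flight check, prompt, then apply.
abbey_apply() {
  reason=$(unpushed_work) || { echo "refusing to deploy: $reason" >&2; return 1; }
  token=$(read_secret "Abbey API token: ")
  [ -n "$token" ] || { echo "empty token" >&2; return 1; }
  rc=0
  # The variables are set for this one command only, not exported to the session.
  ABBEY_TOKEN=$token TF_HTTP_USERNAME=$1 TF_HTTP_PASSWORD=$token \
    terraform apply -var-file="${2:-dev.tfvars}" || rc=$?
  unset token
  return "$rc"
}

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then abbey_apply "$@"; fi
```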

At this point, you should see your deployed grant kit under app.abbey.io/resources. If it's not showing up, it likely has a configuration issue causing the deployment to fail.

Go to your CI (or wherever you deploy Terraform) to check for any failed runs during the Terraform plan or apply steps.

If you're following the quickstart, this will be in your GitHub repo under the Actions tab, i.e. https://github.com/{username|org-name}/{repo-name}/actions. Find the action run that corresponds to the commit where you added the grant kit and see if it ran successfully. If it failed, open the run to see the failure exception.

A common deployment failure for grant kits is a misconfigured location field in the output block or bundle field in the policies block:

  • Double check that it starts with github://

  • Double check that the repository and username or org name are correct

  • Double check for any extra : or /'s
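
The checklist above can be run mechanically before pushing. This added example (not Abbey's own tooling) scans Terraform files for location and bundle values and reports the mistakes listed; it assumes values have the shape github://<owner>/<repo>/<path> and uses a simple line-based match rather than an HCL parser.

```shell
#!/bin/sh
# Added example (not Abbey's code): lint `location` / `bundle` values in .tf files.
# Assumption: values have the shape github://<owner>/<repo>/<path>.
# Usage: ./lint-grant-kit.sh main.tf [more.tf ...]

# check_github_uri VALUE: returns 0 if well formed, else prints the problem and returns 1.
check_github_uri() {
  case $1 in
    github://*) rest=${1#github://} ;;
    *) echo "does not start with github://"; return 1 ;;
  esac
  case $rest in
    *:*) echo "extra ':' after the scheme"; return 1 ;;
    /*|*//*|*/) echo "extra '/' (empty path segment)"; return 1 ;;
    */*/*) return 0 ;;
    *) echo "expected <owner>/<repo>/<path> after github://"; return 1 ;;
  esac
}

# lint_grant_kit FILE...: prints one line per bad value; returns 1 if any were found.
lint_grant_kit() {
  report=$(
    for file in "$@"; do
      # grep -n yields "N:line"; sed reduces it to "N|key|value".
      grep -nE '(location|bundle)[[:space:]]*=[[:space:]]*"[^"]*"' "$file" |
        sed -E 's/^([0-9]+):.*(location|bundle)[[:space:]]*=[[:space:]]*"([^"]*)".*/\1|\2|\3/' |
        while IFS='|' read -r lineno key value; do
          problem=$(check_github_uri "$value") ||
            echo "$file:$lineno: $key = \"$value\": $problem"
        done
    done
  )
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
}

# Run only when files are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then lint_grant_kit "$@"; fi
```

The owner and repository names still need a manual comparison against the connected repo; the script only checks the shape of the value.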
