Expire After a Duration

In this guide, you'll learn how you can configure a Grant Kit to automatically revoke access to a grant after some duration. You'll do this by importing and using an expiration policy Abbey provides out-of-the-box.

We will be using the Quickstart as a base and modify it to this use case.

Step 1: Add a Directory for Your Policy

In your repo, add a directory to put your policies.

+ policies/
+   .manifest
+   common.rego

Abbey will automatically build your policies for you using the standard Open Policy Agent (OPA) CLI via opa build.

Step 2: Configure Your Manifest and Policy

First, configure your Manifest in your .manifest file. This will tell the Policy Engine where your policy file is located.

+ {"roots": ["common"]}

Next, write your policy using Abbey's expiration helper functions.

package common

import data.abbey.functions

allow[msg] {
  msg := "granting access for 24 hours."

Abbey revokes grants in realtime. When 24 hours has passed, the grant will be revoked immediately.

Valid time units are "ns", "us" (or "ยตs"), "ms", "s", "m", "h".

Step 3: Add Your Policy

Now that you have your policy set up, you can add it to your Grant Kit.

resource "abbey_grant_kit" "null_grant" {
+  policies = [
+    {
+      bundle = "github://example-org/example-repo/policies"
+    }
+  ]


Last updated