Abbey Docs
  • 👋Welcome
  • Getting Started
    • Quickstart
    • Step-by-Step Tutorials
      • AWS: Managing Access to Identity Center Groups
      • AWS: Managing Access to Identity Center Permission Sets
      • AWS: Managing Access to IAM Groups
      • Azure AD: Managing Access to Groups
      • Confluent: Managing Access to Kafka ACLs
      • Databricks: Managing Access to Managed Tables in Unity Catalog
      • Databricks: Managing Access to Groups
      • GitHub: Managing Access to Teams
      • Google Cloud: Managing Access to Groups
      • Google Workspace: Managing Access to Google Groups
      • Kafka: Managing Access to ACLs
      • Okta: Managing Access to Groups
      • Postgres: Managing Access to Roles
      • Snowflake: Managing Access to Tables
      • Tabular: Managing Access to Apache Iceberg Roles
      • Tailscale: Managing Access to ACLs
      • Vault: Managing Access to Groups and Policies
      • Integrating Abbey with Terraform Cloud
      • Using Abbey with Atlantis
      • Using Abbey with Spacelift
    • Starter Kits
  • How Abbey Works
    • How Abbey Works
    • Key Concepts
  • Build a Grant Kit
    • Get a Starter Kit
    • Connect a Repo
    • Create a Grant Kit
    • Link Identities
    • Write Access Policies
    • Deploy Your Grant Kit
    • Request Access
    • Approve or Deny Access Requests
  • Use Cases
    • Time-Based Access
      • Expire After a Duration
      • Expire At a Specific Time
    • Approval Workflows
      • Using a Single Approval Step
      • Using Multiple Approval Steps
      • Conditionally Skip Approval Steps
  • Admin
    • User Roles
    • Sign-in and MFA
      • Sign-in Methods
      • Multifactor Authentication (MFA)
      • Enabling Single Sign-On
    • Sources
      • PagerDuty
      • Directory Sync
    • End User Notifications
    • Manage API Tokens
  • Reference
    • Grant Kits
      • Workflows
      • Policies
      • Outputs
    • Referencing Users and Groups
    • Linking Application Identities into Abbey
      • Why do I need to link application identities?
      • How do I Link Application Identities?
      • Supported Application Identity Types and Schemas
      • Application Data Object
    • Access Policies
      • Types of Access Policies
      • Policy Bundles
      • Inline Policies
      • Helper Functions
      • Policy Examples
    • Terms of Service
    • FAQ
      • Troubleshooting
  • Resources
    • Abbey Labs
    • Terraform Registry
    • GitHub
    • System Status
    • Privacy Policy
    • Logo
Powered by GitBook
On this page
  • Step 1: Add a Directory for Your Policy
  • Step 2: Configure Your Manifest and Policy
  • Step 3: Add Your Policy
  1. Use Cases
  2. Time-Based Access

Expire After a Duration

In this guide, you'll learn how you can configure a Grant Kit to automatically revoke access to a grant after some duration. You'll do this by importing and using an expiration policy Abbey provides out-of-the-box.

We will be using the Quickstart as a base and modify it to this use case.

Step 1: Add a Directory for Your Policy

In your repo, add a directory to put your policies.

/
.github/
+ policies/
+   .manifest
+   common.rego
.gitignore
.terraform.lock.hcl
LICENSE
README.md
access.tf
main.tf
outputs.tf
variables.tf

Abbey will automatically build your policies for you using the standard Open Policy Agent (OPA) CLI via opa build.

Step 2: Configure Your Manifest and Policy

First, configure your Manifest in your .manifest file. This will tell the Policy Engine where your policy file is located.

+ {"roots": ["common"]}

Next, write your policy using Abbey's expiration helper functions.

common.rego
package common

import data.abbey.functions

allow[msg] {
  functions.expire_after("24h")
  msg := "granting access for 24 hours."
}

Abbey revokes grants in realtime. When 24 hours has passed, the grant will be revoked immediately.

Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

Step 3: Add Your Policy

Now that you have your policy set up, you can add it to your Grant Kit.

main.tf
resource "abbey_grant_kit" "null_grant" {
  ...
  
+  policies = [
+    {
+      bundle = "github://example-org/example-repo/policies"
+    }
+  ]

  ...
}
PreviousTime-Based AccessNextExpire At a Specific Time

Last updated 1 year ago