You can request access using the CLI or the web application. There is a notable change in the Grant lifecycle compared to our open-source framework. Previously, in Glide, approved requests would be activated immediately. However, in asynchronous working environments, this posed challenges. For instance, if you requested access for a specific timeframe and the account owner was in a different timezone, you might miss the window of access.

Common Fate introduces a separate activation step after approval by the requestor. The following is the requesting access flow:

Using the CLI

List Available Roles

You can list the available entitlements with:

cf access list available

Request Access

You can request access to entitlements with:

cf access ensure --target AWS::Account::00123456789 --role AWSAdministratorAccess

Multiple --target and --role pairs can be specified to request access to multiple entitlements at once. If one entitlement needs approval and another is auto-approved, you’ll receive two Access Requests back. For example:

cf access ensure --target AWS::Account::00123456789 --role AWSAdministratorAccess --target GCP::Project::develop-123 --role Editor

In versions >=v3.9.0 the requested target and role will be added automatically to your ~/.aws/config file. To disable this function when requesting access include the --skip-local-config-update flag

Approve Request

Approve a pending access request:

cf access approve request --id req_2bK5UuJ9po73tgGmVRFPQGCA6vE

Activate Request

Re-run cf access ensure to activate access request:

cf access ensure --target GCP::Project::develop-123 --role Editor

The CLI indicates that access will be activated now. The user presses “Y” to confirm. Based on this, here are the meanings of the different states:

  • GRANT_STATUS_UNSPECIFIED: This represents the GRPC unspecified value for the enum. It should never be returned under normal operations.
  • GRANT_STATUS_PROVISIONING: Access is currently being provisioned.
  • GRANT_STATUS_PENDING: A grant exists, but it’s not yet active. If you encounter GRANT_STATUS_PENDING after running cf access ensure, manual review is required. Our CLI prints the request URL to stderr when run with the default output settings in this case.
  • GRANT_STATUS_ACTIVE: Access grant is active. If you see this status, you currently have access.
  • GRANT_STATUS_CLOSED: This indicates a grant that is no longer active.

Close Request

Close a request that is no longer needed by:

cf access close request --id req_2bK5UuJ9po73tgGmVRFPQGCA6vE

List Requests

List all access requests in your deployment with their details:

cf access list requests

For JSON output, use the --output json flag with respective commands.

Using Slack

Request Access

Navigate to your designated slack access channel, type /access, and select the Common Fate app.

Press enter after typing /access and you will be navigated to a pop-up through which you can select the resource type.

A request access form will appear. Follow these steps:

  1. Select the target resource.
  2. Choose the appropriate role.
  3. Provide a reason for your request.
  4. A dropdown menu will appear for the access duration. Select the appropriate duration.
  5. Click “Submit” to finalize your request.

Approve Request

Click the “Approve” button to approve the request:

Activate Request

Activation of approved access requests can only be done through the webapp.

Extend Request

Click the “Extend” button to extend the request:

Extensions on the access request are only permitted if the configuration is enabled. For setup instructions, refer to Enabling Access Request Extensions.

Close Request

Click the “Close” button to close the request:

Using the webapp

Request Access

  1. Navigate to the “Request” tab in the sidebar. Search for and select the target:

  2. Select the desired role:

  3. Review and provide the access reason. Click “Request Access”:

Approve Request

Navigate to the Access tab in the sidebar, locate the request, and click Approve:

Activate Request

Navigate to the Access tab in the sidebar, locate the request, and click Activate:

If breakglass access is enabled, you can activate it by checking the confirmation box. Once confirmed, click the “Activate” button to proceed:

Extend Request

Navigate to the Access tab in the sidebar, locate the request, and click Extend:

Extensions on the access request are only permitted if the configuration is enabled. For setup instructions, refer to Enabling Access Request Extensions.

Close Request

Navigate to the Access tab in the sidebar, locate the request, and click Close:

CLI QuickstartConfig TOML reference