Barbican Sample Policy

The following is a sample Barbican policy file that has been auto-generated from default policy values in code. If you’re using the default policies, then the maintenance of this file is not necessary, and it should not be copied into a deployment. Doing so will result in duplicate policy definitions. It is here to help explain which policy operations protect specific Barbican APIs, but it is not suggested to copy and paste into a deployment unless you’re planning on providing a different policy for an operation that is not the default.

The sample policy file can also be viewed in file form.

#"system_reader": "role:reader and system_scope:all"

#"system_admin": "role:admin and system_scope:all"

#"secret_project_match": "project_id:%(target.secret.project_id)s"

#"secret_project_reader": "role:reader and rule:secret_project_match"

#"secret_project_member": "role:member and rule:secret_project_match"

#"secret_project_admin": "role:admin and rule:secret_project_match"

#"secret_owner": "user_id:%(target.secret.creator_id)s"

#"secret_is_not_private": "True:%(target.secret.read_project_access)s"

#"secret_acl_read": "'read':%(target.secret.read)s"

#"container_project_match": "project_id:%(target.container.project_id)s"

#"container_project_member": "role:member and rule:container_project_match"

#"container_project_admin": "role:admin and rule:container_project_match"

#"container_owner": "user_id:%(target.container.creator_id)s"

#"container_is_not_private": "True:%(target.container.read_project_access)s"

#"container_acl_read": "'read':%(target.container.read)s"

#"order_project_match": "project_id:%(target.order.project_id)s"

#"order_project_member": "role:member and rule:order_project_match"

#"audit": "role:audit"

#"observer": "role:observer"

#"creator": "role:creator"

#"admin": "role:admin"

#"service_admin": "role:key-manager:service-admin"

#"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"

#"all_but_audit": "rule:admin or rule:observer or rule:creator"

#"admin_or_creator": "rule:admin or rule:creator"

#"secret_creator_user": "user_id:%(target.secret.creator_id)s"

#"secret_private_read": "'False':%(target.secret.read_project_access)s"

#"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read"

#"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"

#"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user"

#"secret_project_creator_role": "rule:creator and rule:secret_project_match"

#"container_private_read": "'False':%(target.container.read_project_access)s"

#"container_creator_user": "user_id:%(target.container.creator_id)s"

#"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read"

#"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user"

#"container_project_creator_role": "rule:creator and rule:container_project_match"

# Retrieve the ACL settings for a given secret.If no ACL is defined
# for that secret, then Default ACL is returned.
# GET  /v1/secrets/{secret-id}/acl
# Intended scope(s): project
#"secret_acls:get": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_acls:get":"rule:all_but_audit and rule:secret_project_match"
# has been deprecated since W in favor of
# "secret_acls:get":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete the ACL settings for a given secret.
# DELETE  /v1/secrets/{secret-id}/acl
# Intended scope(s): project
#"secret_acls:delete": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_acls:delete":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# rule:secret_non_private_read)" has been deprecated since W in favor
# of "secret_acls:delete":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Create new, replaces, or updates existing ACL for a given secret.
# PUT  /v1/secrets/{secret-id}/acl
# PATCH  /v1/secrets/{secret-id}/acl
# Intended scope(s): project
#"secret_acls:put_patch": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_acls:put_patch":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# rule:secret_non_private_read)" has been deprecated since W in favor
# of "secret_acls:put_patch":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Retrieve the ACL settings for a given container.
# GET  /v1/containers/{container-id}/acl
# Intended scope(s): project
#"container_acls:get": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container_acls:get":"rule:all_but_audit and
# rule:container_project_match" has been deprecated since W in favor
# of "container_acls:get":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete ACL for a given container. No content is returned in the case
# of successful deletion.
# DELETE  /v1/containers/{container-id}/acl
# Intended scope(s): project
#"container_acls:delete": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container_acls:delete":"rule:container_project_admin or
# rule:container_project_creator or
# (rule:container_project_creator_role and
# rule:container_non_private_read)" has been deprecated since W in
# favor of "container_acls:delete":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Create new or replaces existing ACL for a given container.
# PUT  /v1/containers/{container-id}/acl
# PATCH  /v1/containers/{container-id}/acl
# Intended scope(s): project
#"container_acls:put_patch": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container_acls:put_patch":"rule:container_project_admin or
# rule:container_project_creator or
# (rule:container_project_creator_role and
# rule:container_non_private_read)" has been deprecated since W in
# favor of "container_acls:put_patch":"True:%(enforce_new_defaults)s
# and (rule:container_project_admin or (rule:container_project_member
# and rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# DEPRECATED: show information for a specific consumer
# GET  /v1/containers/{container-id}/consumers/{consumer-id}
# Intended scope(s): project, system
#"consumer:get": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)"

# DEPRECATED
# "consumer:get":"rule:admin or rule:observer or rule:creator or
# rule:audit or rule:container_non_private_read or
# rule:container_project_creator or rule:container_project_admin or
# rule:container_acl_read" has been deprecated since W in favor of
# "consumer:get":"True:%(enforce_new_defaults)s and (rule:system_admin
# or rule:container_project_admin or (rule:container_project_member
# and rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private) or rule:container_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# List a containers consumers.
# GET  /v1/containers/{container-id}/consumers
# Intended scope(s): project, system
#"container_consumers:get": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)"

# DEPRECATED
# "container_consumers:get":"rule:container_non_private_read or
# rule:container_project_creator or rule:container_project_admin or
# rule:container_acl_read" has been deprecated since W in favor of
# "container_consumers:get":"True:%(enforce_new_defaults)s and
# (rule:system_admin or rule:container_project_admin or
# (rule:container_project_member and rule:container_owner) or
# (rule:container_project_member and  rule:container_is_not_private)
# or rule:container_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates a consumer.
# POST  /v1/containers/{container-id}/consumers
# Intended scope(s): project, system
#"container_consumers:post": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)"

# DEPRECATED
# "container_consumers:post":"rule:container_non_private_read or
# rule:container_project_creator or rule:container_project_admin or
# rule:container_acl_read " has been deprecated since W in favor of
# "container_consumers:post":"True:%(enforce_new_defaults)s and
# (rule:system_admin or rule:container_project_admin or
# (rule:container_project_member and rule:container_owner) or
# (rule:container_project_member and  rule:container_is_not_private)
# or rule:container_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Deletes a consumer.
# DELETE  /v1/containers/{container-id}/consumers
# Intended scope(s): project, system
#"container_consumers:delete": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)"

# DEPRECATED
# "container_consumers:delete":"rule:container_non_private_read or
# rule:container_project_creator or rule:container_project_admin or
# rule:container_acl_read " has been deprecated since W in favor of
# "container_consumers:delete":"True:%(enforce_new_defaults)s and
# (rule:system_admin or rule:container_project_admin or
# (rule:container_project_member and rule:container_owner) or
# (rule:container_project_member and  rule:container_is_not_private)
# or rule:container_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# List consumers for a secret.
# GET  /v1/secrets/{secret-id}/consumers
# Intended scope(s): project, system
#"secret_consumers:get": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret_consumers:get":"rule:secret_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret_consumers:get":"True:%(enforce_new_defaults)s and
# (rule:system_admin or rule:secret_project_admin or
# (rule:secret_project_member and rule:secret_owner) or
# (rule:secret_project_member and rule:secret_is_not_private) or
# rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates a consumer.
# POST  /v1/secrets/{secrets-id}/consumers
# Intended scope(s): project, system
#"secret_consumers:post": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret_consumers:post":"rule:secret_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret_consumers:post":"True:%(enforce_new_defaults)s and
# (rule:system_admin or rule:secret_project_admin or
# (rule:secret_project_member and rule:secret_owner) or
# (rule:secret_project_member and rule:secret_is_not_private) or
# rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Deletes a consumer.
# DELETE  /v1/secrets/{secrets-id}/consumers
# Intended scope(s): project, system
#"secret_consumers:delete": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret_consumers:delete":"rule:secret_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret_consumers:delete":"True:%(enforce_new_defaults)s and
# (rule:system_admin or rule:secret_project_admin or
# (rule:secret_project_member and rule:secret_owner) or
# (rule:secret_project_member and rule:secret_is_not_private) or
# rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates a container.
# POST  /v1/containers
# Intended scope(s): project
#"containers:post": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "containers:post":"rule:admin_or_creator" has been deprecated since
# W in favor of "containers:post":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Lists a projects containers.
# GET  /v1/containers
# Intended scope(s): project
#"containers:get": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "containers:get":"rule:all_but_audit" has been deprecated since W in
# favor of "containers:get":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Retrieves a single container.
# GET  /v1/containers/{container-id}
# Intended scope(s): project
#"container:get": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)"

# DEPRECATED
# "container:get":"rule:container_non_private_read or
# rule:container_project_creator or rule:container_project_admin or
# rule:container_acl_read" has been deprecated since W in favor of
# "container:get":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private) or rule:container_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Deletes a container.
# DELETE  /v1/containers/{uuid}
# Intended scope(s): project
#"container:delete": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container:delete":"rule:container_project_admin or
# rule:container_project_creator" has been deprecated since W in favor
# of "container:delete":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Add a secret to an existing container.
# POST  /v1/containers/{container-id}/secrets
# Intended scope(s): project
#"container_secret:post": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container_secret:post":"rule:container_project_admin or
# rule:container_project_creator or
# rule:container_project_creator_role and
# rule:container_non_private_read" has been deprecated since W in
# favor of "container_secret:post":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Remove a secret from a container.
# DELETE  /v1/containers/{container-id}/secrets/{secret-id}
# Intended scope(s): project
#"container_secret:delete": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container_secret:delete":"rule:container_project_admin or
# rule:container_project_creator or
# rule:container_project_creator_role and
# rule:container_non_private_read" has been deprecated since W in
# favor of "container_secret:delete":"True:%(enforce_new_defaults)s
# and (rule:container_project_admin or (rule:container_project_member
# and rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Gets list of all orders associated with a project.
# GET  /v1/orders
# Intended scope(s): project
#"orders:get": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "orders:get":"rule:all_but_audit" has been deprecated since W in
# favor of "orders:get":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates an order.
# POST  /v1/orders
# Intended scope(s): project
#"orders:post": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "orders:post":"rule:admin_or_creator" has been deprecated since W in
# favor of "orders:post":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Unsupported method for the orders API.
# PUT  /v1/orders
# Intended scope(s): project
#"orders:put": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "orders:put":"rule:admin_or_creator" has been deprecated since W in
# favor of "orders:put":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Retrieves an orders metadata.
# GET  /v1/orders/{order-id}
# Intended scope(s): project
#"order:get": "True:%(enforce_new_defaults)s and rule:order_project_member"

# DEPRECATED
# "order:get":"rule:all_users and
# project_id:%(target.order.project_id)s" has been deprecated since W
# in favor of "order:get":"True:%(enforce_new_defaults)s and
# rule:order_project_member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Deletes an order.
# DELETE  /v1/orders/{order-id}
# Intended scope(s): project
#"order:delete": "True:%(enforce_new_defaults)s and rule:order_project_member"

# DEPRECATED
# "order:delete":"rule:admin and
# project_id:%(target.order.project_id)s" has been deprecated since W
# in favor of "order:delete":"True:%(enforce_new_defaults)s and
# rule:order_project_member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# List quotas for the project the user belongs to.
# GET  /v1/quotas
# Intended scope(s): project
#"quotas:get": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "quotas:get":"rule:all_users" has been deprecated since W in favor
# of "quotas:get":"True:%(enforce_new_defaults)s and role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# List quotas for the specified project.
# GET  /v1/project-quotas
# GET  /v1/project-quotas/{uuid}
# Intended scope(s): system
#"project_quotas:get": "True:%(enforce_new_defaults)s and rule:system_reader"

# DEPRECATED
# "project_quotas:get":"rule:service_admin" has been deprecated since
# W in favor of "project_quotas:get":"True:%(enforce_new_defaults)s
# and rule:system_reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Create or update the configured project quotas for the project with
# the specified UUID.
# PUT  /v1/project-quotas/{uuid}
# Intended scope(s): system
#"project_quotas:put": "True:%(enforce_new_defaults)s and rule:system_admin"

# DEPRECATED
# "project_quotas:put":"rule:service_admin" has been deprecated since
# W in favor of "project_quotas:put":"True:%(enforce_new_defaults)s
# and rule:system_admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete the project quotas configuration for the project with the
# requested UUID.
# DELETE  /v1/quotas}
# Intended scope(s): system
#"project_quotas:delete": "True:%(enforce_new_defaults)s and rule:system_admin"

# DEPRECATED
# "project_quotas:delete":"rule:service_admin" has been deprecated
# since W in favor of
# "project_quotas:delete":"True:%(enforce_new_defaults)s and
# rule:system_admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# metadata/: Lists a secrets user-defined metadata. || metadata/{key}:
# Retrieves a secrets user-added metadata.
# GET  /v1/secrets/{secret-id}/metadata
# GET  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:get": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret_meta:get":"rule:secret_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret_meta:get":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private) or rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Adds a new key/value pair to the secrets user-defined metadata.
# POST  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:post": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_meta:post":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# rule:secret_non_private_read)" has been deprecated since W in favor
# of "secret_meta:post":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# metadata/: Sets the user-defined metadata for a secret ||
# metadata/{key}: Updates an existing key/value pair in the secrets
# user-defined metadata.
# PUT  /v1/secrets/{secret-id}/metadata
# PUT  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:put": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_meta:put":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# rule:secret_non_private_read)" has been deprecated since W in favor
# of "secret_meta:put":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete secret user-defined metadata by key.
# DELETE  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:delete": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_meta:delete":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# rule:secret_non_private_read)" has been deprecated since W in favor
# of "secret_meta:delete":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Retrieve a secrets payload.
# GET  /v1/secrets/{uuid}/payload
# Intended scope(s): project
#"secret:decrypt": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret:decrypt":"rule:secret_decrypt_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret:decrypt":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private) or rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Retrieves a secrets metadata.
# GET  /v1/secrets/{secret-id}
# Intended scope(s): project
#"secret:get": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret:get":"rule:secret_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret:get":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private) or rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Add the payload to an existing metadata-only secret.
# PUT  /v1/secrets/{secret-id}
# Intended scope(s): project
#"secret:put": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret:put":"rule:admin_or_creator and rule:secret_project_match"
# has been deprecated since W in favor of
# "secret:put":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete a secret by uuid.
# DELETE  /v1/secrets/{secret-id}
# Intended scope(s): project
#"secret:delete": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret:delete":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# not rule:secret_private_read)" has been deprecated since W in favor
# of "secret:delete":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates a Secret entity.
# POST  /v1/secrets
# Intended scope(s): project
#"secrets:post": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "secrets:post":"rule:admin_or_creator" has been deprecated since W
# in favor of "secrets:post":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Lists a projects secrets.
# GET  /v1/secrets
# Intended scope(s): project
#"secrets:get": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "secrets:get":"rule:all_but_audit" has been deprecated since W in
# favor of "secrets:get":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get list of available secret store backends.
# GET  /v1/secret-stores
# Intended scope(s): project, system
#"secretstores:get": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "secretstores:get":"rule:all_users" has been deprecated since W in
# favor of "secretstores:get":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get a reference to the secret store that is used as default secret
# store backend for the deployment.
# GET  /v1/secret-stores/global-default
# Intended scope(s): project, system
#"secretstores:get_global_default": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "secretstores:get_global_default":"rule:all_users" has been
# deprecated since W in favor of
# "secretstores:get_global_default":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get a reference to the preferred secret store if assigned
# previously.
# GET  /v1/secret-stores/preferred
# Intended scope(s): project, system
#"secretstores:get_preferred": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "secretstores:get_preferred":"rule:all_users" has been deprecated
# since W in favor of
# "secretstores:get_preferred":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Set a secret store backend to be preferred store backend for their
# project.
# POST  /v1/secret-stores/{ss-id}/preferred
# Intended scope(s): project
#"secretstore_preferred:post": "True:%(enforce_new_defaults)s and role:admin"

# DEPRECATED
# "secretstore_preferred:post":"rule:admin" has been deprecated since
# W in favor of
# "secretstore_preferred:post":"True:%(enforce_new_defaults)s and
# role:admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Remove preferred secret store backend setting for their project.
# DELETE  /v1/secret-stores/{ss-id}/preferred
# Intended scope(s): project
#"secretstore_preferred:delete": "True:%(enforce_new_defaults)s and role:admin"

# DEPRECATED
# "secretstore_preferred:delete":"rule:admin" has been deprecated
# since W in favor of
# "secretstore_preferred:delete":"True:%(enforce_new_defaults)s and
# role:admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get details of secret store by its ID.
# GET  /v1/secret-stores/{ss-id}
# Intended scope(s): project, system
#"secretstore:get": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "secretstore:get":"rule:all_users" has been deprecated since W in
# favor of "secretstore:get":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get a specific transport key.
# GET  /v1/transport_keys/{key-id}}
# Intended scope(s): project, system
#"transport_key:get": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "transport_key:get":"rule:all_users" has been deprecated since W in
# favor of "transport_key:get":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete a specific transport key.
# DELETE  /v1/transport_keys/{key-id}
# Intended scope(s): system
#"transport_key:delete": "True:%(enforce_new_defaults)s and rule:system_admin"

# DEPRECATED
# "transport_key:delete":"rule:service_admin" has been deprecated
# since W in favor of
# "transport_key:delete":"True:%(enforce_new_defaults)s and
# rule:system_admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get a list of all transport keys.
# GET  /v1/transport_keys
# Intended scope(s): project, system
#"transport_keys:get": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "transport_keys:get":"rule:all_users" has been deprecated since W in
# favor of "transport_keys:get":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Create a new transport key.
# POST  /v1/transport_keys
# Intended scope(s): system
#"transport_keys:post": "True:%(enforce_new_defaults)s and rule:system_admin"

# DEPRECATED
# "transport_keys:post":"rule:service_admin" has been deprecated since
# W in favor of "transport_keys:post":"True:%(enforce_new_defaults)s
# and rule:system_admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.