RBAC & Secrets Management
Granular access control and enterprise-grade secret lifecycle management for secure, compliant cloud deployments.
CloudNexus provides a unified security model combining Role-Based Access Control (RBAC) and a native Secrets Manager with optional HashiCorp Vault integration. This ensures principle-of-least-privilege access while automatically encrypting, rotating, and injecting credentials across your infrastructure.
Note: RBAC policies evaluate in <2ms using our edge-accelerated policy engine. Secrets are encrypted at rest using AES-256-GCM and in transit via TLS 1.3.
RBAC Architecture
CloudNexus RBAC follows a declarative model where permissions are attached to roles, and roles are bound to identities (users, service accounts, or workload identities). Policy evaluation occurs at the API gateway layer before reaching backend services.
Roles & Bindings
Roles define permission sets for specific resource types. Bindings map those roles to subjects. You can create custom roles or use built-in presets:
| Built-in Role | Scope | Permissions |
|---|---|---|
| cn-admin | Global | Full CRUD, IAM management, billing access |
| cn-developer | Project | Deploy, read logs, manage secrets (read-only) |
| cn-ops | Cluster/Region | Scale, patch, monitor, backup/restore |
| cn-auditor | Read-only | View policies, access logs, compliance reports |
Policy Evaluation
Policies are evaluated using ABAC+RBAC hybrid logic. Contextual attributes (IP, time, resource tags) can conditionally allow/deny actions even when a role permits them. Example:
Policy Evaluation Logic

```
allow if {
  input.action == "secrets.write"
  input.resource.tags.env == "production"
  input.identity.groups in ["platform-team", "security-admins"]
  input.request.ip in cidr_netmask("10.0.0.0/8")
}
```
Secrets Lifecycle
Secrets in CloudNexus are versioned, encrypted, and injected dynamically into workloads. The lifecycle includes:
- Creation & Versioning: Every update creates a new immutable version. Rollback is instantaneous.
- Dynamic Secrets: Database credentials, API keys, and cloud tokens are generated on-demand with TTLs.
- Injection: Secrets are mounted as environment variables, volume mounts, or Kubernetes Secret objects.
- Rotation: Automatic or policy-driven rotation with zero downtime.
Security Warning: Never hardcode secrets in source code or container images. Use CloudNexus secret injection or CI/CD pipeline variables.
Vault Integration
For enterprises requiring external secret backends, CloudNexus integrates natively with HashiCorp Vault. Secrets can be sourced from Vault, synchronized via webhook, or used as a fallback provider. TLS mutual authentication is enforced between CloudNexus edge nodes and Vault clusters.
Auto-Rotation
Configure rotation policies per secret or globally via IAM policies. CloudNexus handles credential refresh, application health checks, and safe rollouts to avoid breaking connections.
Configuration Examples
RBAC Policy YAML
cn-rbac-policy.yaml

```yaml
apiVersion: cloudnexus.io/v1
kind: RBACPolicy
metadata:
  name: deploy-team-production
  namespace: prod-cluster-01
spec:
  subjects:
    - type: Group
      name: deploy-team
  roles:
    - cn-developer
  conditions:
    ipRange: "203.0.113.0/24"
    timeWindow: "Mon-Fri 08:00-18:00 UTC"
  resources:
    - apiGroups: ["", "apps"]
      resources: ["deployments", "services", "pods"]
      verbs: ["get", "list", "create", "update", "patch"]
```
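The following is an added illustration, not CloudNexus code: a deny-by-default evaluator that applies the RBAC+ABAC hybrid described under Policy Evaluation to the deploy-team-production policy above. The policy is embedded as a constructed dict (standing in for the parsed YAML), and the request shape (`groups`, `apiGroup`, `resource`, `verb`, `ip`, `time`) is assumed.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed stand-in for the parsed cn-rbac-policy.yaml spec above.
POLICY = {
    "subjects": [{"type": "Group", "name": "deploy-team"}],
    "roles": ["cn-developer"],
    "conditions": {"ipRange": "203.0.113.0/24", "timeWindow": "Mon-Fri 08:00-18:00 UTC"},
    "resources": [{"apiGroups": ["", "apps"],
                   "resources": ["deployments", "services", "pods"],
                   "verbs": ["get", "list", "create", "update", "patch"]}],
}
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def in_time_window(window: str, when: datetime) -> bool:
    """Parse 'Mon-Fri 08:00-18:00 UTC' and test a timestamp against it (end is exclusive)."""
    days, hours, _tz = window.split()
    first, last = (DAYS.index(d) for d in days.split("-"))
    start, end = (datetime.strptime(h, "%H:%M").time() for h in hours.split("-"))
    when = when.astimezone(timezone.utc)
    return first <= when.weekday() <= last and start <= when.time() < end

def evaluate(policy: dict, request: dict) -> bool:
    """Allow only if an RBAC grant exists AND every ABAC condition holds; otherwise deny."""
    # RBAC: is the caller bound through one of the policy's subjects?
    bound = any(s["type"] == "Group" and s["name"] in request["groups"]
                for s in policy["subjects"])
    # ...and does a resource rule grant this verb on this resource kind?
    granted = any(request["apiGroup"] in r["apiGroups"]
                  and request["resource"] in r["resources"]
                  and request["verb"] in r["verbs"]
                  for r in policy["resources"])
    if not (bound and granted):
        return False
    # ABAC: contextual conditions can still deny a role-permitted action.
    cond = policy.get("conditions", {})
    if "ipRange" in cond and ip_address(request["ip"]) not in ip_network(cond["ipRange"]):
        return False
    if "timeWindow" in cond and not in_time_window(cond["timeWindow"], request["time"]):
        return False
    return True

# Constructed requests: same caller, differing only in source IP or time.
OK_REQ = {"groups": ["deploy-team"], "apiGroup": "apps", "resource": "deployments",
          "verb": "patch", "ip": "203.0.113.42",
          "time": datetime(2024, 5, 14, 9, 30, tzinfo=timezone.utc)}  # a Tuesday
OFF_NET_REQ = {**OK_REQ, "ip": "198.51.100.7"}                        # outside ipRange
WEEKEND_REQ = {**OK_REQ, "time": datetime(2024, 5, 18, 9, 30, tzinfo=timezone.utc)}  # a Saturday
```

The two denied requests show the point of the hybrid model: the role grants `patch` on deployments, yet the request is refused when either contextual condition fails.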
Secret Injection (Kubernetes)
deployment-secret-injection.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-gateway
spec:
  # selector must match the pod template labels for the Deployment to be accepted
  selector:
    matchLabels:
      app: api-gateway
  template:
    metadata:
      labels:
        app: api-gateway
    spec:
      containers:
        - name: api
          image: cloudnexus/api:v2.4.1
          envFrom:
            - secretRef:
                name: cn-managed:prod-db-credentials
            - secretRef:
                name: cn-managed:jwt-signing-key
          env:
            - name: DB_HOST
              value: "postgres-primary.cn.internal"
```
Best Practices
Recommendation: Follow the principle of least privilege. Audit permissions quarterly and rotate secrets automatically.
- Use Workload Identities instead of long-lived static keys for microservices.
- Enable MFA + IP Allowlisting for all administrative roles.
- Tag Secrets by Environment (dev, staging, prod) and enforce cross-environment isolation.
- Monitor Access Logs via CloudNexus Audit Trail. Alert on anomalous secret access patterns.
- Prefer Dynamic Secrets for databases and third-party APIs to reduce blast radius.
API & SDK Support
Full REST and GraphQL APIs are available for programmatic management of roles, bindings, and secrets. Official SDKs for Go, Python, and Node.js include:
- cn-sdk-go - Optimized for high-throughput rotation and policy sync
- cn-sdk-python - Async support, CI/CD integration helpers
- @cloudnexus/sdk-js - Deno/Node compatible, TypeScript definitions included
View RBAC API Reference | View Secrets API Reference
Troubleshooting
Policy Denied (403 Forbidden): Verify subject mapping and check conditional restrictions. Use cn-cli rbac simulate --policy <name> --subject <id> to debug.
Secret Mount Failed: Ensure the workload identity has secrets.read permission. Check namespace scoping and DNS resolution for internal secret endpoints.
Vault Sync Delay: Default sync interval is 60s. Override with cn config set vault.sync-interval=10s for critical paths.
Need help? Open a support ticket via the console or join our Developer Discord.