Programmatic access to your Vect repository is performed using the API keys provided during onboarding. Out of the box, each API key has repo-wide access without any restrictions and is allowed to access all the data stored in your Vect repository. This behaviour can be modified: a granular, glob-pattern-based permissions model can be added to each of your API keys.
API key permissions are stored and managed inside the authorization configuration file located at .vect/authorizations/api-keys, which uses the following structure:
{
  "<api-key-name>": {
    "authorizedGlobPatterns": [<patterns>]
  }
}
Each API key name found inside the file will only have access to files matching at least one of the glob patterns configured for it inside authorizedGlobPatterns.
If an API key name is not found in the authorization configuration file, or if the authorization configuration file doesn’t exist, the API key will be able to access all the files listed under your Vect repository.
We support the entire glob syntax, which makes it easy to define expressive and robust permission models. Below are a few examples to get you started:
{
  "acme-corp-2022v1-partial-access": {
    "authorizedGlobPatterns": [
      "**/prefix-*.json", // Access all files starting with prefix
      "**/*-suffix.json", // Access all files ending with a suffix
      ".vect/configs/test.json" // Access to specific file only
    ]
  },
  "acme-corp-2022v1-full-access": {
    "authorizedGlobPatterns": ["**"]
  },
  "acme-corp-2022v1-no-access": {
    "authorizedGlobPatterns": []
  }
}
Often there is a need for environment-based separation inside your Vect repository. To achieve it, you can configure each of your API keys to have access only to the files relevant to a given environment.
For example, if production and development parameters are stored under the prod and dev directories respectively, and you have two API keys, acme-corp-2022v1-dev and acme-corp-2022v1-prod, you can configure the following permission model inside .vect/authorizations/api-keys:
{
  "acme-corp-2022v1-dev": {
    "authorizedGlobPatterns": ["dev/**"]
  },
  "acme-corp-2022v1-prod": {
    "authorizedGlobPatterns": ["prod/**"]
  }
}
This will ensure each API key has access only to its appropriate environment.
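Because a key that is missing from the file keeps repo-wide access, it is worth auditing the configuration against the list of keys you have actually been issued. The following Python sketch is an added example, not Vect's own code: it applies the rules described above and reports which keys are unrestricted and which sample paths each key can reach. The glob semantics in glob_to_regex, the key name acme-corp-2022v1-ci and the sample paths are assumptions constructed for illustration.

```python
import json
import re

def glob_to_regex(pattern):
    """Translate a glob to a regex: '**' crosses '/', '*' and '?' do not.
    Assumed semantics; Vect's own matcher may differ in edge cases."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out += "(?:.*/)?"; i += 3      # zero or more leading directories
        elif pattern.startswith("**", i):
            out += ".*"; i += 2            # anything, including '/'
        elif pattern[i] == "*":
            out += "[^/]*"; i += 1         # anything within one path segment
        elif pattern[i] == "?":
            out += "[^/]"; i += 1
        else:
            out += re.escape(pattern[i]); i += 1
    return re.compile(out + r"\Z")

def is_authorized(config, key_name, path):
    """Documented rule: a missing file (None) or an unlisted key means full access."""
    if config is None or key_name not in config:
        return True
    # Assumption: a listed key without the field is treated like an empty list.
    patterns = config[key_name].get("authorizedGlobPatterns", [])
    return any(glob_to_regex(p).match(path) for p in patterns)

def audit(config, issued_keys, paths):
    """For each issued key, report whether it is unrestricted and what it can reach."""
    report = {}
    for key in issued_keys:
        report[key] = {
            "unrestricted": config is None or key not in config,
            "readable": [p for p in paths if is_authorized(config, key, p)],
        }
    return report

# Constructed sample: the dev/prod model from this page, plus one issued key
# (acme-corp-2022v1-ci, hypothetical) that was never added to the file.
CONFIG = json.loads("""{
  "acme-corp-2022v1-dev":  {"authorizedGlobPatterns": ["dev/**"]},
  "acme-corp-2022v1-prod": {"authorizedGlobPatterns": ["prod/**"]}
}""")
ISSUED = ["acme-corp-2022v1-dev", "acme-corp-2022v1-prod", "acme-corp-2022v1-ci"]
PATHS = ["dev/db.json", "prod/db.json", "prod/nested/keys.json"]

if __name__ == "__main__":
    for key, finding in audit(CONFIG, ISSUED, PATHS).items():
        print(key, finding)
```

In this sample the dev and prod keys are confined to their own directories, while the unlisted key is reported as unrestricted and can reach every path.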