Using resources
Read time: 6 minutes
Last edited: Nov 08, 2024
Overview
This topic explains how to specify different resources to use with custom roles, integrations access, and Relay Proxy access.
To learn more about how resources are structured within custom role policies, read Custom role concepts.
About the resource specifier syntax
LaunchDarkly uses a resource specifier syntax to name resources or collections of resources. This is a precise, flexible taxonomy that lets you identify and control any resource in your LaunchDarkly account.
The pattern to specify a resource looks like this:
The example above shows two tags separated by a comma. Tags are optional. It also shows a property-based selector. If you don't need to use any tags or selectors, you can omit the semicolon (;
) and all content following.
In the example below, we create a resource that names all of the projects in an account:
The resource syntax accepts globs and wildcards, so you can name collections of resources with *
. You can also name a specific project by its key.
In the example below, we name a project by the default
key.
You can name sets of resources down to the tag level.
In the example below, we name all projects with the mobile
tag.
To learn more, read Using the advanced editor.
Scoping resources
The term "scoping" refers to identifying resources in relation to other resources and the hierarchy of permissions that connects them.
Resources can be scoped within parent resources. For example, metrics are scoped within a project, and feature flags are scoped within a project and environment.
Name scoped resources by using the resource syntax structure depicted below:
In the following example, we name all feature flags across all environments:
In the example above, proj/*:
includes all named projects in the list of results. env/*:
includes all environments in the list of results. flag/*:
includes all flags in the list of results. This example will return very broad results because of how comprehensive its permissions are.
Member permissions are specific to each resource type, and different types do not share or inherit permissions. For example, if you set member permissions for a project with the ID default
using proj/default
, the member does not have the same permissions for the project's environments unless you also set member permissions for proj/default:env/*
.
For a more refined example, we could name all feature flags whose keys start with ops_
:
Finally, we could name all feature flags in critical environments:
About resource types and scopes
Here is a reference list of all the supported resources in LaunchDarkly, their scopes, the built-in role that has access to the resource, and the resource identifier, ordered by written expression:
Resource type | Resource scope | Built-in role access | Written expression | Resource identifier |
---|---|---|---|---|
acct |
| Owner | acct | Not applicable |
application |
| Writer | application/* | Application key |
code-reference-repository |
| Writer | code-reference-repository/* | Git repository name |
domain-verification |
| Owner or Admin | domain-verification/* | Domain ID |
integration |
| Writer | integration/* | Integration ID |
member |
| Owner or Admin | member/* | Member ID |
token |
| Reader | member/*:token/* | Personal access token ID |
pending-request |
| Owner or Admin | pending-request/* | Not applicable |
proj |
| Writer | proj/* | Project key |
aiconfig |
| Writer | proj/*:aiconfig/* | AI config key |
context-kind |
| Owner or Admin | proj/*:context-kind/* | Context kind key |
env |
| Writer | proj/*:env/* | Environment key |
destination |
| Writer | proj/*:env/*:destination/* | Data Export destination ID |
experiment |
| Writer | proj/*:env/*:experiment/* | Experiment key |
flag |
| Writer | proj/*:env/*:flag/* | Flag key |
holdout |
| Writer | proj/*:env/*:holdout/* | Holdout key |
segment |
| Writer | proj/*:env/*:segment/* | Segment key |
layer |
| Writer | proj/*:layer/* | Layer key |
metric |
| Writer | proj/*:metric/* | Metric key |
metric-group |
| Writer | proj/*:metric-group/* | Metric group key |
release-pipeline |
| Owner or Admin | proj/*:release-pipeline/* | Release pipeline key |
relay-proxy-config |
| Owner / Admin | relay-proxy-config/* | Relay Proxy configuration ID |
role |
| Owner or Admin | role/* | Role key |
service-token |
| Reader | service-token/* | Service token ID |
team |
| Owner or Admin | team/* | Team key |
template |
| Writer | template/* | Workflow template key |
webhook |
| Writer | webhook/* | Webhook ID |
For a list of all actions available to each resource, read Using actions. To learn more about how to create custom roles with access to these resources, read Creating custom roles.
user
resource is only relevant when working with older SDKsIf you are working with older SDKs, which do not yet support custom contexts, you can also reference the user
resource. The user
resource is scoped to a project and environment. It has one action, deleteUser
. This action allows you to delete context instances, including users, which appear as context instances on the Contexts list. To learn more, read Remove a context instance.
If you are working with SDKs that have been updated for custom contexts, the equivalent action is deleteContextInstance
, which is scoped to the environment resource. To learn more, read Environment actions.
We strongly encourage you to upgrade your SDKs to versions supporting contexts.