Access control

Least privilege, down to a single resource.

Terraform state is all-or-nothing: whoever can write the state can change anything in it, and remote state hands every consumer the whole file. Stategraph scopes every token to a set of capabilities on a set of resources — so people and pipelines get exactly the access they need, and nothing more.


State access is all-or-nothing

Terraform has no concept of partial access to a state. If you can write it, you can change every resource in it — and terraform_remote_state hands consumers the entire file. RBAC bolted onto a bucket answers "can you touch this state," never "which resources, and to do what."

Scoped to a slice of the graph

An illustrative scenario: two tokens on the same state. One can plan and apply within one module; the other is scoped to a different one. Each sees exactly what its capabilities allow.

Token: platform team
❯ stategraph whoami
state: platform
capabilities:
  preview  module.network.*
  commit   module.network.*

Token: CI, firewall pipeline
❯ stategraph whoami
state: platform
capabilities:
  preview  module.firewall.*
  commit   module.firewall.*

Same state. Different capabilities. No overlap.

Token: CI, firewall pipeline
❯ stategraph apply        # firewall token; the change propagates into module.network
Resolving change set…
✗ Denied: commit on module.network.db is outside this token's capabilities
# nothing was applied

Out of scope means denied, not partially applied.

Access that fits the change, not the file

Terraform
  1. access stops at the state file
  2. write access means change anything
  3. remote state exposes every output
  4. RBAC is per-bucket, not per-resource
  → all-or-nothing

Stategraph
  1. capabilities scoped to resources
  2. preview and commit are separate grants
  3. cross-state reads are field-level
  4. mint tokens with a subset of your access
  → least privilege by default

What you get

Scope to any level

Grant capabilities at the tenant, state, or resource level, with wildcards for a whole module subtree. The scope of a token is the ceiling on the blast radius it can cause.

Preview and commit, separately

Preview maps to plan, commit maps to apply. Hand reviewers preview-only access and keep commit for the people who own the change.

Least-privilege CI tokens

Scope a pipeline to read what it needs to build the graph and commit only its area of change. An automated run can't reach beyond its lane, which shrinks the blast radius of CI.

Delegate a subset

Users can mint tokens that carry a subset of their own capabilities, which is the right way to hand a narrow, scoped credential to an automated system: the delegated token can never exceed the access of the person who minted it.

Direct and downstream

Control not just what you change directly, but whether a change may propagate into the resources that depend on it. If it would touch something outside your capabilities, the whole operation is denied rather than half-applied.

Attributable by identity

Every operation is tied to who ran it, and an automated run can be constrained to the capabilities of the user it acts on behalf of. CI can't do more than the person behind it.
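The access model described above (capabilities scoped by wildcard to a module subtree, preview and commit as separate grants, delegation of a subset, and all-or-nothing denial when a change propagates into resources outside the token's scope, as in the firewall pipeline scenario earlier on this page) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Stategraph's code or API; the `Capability`, `Token`, `authorize` and `resolve_change_set` names, the fnmatch-style scope matching, the dependency graph and the two tokens are all constructed for the example.

```python
"""Toy model of capability-scoped state access over a resource graph.

Illustrative only: not Stategraph's code or API. Capabilities are
(action, scope) pairs; scopes are fnmatch-style address patterns where a
trailing ".*" covers a module subtree. A change is authorised only if every
resource it touches, directly or through dependents, is inside the token's
capabilities; otherwise the whole change is denied and nothing is applied.
"""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase

ACTIONS = ("preview", "commit")  # preview maps to plan, commit maps to apply


@dataclass(frozen=True)
class Capability:
    action: str  # "preview" or "commit"
    scope: str   # resource address pattern, e.g. "module.network.*"

    def covers(self, action: str, address: str) -> bool:
        return self.action == action and fnmatchcase(address, self.scope)

    def subsumes(self, other: Capability) -> bool:
        # Approximation that is sound for subtree wildcards: the narrower
        # pattern must itself match the wider one ("module.network.db" or
        # "module.network.*" under "module.network.*", but not "module.*").
        return self.action == other.action and fnmatchcase(other.scope, self.scope)


class Token:
    def __init__(self, identity: str, capabilities: list[Capability]):
        self.identity = identity            # every operation is attributable
        self.capabilities = tuple(capabilities)

    def allows(self, action: str, address: str) -> bool:
        return any(c.covers(action, address) for c in self.capabilities)

    def delegate(self, identity: str, subset: list[Capability]) -> Token:
        """Mint a token carrying a subset of this token's capabilities.
        Anything the parent cannot do is refused, so delegation never escalates."""
        for wanted in subset:
            if not any(mine.subsumes(wanted) for mine in self.capabilities):
                raise PermissionError(f"{self.identity} cannot grant {wanted}")
        return Token(identity, subset)


def resolve_change_set(dependents: dict[str, list[str]], direct: set[str]) -> set[str]:
    """Expand the directly changed addresses with everything downstream of them."""
    touched, stack = set(), list(direct)
    while stack:
        addr = stack.pop()
        if addr in touched:
            continue
        touched.add(addr)
        stack.extend(dependents.get(addr, ()))
    return touched


def authorize(token: Token, action: str, dependents: dict[str, list[str]],
              direct: set[str]) -> tuple[bool, list[str]]:
    """All-or-nothing check. Returns (ok, denied): denied lists every touched
    address outside the token's capabilities; if it is non-empty nothing may run."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    touched = resolve_change_set(dependents, direct)
    denied = sorted(a for a in touched if not token.allows(action, a))
    return (not denied, denied)


# Constructed graph: module.network.db references the firewall's security
# group, and the group sits in the network's VPC, so changes cross modules
# in both directions.
DEPENDENTS = {
    "module.firewall.sg": ["module.network.db"],
    "module.network.vpc": ["module.network.db", "module.firewall.sg"],
}

platform = Token("platform-team", [Capability("preview", "module.network.*"),
                                   Capability("commit", "module.network.*")])
firewall_ci = Token("ci/firewall", [Capability("preview", "module.firewall.*"),
                                    Capability("commit", "module.firewall.*")])

if __name__ == "__main__":
    ok, denied = authorize(firewall_ci, "commit", DEPENDENTS, {"module.firewall.sg"})
    print("firewall CI commit on sg:", "allowed" if ok else f"denied on {denied}")
    reviewer = platform.delegate("reviewer", [Capability("preview", "module.network.*")])
    print("reviewer commit on db:", authorize(reviewer, "commit", DEPENDENTS, {"module.network.db"}))
```

The firewall token's commit to `module.firewall.sg` is refused because the change set, once expanded through dependents, includes `module.network.db`; the platform token is refused symmetrically when a VPC change would reach `module.firewall.sg`. The reviewer token minted from the platform token can preview but not commit, and an attempt to delegate a capability the parent lacks raises instead of silently widening scope.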

Scoped to the graph, not bolted onto a file. Because Stategraph stores state as a normalized graph, access is granted on nodes in that graph — specific resources, modules, or states — instead of all-or-nothing on a blob.

Give every token exactly what it needs

Stop handing out write access to an entire state because the tooling can't express anything smaller. Scope people and pipelines to the resources they actually touch.
