Access Policies

Policies are declared under access_policies: and referenced with access: policy:<name>.

Account-based policy:

access_policies:
  staff:
    accounts: [a@example.com, b@example.com]

Rule-based policy:

access_policies:
  office-or-token:
    any:
      - cidrs: [203.0.113.0/24]
      - token: ${TEAM_TOKEN}

A policy is exactly one type: accounts, any, or all. Conditions are exactly one of cidrs or token. Token secrets are hashed locally.