Skip to main content
Version: 1.5

wf assign role

wf assign role

Assigns a role to one more subjects in the workspace


Assignment lets workspace members assign a security policy to one more robots. A common example would be to create a robot and then assign a deployment role to the robot to permit deploying an application into the cluster. You cannot assign policies to human users—humans use role assumption rather than statically assigned policies (see wf assume --help).

Assignment policies are granted to workspace members by the workspace administrator, who has the rights to specify constraints on who can assign a policy to a robot, and any other requirements that must be met.

wf assign role [flags]


# Create a robot token and assign a policy to permit deployment to cluster A

$ wf create robot ci
$ wf assign role nsadmin --robot ci --cluster <cluster> --namespace <namespace>

# View the assignements that you can make
$ wf get assignments

# View all the roles that are available. Use -o yaml to view policy.
$ wf get roles --all


      --cluster string     Sets the cluster name of a role parameter
--dry-run Shows the resource but does not apply or create (defaults: false)
--expires duration Sets an expiration on the assignment
--group strings one or more workspaces to apply
-h, --help help for role
--namespace string Sets the namespace name of a role parameter
--robot strings One or more robots
--role strings One or more workspace roles to apply the role
--scope strings One or more subject scopes to apply the role
--subject strings One or more subjects to apply

Options inherited from parent commands

      --debug              Indicates we should use debug / trace logging (default: false)
--force Used to force an operation to happen (default: false)
--no-wait Indicates we should not wait for resources to provision
-o, --output string Output format of the resource (json,yaml,table,template) (default "table")
--profile string Use a profile other than your default for this command
--show-headers Indicates we should display headers on table out (default true)
--verbose Enables verbose logging for debugging purposes (default: false)
-w, --workspace string The workspace you are operating within


  • wf assign - Assign allows you to apply a policy, role or compliance package