Third-party Building Block Definitions
complete
Jelle den Burger
As a Platform Engineer who is not part of the Cloud Foundation Team, I want to create resources inside a managed cloud tenant to provide my services to application teams. Therefore I need permissions to create the resources that are required for my service in the managed tenant. It would be great if this is possible completely in self-service.
Johannes Rudolph
marked this post as complete
Update: Third-party Building Block access is now possible via Compositions + Ephemeral API Keys
We're closing this request as the solution landscape has shifted significantly and the use case is now addressable.
What's available now:
- Ephemeral API Keys: Your building block can automatically receive a short-lived, workspace-scoped API key during a run. This enables it to interact with the meshStack API (e.g., create nested building blocks or tenants) without admin permissions. See the guide: https://docs.meshcloud.io/guides/core/how-to-use-ephemeral-api-keys/
- Building Block Compositions: The Cloud Foundation team can publish an "access" Building Block Definition that deploys a role into the application team's tenant, scoped for your platform team's service principal to assume. Your BBD then includes this "access" BB as a mandatory dependency.
- Pre-run Scripts (OpenTofu): On Azure, where role definitions must exist before the `azurerm` provider authenticates, you can use `tofu apply -target` in a pre-run script to set up role assignments in a first phase before the main apply runs.
How the pattern works:
- Cloud Foundation team creates an "access" BBD that grants the platform team's backplane a role in the application team's tenant.
- The platform team's BBD lists this "access" BB as a dependency (composition).
- Ephemeral API keys allow the platform team's BBD run to provision additional resources without needing permanent admin credentials.
We're closing this request as sufficiently solved. If your specific use case isn't covered by this pattern, we'd love to hear more — please open a new request with details about your scenario so we can continue improving. You can also reach out to support@meshcloud.io.
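As an added illustration of the two-phase pre-run pattern described above (this is example code, not meshStack's own tooling or anything from the thread): a POSIX shell script that first applies only the role definition and role assignment via `tofu apply -target`, then runs the full apply once the platform team's principal has the role it needs. The resource addresses, the `TOFU_BIN` override and the `run` argument convention are assumptions made for this example; the working directory is assumed to already contain the OpenTofu configuration and whatever credentials the run is given.

```shell
#!/bin/sh
# Two-phase OpenTofu apply for an "access" building block on Azure.
# Phase 1 applies only the role resources (via -target) so the role exists
# before the main apply needs it; phase 2 is the normal full apply.
# Constructed example: resource addresses below are hypothetical.
set -eu

# Allow the tofu binary to be overridden (e.g. with a stub when testing).
TOFU_BIN="${TOFU_BIN:-tofu}"

# Resource addresses applied in phase 1. Hypothetical names; replace them
# with the role definition/assignment addresses in your own configuration.
PHASE1_TARGETS="azurerm_role_definition.platform_team_access azurerm_role_assignment.platform_team"

# Turn the space-separated address list into one -target=<addr> flag each.
phase1_target_flags() {
  flags=""
  for addr in $PHASE1_TARGETS; do
    flags="$flags -target=$addr"
  done
  printf '%s' "${flags# }"
}

# Phase 1: targeted apply of just the role resources. tofu warns that a
# targeted apply may leave the configuration incomplete; that is expected,
# because phase 2 finishes the job.
apply_phase1() {
  # shellcheck disable=SC2046  # word splitting of the flag list is intended
  "$TOFU_BIN" apply -auto-approve -input=false $(phase1_target_flags)
}

# Phase 2: full apply now that the role assignment is in place.
apply_phase2() {
  "$TOFU_BIN" apply -auto-approve -input=false
}

# Full pre-run sequence: init, then the two apply phases in order.
run_prerun_and_main() {
  "$TOFU_BIN" init -input=false
  apply_phase1
  apply_phase2
}

# Only execute when invoked as `sh prerun.sh run`; sourcing the file just
# defines the functions.
if [ "${1:-}" = "run" ]; then
  run_prerun_and_main
fi
```

Keeping the phase 1 target list short matters: everything in it is created with whatever credentials the pre-run script holds, so it should contain only the role resources that genuinely must exist before the main apply, and nothing the application team's tenant would not otherwise grant.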
Jelle den Burger
Just a quick update that this topic will not be in focus for us at least until after Q1 2025. Let me know what use cases you have planned on this topic and we can reconsider.