Go to Chainguard.dev
Send feedback Contact
IAM & Organizations

Verified Organizations

An overview of how to verify your organization and the implications
Product Conceptual

Resources on the Chainguard platform are organized in a hierarchical structure called IAM Organizations. Single customers or organizations typically use a single root-level Organization to manage their Chainguard resources.

Organizations can optionally be verified. Verification modifies some aspects of the Chainguard platform user experience to help large organizations guide their user base to the correct resources.

Verifying your Organization

Verification is currently a manual process. To verify your organization, please contact your customer support contact. You can check if your organization is verified using chainctl.

chainctl iam organization ls -o json | jq

Verified organizations will have a field verified: true set.

[
  {
	"id": "f5a2c73d75a8d7fe666ecb623c79a2b771d78765",
	"name": "example.com",
	"resourceLimits": {
    	"clusters": 3,
    	"idps": 1
	},
	"verified": true
  }
]

Verified Organizations and Custom Identity providers

If you’ve configured a custom identity provider and your organization is verified, you can select your identity provider by providing the name of your organization when authenticating.

When authenticating with chainctl, the --org-name flag can be passed. Here, the command uses the example organization name example.com.

chainctl auth login --org-name example.com

As an alternative, you can set the organization name by editing the chainctl configuration file. You can do so with the following command.

chainctl config edit

This will open a text editor (nano, by default) where you can edit the local chainctl config. Add the following lines to this file.

default:
  org-name: example.com

You can also set this with a single command using the chainctl config set subcommand, as in this example.

chainctl config set default.org-name example.com

Once set, the configured identity provider will be used automatically any time you run chainctl auth login.

When authenticating via the Chainguard Console, your organization name is detected from your email address in most cases. If your organization name does not match your email domain, it can be input manually to select your custom identity provider.

Verified Organizations and Chainguard Containers

If you’ve purchased Chainguard Containers, your images are available via a private catalog. Your images are available to pull via cgr.dev/<org id>/<image name>, where <org id> is the unique identifier for your organization. Once your organization is verified, you can use the name of your organization instead of your organization identifier. For example, if your organization is named example.com and is verified, you can pull private images from your catalog with cgr.dev/example.com/<image name>.

Restrictions for Verified Organizations

Once an organization is verified, its name can be used interchangeably with the organization’s unique ID. Changes to the name can break image pulls from your private catalog and break authentication for users that have configured custom identity providers. For that reason, modifying the name of a verified organization is not currently possible. If you need to modify the name of your verified organization, please contact support.

Last updated: 2024-03-21 15:22

How to Manage Chainguard IAM Organizations Prev   Overview of Roles and Role-bindings in Chainguard   Next