Approver groups

An approver group is a named set of approvers, such as group:sre. Define the group once and reference it wherever an approval is required, instead of listing people by name on every secret.

Bind a group to a path

Attach an approval policy to a path. The policy names its principals — one or more groups, named approvers, or a mix — and a quorum:

  • any-of — any one named approver may countersign a release.
  • M-of-N — a fixed number of approvers must countersign before a release proceeds.

Set the rule once as policy; every secret under the path inherits it. There is no per-secret approver assignment.

How inheritance resolves

Secrets stored under a bound path pick up that path’s policy automatically. When policies overlap, the most-specific path wins, so a rule on a deeper path overrides a broader one above it.

Changing membership

Add or remove people from a group, or edit the policy, and the change takes effect immediately. You do not re-encrypt existing secrets when membership changes — the same group reference now resolves to the new set of approvers.
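The resolution rules from "How inheritance resolves" and "Changing membership" can be modelled in a few lines. This is an added example, not the product's own code or API: the names `GROUPS`, `POLICIES`, `resolve_policy`, `expand` and `may_release`, the sample paths and approvers, and the `/` path separator are all hypothetical. It assumes paths match on whole segments, only distinct approvers named by the winning policy count toward the quorum, and a path with no policy is refused.

```python
# Added illustration: a minimal model of path-bound approval policies.
# All names and sample data are hypothetical and constructed for this example.
GROUPS = {"group:sre": {"alice", "bob", "carol"}, "group:dba": {"dave", "erin"}}

# bound path -> (principals, quorum); quorum 1 models any-of, M models M-of-N.
POLICIES = {
    "prod": (["group:sre"], 1),
    "prod/db": (["group:dba", "alice"], 2),
}

def resolve_policy(secret_path, policies=POLICIES):
    """Return (bound_path, policy) for the most-specific bound path, or None."""
    parts = secret_path.strip("/").split("/")
    # Walk from the deepest path upward, comparing whole segments only,
    # so "prod/dbx/..." never inherits the policy bound to "prod/db".
    for depth in range(len(parts), 0, -1):
        candidate = "/".join(parts[:depth])
        if candidate in policies:
            return candidate, policies[candidate]
    return None

def expand(principals, groups=GROUPS):
    """Expand group references at evaluation time, not at storage time."""
    approvers = set()
    for principal in principals:
        if principal.startswith("group:"):
            approvers |= groups.get(principal, set())
        else:
            approvers.add(principal)
    return approvers

def may_release(secret_path, countersigners, policies=POLICIES, groups=GROUPS):
    """True if enough distinct, policy-named approvers have countersigned."""
    resolved = resolve_policy(secret_path, policies)
    if resolved is None:
        return False  # assumption: no bound policy means the release is refused
    _, (principals, quorum) = resolved
    # Only the winning policy's principals count; a set drops duplicate signers.
    valid = set(countersigners) & expand(principals, groups)
    return len(valid) >= quorum

if __name__ == "__main__":
    print(resolve_policy("prod/db/password"))
    print(may_release("prod/db/password", ["alice", "dave"]))
```

Because `expand` runs on every release check, removing someone from a group changes the outcome of the next check without touching any stored secret.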

Approver groups are available on Team plans and above.

See the two-person rule for M-of-N quorums, and access policies for who may ask for a release.