Adding Members
Streamlined process for adding new team members to kiln projects with appropriate access levels.
New Member Onboarding
Step 1: Key Generation
New member:
# Generate personal key
kiln init key

# Or use existing SSH key
ls ~/.ssh/id_*.pub

Step 2: Public Key Sharing
New member shares public key:
# Share age public key
cat ~/.kiln/kiln.key.pub

# Or SSH public key
cat ~/.ssh/id_ed25519.pub

Step 3: Access Grant
Team admin adds member:
# Add to development first
kiln rekey --file development --add-recipient "newmember=ssh-ed25519 AAAAC3..."

# Add to staging when ready
kiln rekey --file staging --add-recipient "newmember=ssh-ed25519 AAAAC3..."

Progressive Access Model
Development Access (Immediate)
# All new developers get development access
kiln rekey --file development --add-recipient "newdev=age1new...key"

Staging Access (After 1-2 weeks)
# Proven team members get staging access
kiln rekey --file staging --add-recipient "newdev=age1new...key"

# Update groups for easier management
# Edit kiln.toml:
# [groups]
# developers = ["alice", "bob", "newdev"]

Production Access (Role-based)
# Only senior developers and admins
kiln rekey --file production --add-recipient "senior-dev=age1senior...key"

Automation Integration
CI/CD Access
# Generate service account key
kiln init key --path ./ci.key

# Add to production for deployments
kiln rekey --file production --add-recipient "ci-deploy=$(cat ./ci.key.pub)"

# Store private key in CI secrets
# CI_KILN_PRIVATE_KEY=$(cat ./ci.key)

Service Accounts
# Monitoring service
kiln rekey --file production --add-recipient "monitoring=age1monitor...key"

# Backup service
kiln rekey --file production --add-recipient "backup=age1backup...key"

Bulk Member Addition
Multiple New Hires
# Add multiple developers at once
kiln rekey --file development \
  --add-recipient "dev1=ssh-ed25519 AAAAC3..." \
  --add-recipient "dev2=age1234...abcd" \
  --add-recipient "dev3=ssh-rsa AAAAB3..."

Team Reorganization
# Update groups after team changes
[groups]
frontend = ["alice", "newdev1", "newdev2"]
backend = ["bob", "charlie", "newdev3"]
devops = ["admin", "senior-dev"]

Access Validation
New Member Verification
# New member tests their access
kiln info --verify

# Test specific environments
kiln get DATABASE_URL --file development
kiln export --file staging --format json >/dev/null

Admin Verification
# Verify new member can access intended environments
environments=("development" "staging")
for env in "${environments[@]}"; do
  echo "Testing $env access for newmember:"
  if kiln info --file "$env" --key "keys/newmember.key" --verify 2>/dev/null; then
    echo "  ✓ Access granted"
  else
    echo "  ✗ Access denied"
  fi
done

Common Patterns
GitHub Integration
# Fetch public keys from GitHub
# (-f makes curl fail on an HTTP error instead of handing the error page to kiln)
github_user="newdeveloper"
kiln rekey --file development --add-recipient "$github_user=$(curl -fsS "https://github.com/$github_user.keys" | head -n1)"

Role-Based Templates
# Junior developer template
junior_envs=("development")

# Senior developer template
senior_envs=("development" "staging")

# DevOps engineer template
devops_envs=("development" "staging" "production")

for env in "${devops_envs[@]}"; do
  kiln rekey --file "$env" --add-recipient "newdevops=age1devops...key"
done

Error Recovery
Invalid Key Addition
# If wrong key was added, generate new configuration
kiln init config --force --recipients "correct-user=age1correct...key"

# Re-encrypt all files with corrected access
for env in development staging production; do
  if [ -f "${env}.env" ]; then
    kiln rekey --file "$env" --add-recipient "correct-user=age1correct...key"
  fi
done

Access Verification Failures
# Debug access issues
kiln info --file development --verify --verbose

# Check configuration consistency
grep -A 20 "\[recipients\]" kiln.toml
grep -A 10 "\[files.development\]" kiln.toml

Offboarding Process
Remove Access
# Manual removal (requires configuration edit)
# 1. Remove from [recipients] section
# 2. Remove from [groups] if applicable
# 3. Re-encrypt affected files

# Re-encrypt without removed member
# The export is plaintext: keep it in a private temporary directory and delete it on exit
umask 077
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
for env in staging production; do
  kiln export --file "$env" --format json > "$tmpdir/${env}-backup.json"
  # Remove recipient from kiln.toml
  kiln set --from-file "$tmpdir/${env}-backup.json" --file "$env"
done
# Re-encryption does not revoke values the removed member could already decrypt; rotate those secrets
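
For Step 3 (Access Grant) and the GitHub Integration pattern above, an added example (not kiln's own code and not part of the original page): a pre-flight check that rejects truncated, multi-line or mistyped recipient keys, and confirms that the SSH key a member shared also appears in their GitHub key list before it reaches `kiln rekey`. All function names are hypothetical; the age check assumes native recipients of the form `age1` plus 58 Bech32 characters and does not verify the checksum.

```shell
# Added example, not kiln's own code; all function names are hypothetical.
NL='
'
# Constructed sample key (all-zero Ed25519 key), for illustration only.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI$(printf '%043d' 0 | tr 0 A)"

# check_recipient_key KEY: succeed only for one complete public key line.
check_recipient_key() {
  local key type blob embedded
  key=$1
  [ -n "$key" ] || return 1
  case $key in *"$NL"*) return 1 ;; esac   # several lines: key list or error page
  case $key in
    age1*)  # assumed native age recipient: "age1" + 58 Bech32 characters
      printf '%s\n' "$key" | LC_ALL=C grep -Eq '^age1[02-9ac-hj-np-z]{58}$'
      return ;;
    "ssh-ed25519 "*|"ssh-rsa "*) ;;
    *) return 1 ;;
  esac
  type=${key%% *}
  blob=${key#* }; blob=${blob%% *}         # drop the optional comment field
  # The decoded blob starts with a 4-byte length and then the key type,
  # which must agree with the type written in front of the blob.
  embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#type}")
  [ "$embedded" = "$type" ] || return 1
  # An Ed25519 blob is always 51 bytes, i.e. 68 base64 characters.
  [ "$type" != ssh-ed25519 ] || [ "${#blob}" -eq 68 ]
}

# key_in_list KEY LIST: succeed if KEY (type and blob) is a line of LIST,
# where LIST is the body served at https://github.com/<user>.keys.
key_in_list() {
  local want
  want=$(printf '%s\n' "$1" | cut -d' ' -f1,2)
  printf '%s\n' "$2" | cut -d' ' -f1,2 | grep -Fxq -- "$want"
}

# add_verified_recipient NAME KEY GITHUB_USER ENV (SSH keys only)
add_verified_recipient() {
  local listed
  check_recipient_key "$2" || { echo "rejected: malformed key for $1" >&2; return 1; }
  listed=$(curl -fsS "https://github.com/$3.keys") || return 1
  key_in_list "$2" "$listed" || { echo "rejected: key not listed for $3" >&2; return 1; }
  kiln rekey --file "$4" --add-recipient "$1=$2"
}
```

The placeholder values used on this page (`ssh-ed25519 AAAAC3...`, `age1new...key`) fail this check, so a copy-pasted example never ends up as a recipient.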