Auth Propagation in Spinnaker Pipelines
Overview of Authentication and Authorization in Spinnaker
Both Armory and Open Source SpinnakerTM provide the same functionality for authentication (“authn”) and authorization (“authz”). You can find a full reference of how to set up both in the OSS Spinnaker documentation.
Authorization & Manual Judgments
The OSS docs explain that you can limit users’ access to both “accounts” and “applications” but doesn’t talk much about the interaction of the two.
In short, if you have access to an application, you can view the pipelines, and kick off a manual execution (even if you have “read only” access). However, if those pipelines need to do something in your cloud environments, you will still need to have read/write access to those environments. Since the pipeline will run its stages “as the user” that initiated the pipeline, the stages that attempt to write changes to the environment will fail if that user doesn’t have access to those environments.
There is one exception to this rule, and that is for Manual Judgment stages. You can configure a Manual Judgment stage to “Propagate Authentication”:
Checking this box will cause the pipeline to use the identity and authorizations of the user who approved the stage for all subsequent stages. By inserting a Manual Judgment stage with this option enabled into your pipeline before the actual deploy, you can allow users with limited access to kick off pipelines safely; a user with full access to the environment can then continue the pipeline successfully after approval.
Here are some other resources that may help you properly configure security in Spinnaker:
Was this page helpful?
Thank you for letting us know!
Sorry to hear that. Please tell us how we can improve.
Last modified December 10, 2021: (556c295)