Auth Propagation in Spinnaker Pipelines

Overview of Authentication and Authorization in Spinnaker

Both Armory Continuous Deployment and Spinnaker^TM provide the same functionality for authentication (“authn”) and authorization (“authz”). You can find a full reference of how to set up both in the Spinnaker documentation.

Authorization & Manual Judgments

The Spinnaker docs explain that you can limit users’ access to both “accounts” and “applications” but doesn’t talk much about the interaction of the two.

In short, if you have access to an application, you can view the pipelines, and kick off a manual execution (even if you have “read only” access). However, if those pipelines need to do something in your cloud environments, you will still need to have read/write access to those environments. Since the pipeline will run its stages “as the user” that initiated the pipeline, the stages that attempt to write changes to the environment will fail if that user doesn’t have access to those environments.

There is one exception to this rule, and that is for Manual Judgment stages. You can configure a Manual Judgment stage to “Propagate Authentication”:

Checking this box will cause the pipeline to use the identity and authorizations of the user who approved the stage for all subsequent stages. By inserting a Manual Judgment stage with this option enabled into your pipeline before the actual deploy, you can allow users with limited access to kick off pipelines safely; a user with full access to the environment can then continue the pipeline successfully after approval.