Enable and Configure AuthZ in the GitHub Integration Plugin
AuthZ plugin overview
This feature enables AuthZ support for GitHub App accounts and provides the following benefits:
Compliance and Security
AuthZ for GitHub App accounts lets you enforce access controls on a per-account basis, restricting access to specific repositories and/or GitHub organizations to authorized groups or teams only.
AuthZ for GitHub App accounts provides granular control over who can perform actions within each account. This fine-grained permission control is crucial for maintaining the principle of least privilege, where users have only the access they need to perform their tasks, reducing the overall attack surface.
AuthZ for GitHub App accounts scales effectively as the number of accounts grows. This scalability is essential for organizations managing diverse and expanding infrastructure, ensuring that access controls remain manageable and effective.
Fiat is the Spinnaker microservice responsible for authorization (authz) for the other Spinnaker services. It is not enabled by default, so without it users are able to perform any action in Spinnaker. When enabled, Fiat checks the user’s permissions before allowing the action to proceed.
How this feature works
The GitHub Integration plugin supports Fiat authz for GitHub App accounts, using each account’s configured permissions to determine whether a role or group can perform the following actions:
READ: A user can view the GitHub App account’s configuration and/or use it as a trigger source.
WRITE: A user can use the GitHub App account as the target account for the GitHub integration plugin stages.
```mermaid
sequenceDiagram
    participant user as User
    participant gate as Gate
    participant orca as Orca
    participant igor as Igor
    participant fiat as Fiat
    participant gh as GitHub
    user ->> gate: Start execution for pipeline (includes plugin stage)
    gate ->> orca: Submit execution for pipeline (includes plugin stage)
    orca ->> igor: Submit the task operations of plugin stage
    igor ->> fiat: Check hasPermissions
    alt Unauthorized
        fiat ->> igor: hasPermissions=false
        igor ->> orca: Fail with Forbidden
        orca ->> gate: TERMINAL
    else Authorized
        fiat ->> igor: hasPermissions=true
        igor ->> orca: IN_PROGRESS
        igor ->> gh: API calls
        orca ->> gate: IN_PROGRESS
    end
```
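The following is an added illustration, not code from this page or from the GitHub Integration plugin itself. It models the READ/WRITE decision described above and the Igor-to-Fiat branch in the sequence diagram: given a user's roles and a per-account permissions block, it answers whether the user may view or trigger from the account (READ) or use it as a stage target (WRITE), and what the execution status becomes when the check fails. The account names, role names and the exact shape of the permissions block are constructed assumptions; the layout follows the READ/WRITE list convention other Spinnaker account types use and may not match `github-integration-plugin.yml` exactly.

```python
"""Added example (not from the Armory page or the GitHub Integration plugin's
source): a minimal model of the per-account READ/WRITE check that Fiat performs
for Igor before a plugin stage runs against a GitHub App account."""
from typing import Dict, Iterable, List

# Constructed sample accounts. The layout (one READ list and one WRITE list of
# role names per account) follows the permissions convention other Spinnaker
# account types use; that it matches github-integration-plugin.yml exactly is an
# ASSUMPTION of this example.
ACCOUNTS: Dict[str, Dict[str, List[str]]] = {
    "platform-org": {"READ": ["platform-team", "release-managers"],
                     "WRITE": ["release-managers"]},
    "sandbox-org": {"READ": ["developers"], "WRITE": ["developers"]},
    "legacy-org": {},  # no permissions block configured
}

# The two authorizations the page describes for GitHub App accounts.
ACTIONS = ("READ", "WRITE")


def has_permission(account: str, action: str, user_roles: Iterable[str],
                   accounts: Dict[str, Dict[str, List[str]]] = ACCOUNTS,
                   missing_permissions_allow: bool = True) -> bool:
    """Return True if any of the user's roles grants `action` on `account`.

    Unknown accounts and unknown actions fail closed. An account with no
    permissions block is treated as unrestricted, mirroring Fiat's handling
    of resources that carry no permissions; pass
    missing_permissions_allow=False to model a fail-closed deployment.
    """
    if action not in ACTIONS:
        return False
    perms = accounts.get(account)
    if perms is None:
        return False
    if not perms:
        return missing_permissions_allow
    allowed = set(perms.get(action, []))
    return any(role in allowed for role in user_roles)


def stage_decision(account: str, user_roles: Iterable[str],
                   accounts: Dict[str, Dict[str, List[str]]] = ACCOUNTS) -> str:
    """Model Igor's branch in the sequence diagram: a plugin stage targeting
    `account` needs WRITE; without it Igor fails the task with Forbidden and
    the execution ends TERMINAL, otherwise it calls GitHub and reports
    IN_PROGRESS."""
    if has_permission(account, "WRITE", user_roles, accounts):
        return "IN_PROGRESS"
    return "TERMINAL"


def unrestricted_accounts(
        accounts: Dict[str, Dict[str, List[str]]] = ACCOUNTS) -> List[str]:
    """Review helper: list accounts that carry no permissions block, since
    every authenticated user can read and write through them."""
    return sorted(name for name, perms in accounts.items() if not perms)


if __name__ == "__main__":
    for roles in (["platform-team"], ["release-managers"], ["contractor"]):
        print(roles, "READ:", has_permission("platform-org", "READ", roles),
              "stage:", stage_decision("platform-org", roles))
    print("unrestricted accounts:", unrestricted_accounts())
```

The `unrestricted_accounts` helper is the check worth running over a real configuration after enabling Fiat: an account with no permissions block gives WRITE to everyone, which is the opposite of the least-privilege outcome the feature is meant to deliver.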
Before you begin
- You are familiar with how Spinnaker’s AuthZ works.
- You have read the GitHub Integration Plugin overview.
- You have enabled Fiat in your Spinnaker or Armory CD instance integrated with an external identity provider (IDP).
How to enable AuthZ support
You can enable AuthZ support per GitHub App account by setting the permissions block in the github-integration-plugin.yml file. For example:
Last modified December 12, 2023: (4f38446f)