Skip to main content
Version: 1.3

Assigning Roles

You can statically assign permissions to robot/service accounts using the wf assign CLI command. You cannot assign permissions to a human user.

Workspace administrators can control and constrain which permissions can be assigned to a robot, and who can perform those assignments. For information on how a workspace administrator configures this, see Creating Assignment Policies.

All policy assignments are controlled via the wf assign role command:

  • On issuing the command you are prompted for the role you wish to assign.
  • The next phase asks whom you wish to assign the permission to: a specific robot, all robots, etc.
  • If the role you are assigning requires parameters, these are requested.
  • Once all the parameters are assembled the request is passed to Wayfinder to verify and, if permitted, assign the permissions.

Assign a role​

Example use case: In this example, you need a robot for CI to build and deploy an application into the namespace.

To do this, you will:

  1. Create a robot.
  2. Assign permissions to the robot.

Create a robot​

In this example, you create a robot named app1.

To create a robot, run the following:

  1. Run the following:

    $ wf create robot app1 --show-config
    ✔ Please provides a description of use for this account: Robot used to deploy application 1█
    feature-gates:
      application_services: true
      monitoring_services: false
      services: true
    profiles:
      default:
        server: default
        workspace: devs
        user: default
    servers:
      default:
        server: http://localhost:10080
    users:
      default:
        wf-identity:
          refresh-token: <TOKEN>
    version: latest
    Note

    --show-config provides a convenience method producing a Wayfinder CLI configuration that can be copied as a whole into your chosen CI as a secret, or placed in a local file to test the robot.

Assign permissions to the robot​

To assign permissions to a robot, you run the wf assign role command and select a role, as shown in the following example:

To assign permissions to the robot:

  1. Run wf assign role, select the role and the robot, and respond to the prompts for parameters. The parameters depend on the role selected. Example:

    $ wf assign role
    ? Which role would you like to use?
      â–¸ cluster.deployment

    Name:cluster.deployment
    Owner:devs

    Provides a deployment permission set which can be used by robot
    accounts to deploy their applications in a namespace.
    Note the policy is intentionally locked down per namespace, per
    cluster to ensure use of a different token per application.

    In this example, you selected the cluster.deployment role, and the robot account app1 to assign the permissions to. Two parameters are required for this role, the cluster and namespace. Example response:

    $ wf assign role
    ✔ You have choosen the role: "cluster.deployment"
    ✔ Policy will apply to robot: app1
    ✔ This role has a number of 2 parameters associated
    â—‰ The role has a required value: "cluster" (single)
    ✔ You have selected eks-dev as the cluster:
    â—‰ The role has a required value: "namespace" (single)
    ✔ You have selected test as the namespace:
    Plan has been successfully assigned to subject/s

    At this point the permissions are assigned to the robot.

  2. To verify the policy assigned to this robot, run either of the following commands:

    wf get policy --robot ROBOT-NAME (mini view)

    wf get policy --robot app1 --all (detailed view)

    Example:

    $ wf get policy --robot app1
    NAME                            COMPLIANCE    PLAN               ENABLED    STATUS     AGE
    cluster.deployment-assign-d5q7x    none          cluster.deployment    true       Success    11m

    # See all policies attached, including policies generated by the application of the role, using
    # --all:
    $ wf get policy --robot app1 --all
    NAME                                 COMPLIANCE    PLAN               ENABLED    STATUS     AGE
    cluster.deployment-api-p2bbg         default       -                  true       Success    12m
    cluster.deployment-assign-d5q7x      none          cluster.deployment true       Success    12m
    cluster.deployment-clusterwide-ps86l default       -                  true       Success    12m
    cluster.deployment-namespace-7g95c   default       -                  true       Success    12m
    Note

    The mini view provides just the assignment: The policy cluster.deployment-assign-d5q7x references the role cluster.deployment. The detailed view shows how these parameters explode out into three separate policies targeting the Wayfinder API, the selected cluster, and the selected namespace.

What if I can't find the right role?​

In you can't find a role with the required permissions, contact the workspace administrator. They will have to create a role permitting the functionality, and assign you the permission to use it. You can understand more about that process in Creating Assignment Policies.

Last updated on 14 Apr 2022