Assigning Roles
You can statically assign permissions to robot/service accounts using the wf assign CLI command. You cannot assign permissions to a human user.
Workspace administrators can control and constrain which permissions can be assigned to a robot, and who can perform those assignments. For information on how a workspace administrator configures this, see Creating Assignment Policies.
All policy assignments are controlled via the wf assign role command:
- On issuing the command you are prompted for the role you wish to assign.
- The next phase asks whom you wish to assign the permission to: a specific robot, all robots, etc.
- If the role you are assigning requires parameters, these are requested.
- Once all the parameters are assembled the request is passed to Wayfinder to verify and, if permitted, assign the permissions.
Assign a role
Example use case: In this example, you need a robot for CI to build and deploy an application into the namespace.
To do this, you will create a robot and then assign permissions to it.
Create a robot
In this example, you create a robot named app1.
To create a robot, run the following:
$ wf create robot app1 --show-config
✔ Please provides a description of use for this account: Robot used to deploy application 1
feature-gates:
  application_services: true
  monitoring_services: false
  services: true
profiles:
  default:
    server: default
    workspace: devs
    user: default
servers:
  default:
    server: http://localhost:10080
users:
  default:
    wf-identity:
      refresh-token: <TOKEN>
version: latest
Note
--show-config provides a convenience method producing a Wayfinder CLI configuration that can be copied as a whole into your chosen CI as a secret, or placed in a local file to test the robot.
Assign permissions to the robot
To assign permissions to a robot, run wf assign role, select the role and the robot, and respond to the prompts for parameters. The parameters depend on the role selected. Example:
$ wf assign role
? Which role would you like to use?
▸ cluster.deployment
Name:cluster.deployment
Owner:devs
Provides a deployment permission set which can be used by robot
accounts to deploy their applications in a namespace.
Note the policy is intentionally locked down per namespace, per
cluster to ensure use of a different token per application.
In this example, you selected the cluster.deployment role, and the robot account app1 to assign the permissions to. Two parameters are required for this role, the cluster and the namespace. Example response:
$ wf assign role
✔ You have choosen the role: "cluster.deployment"
✔ Policy will apply to robot: app1
✔ This role has a number of 2 parameters associated
◉ The role has a required value: "cluster" (single)
✔ You have selected eks-dev as the cluster:
◉ The role has a required value: "namespace" (single)
✔ You have selected test as the namespace:
Plan has been successfully assigned to subject/s
At this point the permissions are assigned to the robot.
To verify the policy assigned to this robot, run either of the following commands:
- wf get policy --robot ROBOT-NAME (mini view)
- wf get policy --robot app1 --all (detailed view)
Example:
$ wf get policy --robot app1
NAME                               COMPLIANCE  PLAN                ENABLED  STATUS   AGE
cluster.deployment-assign-d5q7x    none        cluster.deployment  true     Success  11m
# See all policies attached, including policies generated by the application of the role, using
# --all:
$ wf get policy --robot app1 --all
NAME                                   COMPLIANCE  PLAN                ENABLED  STATUS   AGE
cluster.deployment-api-p2bbg           default     -                   true     Success  12m
cluster.deployment-assign-d5q7x        none        cluster.deployment  true     Success  12m
cluster.deployment-clusterwide-ps86l   default     -                   true     Success  12m
cluster.deployment-namespace-7g95c     default     -                   true     Success  12m
Note
The mini view provides just the assignment: the policy cluster.deployment-assign-d5q7x references the role cluster.deployment. The detailed view shows how these parameters explode out into three separate policies targeting the Wayfinder API, the selected cluster, and the selected namespace.
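Because the detailed view lists every policy a robot token carries, it is a useful place to check that a CI robot holds exactly the role you assigned and nothing else. The following shell check is an added example, not part of the Wayfinder documentation: it parses the --all output, confirms that every attached policy derives from the expected role, is enabled and reports Success, and that exactly one assignment references the role's plan. The sample output is constructed from the table above; pipe the real command into check_policies in practice.

```bash
#!/bin/sh
# Constructed sample of `wf get policy --robot app1 --all` output, in the
# column layout shown in the documentation (NAME COMPLIANCE PLAN ENABLED STATUS AGE).
SAMPLE_POLICIES='NAME COMPLIANCE PLAN ENABLED STATUS AGE
cluster.deployment-api-p2bbg default - true Success 12m
cluster.deployment-assign-d5q7x none cluster.deployment true Success 12m
cluster.deployment-clusterwide-ps86l default - true Success 12m
cluster.deployment-namespace-7g95c default - true Success 12m'

# check_policies PLAN  (reads the policy table on stdin)
# Exit 0 only if: every policy name is derived from PLAN (no policies from
# another role are attached), every policy is ENABLED=true with STATUS=Success,
# and exactly one policy (the assignment) references PLAN in its PLAN column.
check_policies() {
  plan="$1"
  awk -v plan="$plan" '
    NR == 1 { next }                                   # skip the header row
    NF < 6 { bad++; next }                             # malformed row
    $4 != "true" || $5 != "Success" { bad++ }          # disabled or not applied
    index($1, plan "-") != 1 { foreign++ }             # not generated by this role
    $3 == plan { assigns++ }                           # the assignment policy itself
    END { if (bad == 0 && foreign == 0 && assigns == 1) exit 0; exit 1 }
  '
}

# audit_robot ROBOT PLAN: run the real command against a robot (hypothetical helper).
audit_robot() {
  wf get policy --robot "$1" --all | check_policies "$2"
}

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_POLICIES" | check_policies cluster.deployment; then
  echo "app1 carries only cluster.deployment policies, all enabled and Success"
else
  echo "unexpected policy state for app1" >&2
fi
```

A non-zero exit from audit_robot in a scheduled job flags a robot whose policies were disabled, failed to apply, or were extended beyond the role it was assigned.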
What if I can't find the right role?
If you can't find a role with the required permissions, contact the workspace administrator. They will have to create a role permitting the functionality, and assign you the permission to use it. You can understand more about that process in Creating Assignment Policies.