Create Argo CD local users

ismail yenigül
FAUN — Developer Community 🐾
Mar 11, 2021

By default, Argo CD has only one built-in user, admin. If you want to create new users, you must configure k8s ConfigMaps.

In this example, I will explain how to create local users, define custom permissions for them and set their passwords. I installed argocd with the Helm chart at https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd

We are going to update the config: and rbacConfig: sections of the Helm chart values in values.yaml.

Create users

We will create three users (qauser, devuser and adminuser) by adding an accounts.username: login statement for each, as below, in the config: section of values.yaml. This updates the argocd-cm ConfigMap.

config:
  # Local accounts: "login" allows UI/CLI login, "apiKey" allows generating API tokens
  accounts.qauser: apiKey, login
  accounts.devuser: apiKey, login
  accounts.adminuser: apiKey, login

Create role/permissions set

We need to update the rbacConfig: section of the Helm values.yaml, which updates the argocd-rbac-cm ConfigMap in k8s.

Policy rules are in the form:

p, subject, resource, action, object, effect

where subject can be a role, user or group. You can grant a role to a user or group with:

g, subject, inherited-subject

You can get a full list of resources, actions and objects at

https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv

rbacConfig:
  policy.default: role:readonly
  # policy.csv is a file containing user-defined RBAC policies and role definitions (optional).
  # Policy rules are in the form:
  #   p, subject, resource, action, object, effect
  # Role definitions and bindings are in the form:
  #   g, subject, inherited-subject
  # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information.
  policy.csv: |
    p, role:qa, applications, *, */*, allow
    p, role:dev, applications, *, */*, allow
    p, role:dev, projects, *, *, allow
    p, role:dev, repositories, *, *, allow
    g, adminuser, role:admin
    g, devuser, role:dev
    g, qauser, role:qa

You can get both values from

In the rbacConfig above, we set the default permission to read-only with the policy.default: role:readonly statement. This default role applies to every authenticated user, so if you set it to role:admin, the policies in policy.csv will be obsolete.

With the above policy.csv we created two roles, role:qa and role:dev. qa can only manage applications, but dev can also manage projects and repositories.

Finally, I attached adminuser to the built-in role role:admin.
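The policy above can be checked offline with a small model of how it is evaluated. This is an added example, not code from this article or from Argo CD: a simplified evaluator that assumes glob matching via fnmatch, a constructed two-line stand-in for the built-in roles, and hypothetical helper names (parse, subjects_of, allowed, can), run against the policy.csv shown above with policy.default as the fallback.

```python
# Added example: simplified model of Argo CD RBAC checks, not Argo CD's implementation.
from fnmatch import fnmatchcase

# Constructed stand-in for Argo CD's built-in roles (real ones: builtin-policy.csv).
BUILTIN = "p, role:readonly, *, get, *, allow\np, role:admin, *, *, *, allow\n"

# policy.csv as given in the rbacConfig section above.
POLICY = """
p, role:qa, applications, *, */*, allow
p, role:dev, applications, *, */*, allow
p, role:dev, projects, *, *, allow
p, role:dev, repositories, *, *, allow
g, adminuser, role:admin
g, devuser, role:dev
g, qauser, role:qa
"""

def parse(csv_text):
    """Split policy text into permission rules (p) and role bindings (g)."""
    rules, bindings = [], []
    for line in csv_text.splitlines():
        kind, *fields = [f.strip() for f in line.split(",")]
        if kind == "p" and len(fields) == 5:
            rules.append(fields)
        elif kind == "g" and len(fields) == 2:
            bindings.append(fields)
    return rules, bindings

def subjects_of(subject, bindings):
    """The subject plus every role reachable through g bindings."""
    seen, todo = set(), [subject]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo += [role for member, role in bindings if member == s]
    return seen

def allowed(subject, request, rules, bindings):
    """Allow when some matching rule allows and no matching rule denies."""
    subjects = subjects_of(subject, bindings)
    hits = [r[4] for r in rules if r[0] in subjects
            and all(fnmatchcase(v, pat) for v, pat in zip(request, r[1:4]))]
    return "allow" in hits and "deny" not in hits

def can(user, resource, action, obj, default="role:readonly", policy=POLICY):
    """Check the user's own roles first, then fall back to policy.default."""
    parsed, request = parse(BUILTIN + policy), (resource, action, obj)
    return allowed(user, request, *parsed) or allowed(default, request, *parsed)
```

With the default of role:readonly, `can("qauser", "repositories", "create", ...)` is False while the same call for devuser is True; passing `default="role:admin"` makes every request return True for every user, which is why that setting makes policy.csv obsolete.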

Save the file and run helm upgrade without custom parameters.

Set password

We must log in to argocd to be able to set passwords for the new users. In order to do it, I would log in to the EKS cluster and access argocd with the port-forwarding option, because if you are exposing an internal/external ELB via ingress, you might get

FATA[0008] rpc error: code = Unknown desc =

In order to log in to the argocd pod directly, log in to the EKS/K8s cluster. Update your kubeconfig for the k8s cluster running argocd. I assume that you can configure access to your cluster.

Login to argocd

Run the following command to access argocd. Change the namespace if you are using a different one.

$ argocd login --port-forward  --port-forward-namespace argocd --plaintext
Username: admin
Password:
'admin' logged in successfully

List Users

$ argocd account list --port-forward --port-forward-namespace argocd --plaintext
NAME       ENABLED  CAPABILITIES
admin      true     login
qauser     true     apiKey, login
devuser    true     apiKey, login
adminuser  true     apiKey, login

Set Password for each user.

It is strange that you must also provide your current admin password to set the password for the new users.

$ argocd account update-password --account qauser --current-password 'myadminpassword' --new-password mysecurepass --port-forward --port-forward-namespace argocd --plaintext
$ argocd account update-password --account devuser --current-password 'myadminpassword' --new-password mysecurepass2 --port-forward --port-forward-namespace argocd --plaintext
$ argocd account update-password --account adminuser --current-password 'myadminpassword' --new-password mysecurepass3 --port-forward --port-forward-namespace argocd --plaintext

Now your new users can access the argocd web UI.

UPDATE: Argo CD introduced a web shell feature in v2.4. If you enable it, it will work only for the admin user. If you want to allow other users to access the terminal, you should grant access to the exec resource in the above policies.

See https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#exec-resource for details.
