Create Argo CD local users
By default, Argo CD has only one built-in user, admin. If you want to create new users, you must configure k8s configmaps.
In this example, I will explain how to create local users, give them custom permissions, and set their passwords. I installed Argo CD with the Helm chart at https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
We are going to update the config: and rbacConfig: sections of the Helm chart values in values.yaml.
Create users
We will create three users (qauser, devuser and adminuser) by adding an accounts.<username>: login entry for each of them in the config: section of values.yaml. This updates the argocd-cm configmap.
```yaml
config:
  # Argo CD's externally facing base URL (optional). Required when configuring SSO
  accounts.qauser: apiKey, login
  accounts.devuser: apiKey, login
  accounts.adminuser: apiKey, login
```
Create role/permissions set
We need to update the rbacConfig: section of the Helm values.yaml; this updates the argocd-rbac-cm configmap in k8s.
Policy rules are in the form p, subject, resource, action, object, effect, where subject can be a role, user or group, and you can grant a role to a user or group with g, subject, inherited-subject.
You can get the full list of resources, actions and objects at https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv
```yaml
rbacConfig:
  policy.default: role:readonly
  #{}
  # policy.csv is a file containing user-defined RBAC policies and role definitions (optional).
  # Policy rules are in the form:
  # p, subject, resource, action, object, effect
  # Role definitions and bindings are in the form:
  # g, subject, inherited-subject
  # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information.
  policy.csv: |
    p, role:qa, applications, *, */*, allow
    p, role:dev, applications, *, */*, allow
    p, role:dev, projects, *, *, allow
    p, role:dev, repositories, *, *, allow
    g, adminuser, role:admin
    g, devuser, role:dev
    g, qauser, role:qa
```
You can get both values from
In the above rbacConfig we set the default permission to readonly with the policy.default: role:readonly statement. If you set this to role:admin instead, the policies in policy.csv become pointless, because every logged-in user already gets full admin rights.
With the above policy.csv we created two roles, role:qa and role:dev: qa can only manage applications, while dev can also manage projects and repositories.
Finally, I attached adminuser to the built-in role role:admin. Save the file and run helm upgrade without custom parameters.
Set password
We must log in to argocd to be able to set passwords for the new users. To do that, I log in to the EKS cluster and access argocd with the port-forward option, because if you are exposing it through an internal/external ELB via ingress, you might get an error like:
```
FATA[0008] rpc error: code = Unknown desc =
```
In order to log in to the argocd pod directly, log in to your EKS/k8s cluster and update your kubeconfig to point at the cluster running argocd. I assume you already have access to your cluster configured.
Login to argocd
Run the following command to access argocd. Change the namespace if you are using a different one.
```
$ argocd login --port-forward --port-forward-namespace argocd --plaintext
Username: admin
Password:
'admin' logged in successfully
```
List Users
```
$ argocd account list --port-forward --port-forward-namespace argocd --plaintext
NAME       ENABLED  CAPABILITIES
admin      true     login
qauser     true     apiKey, login
devuser    true     apiKey, login
adminuser  true     apiKey, login
```
Set Password for each user.
It is strange that you must also provide your current admin password to set the password for the new users.
```
$ argocd account update-password --account qauser --current-password 'myadminpassword' --new-password mysecurepass --port-forward --port-forward-namespace argocd --plaintext
$ argocd account update-password --account devuser --current-password 'myadminpassword' --new-password mysecurepass2 --port-forward --port-forward-namespace argocd --plaintext
$ argocd account update-password --account adminuser --current-password 'myadminpassword' --new-password mysecurepass3 --port-forward --port-forward-namespace argocd --plaintext
```
Now your new users can access the argocd web UI. Keep in mind that passwords given as command-line flags end up in your shell history; if you omit the --current-password and --new-password flags, the CLI prompts for them interactively instead.
UPDATE: Argo CD introduced a web shell (terminal) feature in v2.4. If you enable it, it works only for the admin user. If you want to allow other users to access the terminal, you must also grant them the exec resource in the above policies.
See https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#exec-resource for details.
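To check what the policy.csv above actually grants before running helm upgrade, and to see what adding an exec rule from the update changes, here is a small policy evaluator. It is an added example, not code from the original post or from Argo CD itself: it treats * and */* as shell-style globs, uses simplified stand-ins for the built-in role:admin and role:readonly instead of the real builtin-policy.csv, and takes the exec/create rule from the linked docs.

```python
import fnmatch
# policy.csv exactly as in the post's rbacConfig.
POLICY_CSV = """\
p, role:qa, applications, *, */*, allow
p, role:dev, applications, *, */*, allow
p, role:dev, projects, *, *, allow
p, role:dev, repositories, *, *, allow
g, adminuser, role:admin
g, devuser, role:dev
g, qauser, role:qa
"""
# Assumed stand-ins for the built-in roles (the real builtin-policy.csv is finer-grained).
BUILTIN_CSV = """\
p, role:admin, *, *, *, allow
p, role:readonly, *, get, *, allow
"""

def parse_policy(csv_text):
    rules, bindings = [], {}  # p-rules as 5-tuples, g-bindings as subject -> {inherited}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # subject, resource, action, object, effect
        elif fields[0] == "g" and len(fields) == 3:
            bindings.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")  # fail closed on typos
    return rules, bindings

def subjects_for(user, bindings, default_role):
    subjects, stack = {user, default_role}, [user]  # everyone also holds policy.default (simplified)
    while stack:  # walk g-bindings transitively (user -> role -> role ...)
        new = bindings.get(stack.pop(), set()) - subjects
        subjects |= new
        stack.extend(new)
    return subjects

def enforce(user, resource, action, obj, policy_csv=POLICY_CSV, default_role="role:readonly"):
    rules, bindings = parse_policy(BUILTIN_CSV + policy_csv)
    subjects = subjects_for(user, bindings, default_role)
    allowed = denied = False
    for subject, res, act, pattern, effect in rules:  # '*' and '*/*' treated as shell globs (assumed)
        if subject in subjects and all(
                fnmatch.fnmatchcase(v, p) for v, p in ((resource, res), (action, act), (obj, pattern))):
            allowed |= effect == "allow"
            denied |= effect == "deny"
    return allowed and not denied  # any matching deny wins
```

Running enforce("qauser", "exec", "create", "default/guestbook") returns False with the post's policy and True once a line like p, role:qa, exec, create, */*, allow is appended, which is exactly the change the update describes.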