Create and Manage RBAC Roles Tutorial

In this tutorial, learn how to configure and use Role-Based Access Control (RBAC) for Armory Continuous Deployment-as-a-Service users.

Objectives

You are the CD-as-a-Service Organization Admin and lead a small development team that you want to invite to use CD-as-a-Service. Before you add your team, you need to create roles that define what a user can see in the UI.

In this tutorial, you learn how to:

Before you begin

Define and add RBAC roles

You want to create the following roles for your team:

| Name | Description | Tenant | Grant Type | Grant Resource | Grant Permission |
|------|-------------|--------|------------|----------------|------------------|
| Tenant Admin | Same grants as the Org Admin but scoped to the tenant | main | api | tenant | full |
| Deployer | Engineer who can deploy apps using the CLI and monitor in the UI | main | api | deployment | full |
| Tester | Tester who can deploy apps using the CLI and monitor in the UI | main | api | deployment | full |

Create a file called config.yml. Add the following content, which deliberately contains a few mistakes:

---
roles:
  - name: Tenant Admin
    tenant: main
    grants:
      - type: api
        resource: tenant
        permission: full
  - name: Deployer
    tenant: main
    grants:
      - type: api
        resource: tenant
        permission: full
  - name: Tester
    tenant: main
    grants:
      - type: api
        resource: tenant
        permission: full

In the directory where you saved your config.yml file, log into CD-as-a-Service using the CLI and then execute:

armory config apply -f config.yml

Then check that the roles are correct by executing:

armory config get

The output should match the contents of your config.yml file.

Invite users and assign roles

  1. Access the CD-as-a-Service Console.
  2. Navigate to Access Management > Users.
  3. Click Invite Users.
  4. Enter the new user’s full name in the Name field and the user’s email address in the Email field.
  5. Select the Tenant Admin role from the Roles drop-down list.
  6. Click Send Invitation.
  7. A modal window opens. Review the information and click OK to send the information or Cancel to return to the previous screen.

Repeat the process for the Deployer and Tester roles.

Modify your RBAC roles

Due to a hasty copy/paste, you inadvertently granted the Deployer and Tester roles full access to the main tenant. You need to change that. Also, since Deployer and Tester have the same grants, you want to eliminate the Tester role. You can do both in a single update to your config.yml file:

  1. Add the allowAutoDelete: true line and remove the Tester role entry.
  2. Change the grant resource from tenant to deployment in the Deployer role config.

Your config should look like this:

---
allowAutoDelete: true
roles:
  - name: Tenant Admin
    tenant: main
    grants:
      - type: api
        resource: tenant
        permission: full
  - name: Deployer
    tenant: main
    grants:
      - type: api
        resource: deployment
        permission: full

Execute:

armory config apply -f config.yml

Then check that the roles are correct by running:

armory config get

Lastly, since you eliminated the Tester role, you need to update the user you originally assigned the Tester role. Access that user in the Access Management > Users screen and edit the user to assign the Deployer role.
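
The two problems fixed by hand in this section (a full tenant grant copied onto non-admin roles, and roles with identical grants) can be caught before the config is applied. The following Ruby check is an added example, not part of the Armory tutorial or CLI; the review_roles function and the TENANT_ADMIN_ROLES allow list are hypothetical names, and the sample input is a constructed copy of the tutorial's first config.yml.

```ruby
require 'yaml'

# Assumption: only these role names may hold full access to a tenant.
TENANT_ADMIN_ROLES = ['Tenant Admin'].freeze

# Constructed sample: the tutorial's first config.yml, mistakes included.
FIRST_CONFIG = <<~YAML
  ---
  roles:
    - name: Tenant Admin
      tenant: main
      grants:
        - type: api
          resource: tenant
          permission: full
    - name: Deployer
      tenant: main
      grants:
        - type: api
          resource: tenant
          permission: full
    - name: Tester
      tenant: main
      grants:
        - type: api
          resource: tenant
          permission: full
YAML

# Returns a list of findings for a roles config supplied as YAML text.
def review_roles(yaml_text)
  roles = (YAML.safe_load(yaml_text) || {}).fetch('roles', [])
  findings = []
  roles.each do |role|
    next if TENANT_ADMIN_ROLES.include?(role['name'])
    broad = Array(role['grants']).any? do |g|
      g['resource'] == 'tenant' && g['permission'] == 'full'
    end
    findings << "#{role['name']}: full tenant grant on '#{role['tenant']}'" if broad
  end
  # Roles that share a tenant and an identical grant list are redundant.
  roles.group_by { |r| [r['tenant'], Array(r['grants'])] }.each_value do |same|
    names = same.map { |r| r['name'] }
    findings << "identical grants: #{names.join(', ')}" if names.size > 1
  end
  findings
end

puts review_roles(FIRST_CONFIG)
```

Run against the corrected config shown above, the function returns no findings, so it can gate the apply step in a pipeline.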

What’s next


Last modified July 28, 2023: (3f5e759)