Create an RBAC Role

Create an RBAC role using Armory CD-as-a-Service’s CLI.

Create a new RBAC role

By default, a new user has no permission to access functionality within CD-as-a-Service. You can assign a new user the Organization Admin role or create a custom role that defines what the user can see and do in the UI as well as from the CLI.

All users can start a deployment.

Before you begin

How to create a custom role

You define your roles in a YAML file using the following structure:

roles:
  - name: <role-name>
    tenant: <tenant-name>
    grants:
      - type: <grant-type>
        resource: <resource-type>
        permission: <permission-type>
  • name: (Required); String; name of the role

  • tenant: (Optional); String; name of the tenant; if omitted, the role is an organization-wide role, not bound to a specific tenant

  • grants: (Required); Dictionary

    • type: (Required); String; api
    • resource: (Required); String; one of organization, tenant, or deployment
    • permission: (Required); String; full

After you have defined your roles, use the CLI to add those roles to CD-as-a-Service.

armory login
armory config apply -f <path-to-rbac-config>.yml

You can check that you created your roles correctly by running armory config get.

Organization Admin is a system-defined role that does not appear in your RBAC config.

User role examples

Tenant Admin

A user with this role can access every screen in the main tenant and deploy apps using the CLI.

roles:
  - name: Tenant Admin
    tenant: main
    grants:
      - type: api
        resource: tenant
        permission: full

Deployer

A user with this role can only access the Deployments screen in the UI and deploy apps using the CLI.

roles:
  - name: Deployer
    tenant: main
    grants:
      - type: api
        resource: deployment
        permission: full

SSO roles

If your organization uses SSO with CD-as-a-Service, you must create your roles using the same names as your SSO groups. For example, your company has the following groups defined in its SSO provider:

  1. Engineering-Lead
  2. Engineering-Deployment
  3. Engineering-Infra

You want to use those groups in CD-as-a-Service, so you need to create roles for those SSO groups. In the following example, Engineering-Lead has a Tenant Admin role, and Engineering-Deployment and Engineering-Infra each have a deployment role.

roles:
  - name: Engineering-Lead
    tenant: main
    grants:
      - type: api
        resource: tenant
        permission: full
  - name: Engineering-Deployment
    tenant: main
    grants:
      - type: api
        resource: deployment
        permission: full
  - name: Engineering-Infra
    tenant: main
    grants:
      - type: api
        resource: deployment
        permission: full
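
A review you can run on a role file before `armory config apply`, as an added example that is not part of the Armory documentation or CLI: it checks each role against the fields listed on this page and compares role names with your SSO groups. `review_roles`, `SAMPLE` and `SSO_GROUPS` are hypothetical names, the sample data is constructed, and the config is assumed to be already parsed from YAML into a dict.

```python
# Added example: pre-apply review of an RBAC config against the fields this page lists.
ALLOWED = {"type": ("api",),
           "resource": ("organization", "tenant", "deployment"),
           "permission": ("full",)}

def review_roles(config, sso_groups=None):
    """Return (errors, warnings) for a config dict already parsed from YAML."""
    errors, warnings, names = [], [], []
    for i, role in enumerate(config.get("roles") or []):
        name = role.get("name")
        valid = isinstance(name, str) and bool(name.strip())
        label = name if valid else f"roles[{i}]"
        if valid:
            names.append(name)
        else:
            errors.append(f"{label}: 'name' is required")
        if not role.get("tenant"):
            warnings.append(f"{label}: no tenant, so the role is organization-wide")
        grants = role.get("grants")
        if not isinstance(grants, list) or not grants:
            errors.append(f"{label}: 'grants' is required")
            continue
        for grant in grants:
            for key, allowed in ALLOWED.items():
                if grant.get(key) not in allowed:
                    errors.append(f"{label}: {key}={grant.get(key)!r} not in {list(allowed)}")
            # Reviewer heuristic (assumption): anything wider than 'deployment' gets a second look.
            if grant.get("resource") in ("organization", "tenant"):
                warnings.append(f"{label}: grant on '{grant['resource']}', confirm it is intended")
    # The page requires role names to equal SSO group names; a case mismatch is a likely typo.
    for group in sorted(set(sso_groups or []) - set(names)):
        near = [n for n in names if n.lower() == group.lower()]
        hint = f" (near match: {near[0]!r})" if near else ""
        warnings.append(f"SSO group {group!r} has no role with the same name{hint}")
    return errors, warnings

# Constructed sample: one role name differs in case from its SSO group, omits the
# tenant, and misspells the resource type.
SAMPLE = {"roles": [
    {"name": "Engineering-Lead", "tenant": "main",
     "grants": [{"type": "api", "resource": "tenant", "permission": "full"}]},
    {"name": "engineering-deployment",
     "grants": [{"type": "api", "resource": "deployments", "permission": "full"}]},
]}
SSO_GROUPS = ["Engineering-Lead", "Engineering-Deployment"]

if __name__ == "__main__":
    errs, warns = review_roles(SAMPLE, SSO_GROUPS)
    print("\n".join(["ERROR " + e for e in errs] + ["WARN  " + w for w in warns]))
```

Treat any reported error as a reason not to apply the file, and read each warning as a least-privilege question to answer before the role reaches users.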

Last modified October 27, 2022: (a80a18d5)