{"id":400,"date":"2024-04-29T10:18:12","date_gmt":"2024-04-29T10:18:12","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=400"},"modified":"2024-04-29T10:18:12","modified_gmt":"2024-04-29T10:18:12","slug":"create-a-new-account-in-argo-cd","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=400","title":{"rendered":"How to Create a New Account in Argo CD and Configure RBAC"},"content":{"rendered":"

In this guide, we will learn about Argo CD Accounts, RBAC, creating a new account in Argo CD, and configuring RBAC for the account.<\/p>\n

What are Accounts on Argo CD?<\/h2>\n

In Argo CD, accounts refer to the identities of users who have permission to access the Argo CD server through the UI or CLI.<\/p>\n

Initially, Argo CD only had an admin user with full permission on Argo CD, then user accounts are created for every user with limited permissions by the admin user.<\/p>\n

During the user account creation, the admin can assign two types of permissions:<\/p>\n

    \n
  1. login – which gives UI access to users<\/li>\n
  2. apikey – this allows users to create their own API tokens for access.<\/li>\n<\/ol>\n

    We can create and disable accounts using the argocd-cm<\/strong> configmap, where every account’s details are stored; we can even disable the admin user using the argocd-cm<\/strong> configmap.<\/p>\n

    What is Argo CD RBAC?<\/h2>\n

    Argo CD RBAC is used to provide granular permissions for every user and group available on Argo CD.<\/p>\n

    By giving the least permission to a user according to their task helps to increase the security of Argo CD.<\/p>\n

    With the help of RBAC, only users with permission can access the resources on Argo CD.<\/p>\n

    For example, if an application is deployed using Argo CD, the user who has permission on the application can only make changes to the application.<\/p>\n

    If a user without permission on the application tries to make any changes, they will receive an unauthorized error.<\/p>\n

    Argo CD RBAC provides permission for the following<\/p>\n

      \n
    1. Users – Assign every user with specific permissions on Argo CD.<\/li>\n
    2. Groups – Using this you can add multiple users to the group and the permissions given to the group are applied for every user in the group.<\/li>\n
    3. Argo CD Resources – Gives permission to Argo CD resources like applications, projects, etc.<\/li>\n
    4. Actions on Argo CD – Allow users to perform specific actions on Argo CD like creating an application or deleting it.<\/li>\n<\/ol>\n

      Argo CD New Account & RBAC Workflow<\/h2>\n

      The diagram given below is the workflow for creating new account in Argo CD and RBAC<\/p>\n

      \"Argo<\/figure>\n

      Let me explain the diagram<\/p>\n

        \n
      1. Let’s start with the bottom block in which a user creates a new account on Argo CD and add RBAC rules to the new account via Argo CD CLI using configmaps.<\/li>\n
      2. You will learn about creating accounts and adding RBAC to the user account in the below example.<\/li>\n
      3. The top block shows how RBAC works when a user performs any actions using the new account.<\/li>\n
      4. In the diagram, a user tries to delete an application on Argo CD using the new account.<\/li>\n
      5. If the account has RBAC policy to delete the application the application will get deleted or else the user will get a permission denied message.<\/li>\n<\/ol>\n

        First, let’s start with creating a new account on Argo CD.<\/p>\n

        Create a New Account in Argo CD<\/h2>\n

        Before starting the process, make sure you have installed argocd-cli<\/a> on your system.<\/p>\n

        If you have installed Argo CD CLI run the following command to log in to Argo CD.<\/p>\n

        argocd login <url>:<port> --username <username> --password <password><\/code><\/pre>\n
        Make sure to replace the bolded letters in the above command with your Argo CD URL, port, username, and password.<\/p>\n
        As an initial step let’s list every account in Argo CD using the command given below<\/p>\n
        argocd account list<\/code><\/pre>\n
        You will get every available account on your Argo CD as shown below, my Argo CD only has an admin account so it’s only showing it<\/p>\n
        \"listing<\/figure>\n
        Now add a new account using Argo CDs configmap, to do that get the configmap argocd-cm<\/strong> by running the following command<\/p>\n
        kubectl get configmap argocd-cm -n argocd -o yaml > argocd-cm.yaml<\/code><\/pre>\n
        To add a new account, open the configmap file argocd-cm.yaml<\/strong> and add the following line under data<\/p>\n
        data:\n  accounts.crunchops: login<\/code><\/pre>\n
        Now run the following command to apply the changes made in Argo CDs configmap<\/p>\n
        kubectl apply -n argocd  -f argocd-cm.yaml<\/code><\/pre>\n
        Once it is executed, you can verify if your account has been added to Argo CD using the account list command<\/p>\n
        argocd account list<\/code><\/pre>\n
        You can see your account has been successfully added to Argo CD<\/p>\n
        \"listing<\/figure>\n
        For more information on Argo CD Account creation refer this<\/a> document.<\/p>\n
        Configure RBAC for the Account<\/h2>\n
        We are going to use the argocd-rbac-cm<\/strong> configmap file of Argo CD to configure RBAC, to get the RBAC configmap file run the following command<\/p>\n
        kubectl get configmap argocd-rbac-cm -n argocd -o yaml > argocd-rbac-cm.yml<\/code><\/pre>\n
        Now open the configmap file, for the newly created account I am only going to give read-only<\/strong> access, to do that add the following line in the argocd-rbac-cm<\/strong> file under data<\/strong><\/p>\n
        data:\n  policy.csv: |\n    p, role:readonly, applications, get, *, allow\n    g, crunchops, role:readonly<\/code><\/pre>\n
        If you want to give other permission to the account you can replace readonly<\/strong> with readwrite, readexecute, or specify admin to give admin permissions.<\/p>\n
        Run the following command to update RBAC<\/p>\n
        kubectl apply -n argocd -f argocd-rbac-cm.yml<\/code><\/pre>\n
        The final step is to create a new password for the account, to create a new password run the following command<\/p>\n
        argocd account update-password --account <new-account-name> --current-password <admin-password> --new-password <new-account-password><\/code><\/pre>\n
        Make sure to replace the bolded letters in the above command with the admin password, new account name, and new password for the account.<\/p>\n
        Once you have updated the password, you can use the username and password to log in to your Argo CD UI and CLI.<\/p>\n
        If you go to Setting\/Accounts<\/strong> on your Argo CD UI, you can see the accounts as shown below<\/p>\n
        \"Viewing<\/figure>\n
        In my Argo CD, the account crunchops<\/strong> only has read access<\/strong> and permission to perform get action on applications, if I try to create a new application using the account crunchops<\/strong> I get the following permission denied message<\/p>\n
        \"Permission<\/figure>\n
        For more information on Argo CD RBAC Configuration refer this<\/a> document.<\/p>\n
        Conclusion<\/h2>\n
        In summary, we discussed creating a new account, configuring RBAC for that account, and creating a new password for the account.<\/p>\n
        I hope this blog helps you understand how to create and attach certain permissions to an account in Argo CD.<\/p>\n
        Also, here is a free study guide on Certified Argo Project Associate (CAPA)<\/a>.<\/p>\n
        \n
        Ngu\u1ed3n:<\/strong> How to Create a New Account in Argo CD and Configure RBAC \u2014 DevOpsCube<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
        Source: https:\/\/devopscube.com\/create-a-new-account-in-argo-cd\/<\/p>\n","protected":false},"author":1,"featured_media":401,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-400","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/400","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=400"}],"version-history":[{"count":0,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/400\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/media\/401"}],"wp:attachment":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}