
I'm trying Spinnaker to bake and deploy AMIs to AWS Auto Scaling Groups. The problem is, the instance needs too many permissions. As stated in a Spinnaker blog post (i.e. "In today's world, it is often seen as bad practice to give tools total access to your environments"), I want to know whether there's a way to restrict the Spinnaker instance's permissions, yet still allow users to deploy their applications to their own clusters, e.g. if they're authorized to do so in AWS.

Sure, the doc says that you can restrict access to applications, but is that enough? Can a member of application A somehow (e.g. in a pipeline stage) call AWS APIs utilizing Spinnaker's permissions (hence being able to modify application B's clusters)? Let's say that SSH access to the Spinnaker instance is already disabled.

1 Answer


With authorization correctly set up, application A's member should not be able to modify application B if they don't have permission (see here). This guard is in place at the Spinnaker application level, not at the cloud provider (EC2) platform level.

Spinnaker was architected with "god mode" credentials, so in fact the same credentials are being used to manipulate application A's and application B's cloud resources.

Travis Tomsu
  • Any plan to switch from that "god mode" / support the pipeline executor's credentials? To support our current case: teams still deploy apps to a single shared AWS account, and I want to be able to track who makes what changes, and when, to this account in a single dashboard; that's CloudTrail in the case of AWS. I want to be able to see something like "user A modifies ASG X". My current hack is to run Spinnaker on each developer's laptop. – Salvian Reynaldi Oct 19 '17 at 03:22
  • Not at the moment, but we're open to suggestions. The problem generally ends up being that not every cloud provider has an IAM/RBAC security model. You're right that the ideal is for Spinnaker's caching agents to use read-only credentials, and for the end users' credentials to be used when appropriate. We'd have to figure out how to pull (and store securely) the end-user credentials from the cloud provider. Then we have to ask what role automatically triggered pipelines use. It's a hairy problem with unclear answers. – Travis Tomsu Oct 20 '17 at 12:58
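The comment thread's point, that with a shared instance role CloudTrail records the role rather than the person, can be seen directly in the userIdentity block of CloudTrail records. The Python below is an added example written for this page; it is not code from the question, the answer, or the Spinnaker project. The four events are constructed (the account id, role names, instance id and ASG names are made up), the field names follow CloudTrail's record format (userIdentity.type, sessionContext.sessionIssuer.userName, requestParameters.autoScalingGroupName), and the rule "a session named after an EC2 instance id means instance-profile credentials" is an assumption made here, not something the thread states.

```python
"""
Attribute Auto Scaling Group changes in CloudTrail to a person, and flag the
ones that can only be attributed to a shared role such as the instance
profile a Spinnaker instance deploys with. Sample records are constructed
for this example; field names follow the CloudTrail record format.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample CloudTrail records (not from any real account).
SPINNAKER_ARN = "arn:aws:sts::123456789012:assumed-role/spinnaker-instance-role/i-0123456789abcdef0"
SPINNAKER_IDENTITY = {
    "type": "AssumedRole",
    "arn": SPINNAKER_ARN,
    "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "spinnaker-instance-role"}},
}
SAMPLE_EVENTS = [
    {   # a developer calling the API directly with her own IAM user
        "eventTime": "2017-10-19T03:00:11Z",
        "eventSource": "autoscaling.amazonaws.com",
        "eventName": "UpdateAutoScalingGroup",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"autoScalingGroupName": "app-a-v002", "maxSize": 4},
    },
    {   # Spinnaker deploying on someone's behalf: only the instance role is visible
        "eventTime": "2017-10-19T03:05:42Z",
        "eventSource": "autoscaling.amazonaws.com",
        "eventName": "CreateAutoScalingGroup",
        "userIdentity": SPINNAKER_IDENTITY,
        "requestParameters": {"autoScalingGroupName": "app-b-v003", "minSize": 2},
    },
    {   # Spinnaker's caching agent: read-only, so not a change at all
        "eventTime": "2017-10-19T03:06:00Z",
        "eventSource": "autoscaling.amazonaws.com",
        "eventName": "DescribeAutoScalingGroups",
        "userIdentity": SPINNAKER_IDENTITY,
        "requestParameters": {},
    },
    {   # a federated developer whose AssumeRole session is named after him
        "eventTime": "2017-10-19T03:10:05Z",
        "eventSource": "autoscaling.amazonaws.com",
        "eventName": "DeleteAutoScalingGroup",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/developer-role/bob",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "developer-role"}},
        },
        "requestParameters": {"autoScalingGroupName": "app-a-v001", "forceDelete": True},
    },
]

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


@dataclass
class AsgChange:
    time: str
    action: str
    asg: str
    actor: str
    attributable: bool  # True when a named person can be tied to the call


def actor_of(identity: dict) -> tuple[str, bool]:
    """Name the caller and say whether that name identifies a person."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity["userName"], True
    if kind == "AssumedRole":
        role = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "?")
        session = identity.get("arn", "").rsplit("/", 1)[-1]
        # Assumption used here: a session name that is an EC2 instance id means
        # the credentials came from an instance profile, so everyone who drives
        # that instance (every Spinnaker user) looks identical in the trail.
        if session.startswith("i-"):
            return f"role/{role} (instance {session})", False
        # Otherwise the session name is whatever the caller chose at AssumeRole
        # time; it identifies a person only if the trust policy pins
        # sts:RoleSessionName to the federated username.
        return f"role/{role} (session {session})", True
    return kind or "unknown", False


def asg_changes(records: list[dict]) -> list[AsgChange]:
    """Keep only mutating Auto Scaling calls and attribute each one."""
    out: list[AsgChange] = []
    for rec in records:
        if rec.get("eventSource") != "autoscaling.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        if name.startswith(READ_ONLY_PREFIXES):
            continue
        actor, attributable = actor_of(rec.get("userIdentity", {}))
        asg = rec.get("requestParameters", {}).get("autoScalingGroupName", "?")
        out.append(AsgChange(rec["eventTime"], name, asg, actor, attributable))
    return out


def unattributed_changes(changes: list[AsgChange]) -> list[AsgChange]:
    """Changes the trail can only pin on a shared role, not on a person."""
    return [c for c in changes if not c.attributable]


if __name__ == "__main__":
    for c in asg_changes(SAMPLE_EVENTS):
        flag = "" if c.attributable else "  <-- only the shared instance role is visible"
        print(f"{c.time} {c.actor} {c.action} {c.asg}{flag}")
```

Run against a real trail (e.g. records pulled from the CloudTrail S3 bucket) the same logic shows why the "user A modifies ASG X" view the commenter wants is unobtainable while every deploy goes through one instance role: the CreateAutoScalingGroup for app-b-v003 carries the role and instance id and nothing else. The Describe call illustrates the other half of Travis Tomsu's reply: the caching agents' read-only traffic is separable from the mutating calls, which is what makes a read-only credential for them feasible.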