Open nicl-dev opened 1 year ago
Hi nicl-dev, do you have any solutions for this? Thank you!
@walkingerica Unfortunately we couldn't make it work yet. Still looking for help.
@nicl-dev we've made it work!
In the AWS Identity Center configuration, the following attributes should be configured:
- Application start URL (optional): https://
- Application ACS URL: https://
- Application SAML audience: https://
Our dex.config looks like:
```yaml
dex.config: |
  logger:
    level: debug
    format: json
  connectors:
  - type: saml
    id: aws
    name: "AWS IAM Identity Center"
    config:
      ssoURL: https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/<ID>
      caData: <BASE64_DECODED_CA_CERT>
      entityIssuer: https://<ARGO_CD_DOMAIN>/api/dex/callback
      redirectURI: https://<ARGO_CD_DOMAIN>/api/dex/callback
      usernameAttr: email
      emailAttr: email
      groupsAttr: groups
```
I hope it helps to make this work.
In addition to @smeckert's reply: you need to have proper attribute mapping in the AWS application:
Hi,
In addition to @patr00n and @smeckert: if you want it to work on an AWS SSO group basis, this is working for me:

```yaml
policy.default: role:readonly
policy.csv: |
  p, role:readonly, applications, get, */*, allow
  p, role:readonly, certificates, get, *, allow
  p, role:readonly, clusters, get, *, allow
  p, role:readonly, repositories, get, *, allow
  p, role:readonly, projects, get, *, allow
  p, role:readonly, accounts, get, *, allow
  p, role:readonly, gpgkeys, get, *, allow
  p, role:admin, applications, create, */*, allow
  p, role:admin, applications, update, */*, allow
  p, role:admin, applications, delete, */*, allow
  p, role:admin, applications, sync, */*, allow
  p, role:admin, applications, override, */*, allow
  p, role:admin, applications, action/*, */*, allow
  p, role:admin, certificates, create, *, allow
  p, role:admin, certificates, update, *, allow
  p, role:admin, certificates, delete, *, allow
  p, role:admin, clusters, create, *, allow
  p, role:admin, clusters, update, *, allow
  p, role:admin, clusters, delete, *, allow
  p, role:admin, repositories, create, *, allow
  p, role:admin, repositories, update, *, allow
  p, role:admin, repositories, delete, *, allow
  p, role:admin, projects, create, *, allow
  p, role:admin, projects, update, *, allow
  p, role:admin, projects, delete, *, allow
  p, role:admin, accounts, update, *, allow
  p, role:admin, gpgkeys, create, *, allow
  p, role:admin, gpgkeys, delete, *, allow
  g, <ADMIN GROUP ID AWS SSO>, role:admin
  g, guest, role:readonly
scopes: '[groups, email]'
```
@zeusal We have even stricter policies, but in general, it looks similar. Unless we have only groups in scopes
Hi @zeusal, even after adding the policies that you mentioned, I am not able to sync an application in the default project. My argocd-rbac-cm.yaml:
Hi @madclement!
Are all other settings correct?
You need:
You can view the group ID of the logged-on user on the "User Information" page of the ArgoCD UI.
You can help yourself with this document: https://argo-cd.readthedocs.io/en/latest/operator-manual/user-management/identity-center/
Yes @zeusal, I followed the same instructions. Sharing here the settings used:

argocd-cm:
Hi @madclement, I understand that you get access to ArgoCD, so the connection/configuration of ArgoCD <-> AWS Identity Center SAML app is correct.
After accessing and attempting a "sync" operation, what error/message is displayed?
Does the group shown in "User Information" of the ArgoCD console match the one in the AWS Identity Center (in this case Infra-L4 and Infra-L5)?
And finally, I understand that the user with which you are trying to access is within any of these two groups (Infra-L4 and Infra-L5), is that correct?
You can send us the logs after the login, to see if ArgoCD is showing any error when retrieving the groups.
Also test this policy by entering a single group:

```yaml
policy.csv: |
  g, <GROUP ID>, role:admin
scopes: '[groups, email]'
```
Hey @zeusal, the following error message is displayed after the sync operation:

```
Unable to deploy revision: permission denied: applications, sync, default/karpenter-test, sub: ChhjbGVtZW50QG1hZHN0cmVldGRlbi5jb20SA2F3cw, iat: 2023-11-08T13:02:08Z
```

There are multiple random groups shown on the User Info page in ArgoCD, but none of them corresponds to the group ID in AWS Identity Center.
Yes, my access is within the Infra-L3 group.
The logs I am getting after entering the policy you provided, after replacing my group ID there:
Hi @madclement
The permissions are not applied correctly because the groups do not match between Identity Center, ArgoCD and RBAC.
In my case, the AWS Identity Center group ID matches the one shown in "User Info" in Argo CD.
If you need help, I can help you through Slack.
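The "permission denied: applications, sync, ..." message above is the expected outcome whenever the group IDs arriving in the SAML assertion do not match any `g` line in policy.csv. As an added example that is not part of this thread or of Argo CD's own code, here is a simplified, stand-alone model of how a policy.csv is resolved: the user and its groups are mapped to roles through `g` lines (transitively), `policy.default` is granted to every authenticated user, `p` lines are matched with glob patterns, and a matching `deny` wins over `allow`. The policy text, the user name and the "managed AD" group ID are constructed; the glob matching uses Python's `fnmatch` as a stand-in for Argo CD's real matcher, and the `deny` line is there only to show precedence.

```python
import fnmatch

# Constructed sample policy in the shape posted in this thread (not a real deployment).
POLICY_CSV = """
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, delete, prod/*, deny
g, 64d84438-b0c1-708c-f431-91ece2abb39a, role:admin
"""
POLICY_DEFAULT = "role:readonly"  # role every authenticated user gets


def parse_policy(csv_text):
    """Split policy.csv into p-rules and g-grants; raise on malformed lines."""
    perms, grants = [], {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            _, subject, resource, action, obj, effect = fields
            if effect not in ("allow", "deny"):
                raise ValueError(f"bad effect in policy line: {raw!r}")
            perms.append((subject, resource, action, obj, effect))
        elif fields[0] == "g" and len(fields) == 3:
            grants.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return perms, grants


def effective_subjects(sub, groups, grants, default_role):
    """The user, its SAML groups, the default role, and every role reachable via g-lines."""
    subjects = {sub, *groups}
    if default_role:
        subjects.add(default_role)
    frontier = list(subjects)
    while frontier:
        s = frontier.pop()
        for role in grants.get(s, ()):
            if role not in subjects:
                subjects.add(role)
                frontier.append(role)
    return subjects


def enforce(policy_csv, default_role, sub, groups, resource, action, obj):
    """True if the request is allowed; a matching deny rule always wins."""
    perms, grants = parse_policy(policy_csv)
    subjects = effective_subjects(sub, groups, grants, default_role)
    allowed = False
    for p_sub, p_res, p_act, p_obj, effect in perms:
        if p_sub not in subjects or p_res != resource:
            continue
        if fnmatch.fnmatchcase(action, p_act) and fnmatch.fnmatchcase(obj, p_obj):
            if effect == "deny":
                return False
            allowed = True
    return allowed


def explain(policy_csv, default_role, sub, groups, resource, action, obj):
    """Produce a message in the shape of the error seen in this thread when denied."""
    if enforce(policy_csv, default_role, sub, groups, resource, action, obj):
        return "allowed"
    return f"permission denied: {resource}, {action}, {obj}, sub: {sub}"


if __name__ == "__main__":
    # Groups as they would arrive in the SAML assertion (constructed values).
    ad_groups = ["group-id-from-managed-ad"]  # appears in no g-line -> only the default role applies
    sso_groups = ["64d84438-b0c1-708c-f431-91ece2abb39a"]
    for groups in (ad_groups, sso_groups):
        print(groups, "->", explain(POLICY_CSV, POLICY_DEFAULT, "user@example.com",
                                   groups, "applications", "sync", "default/karpenter-test"))
```

Running it shows the two situations discussed above: with a group ID that matches no `g` line the user still has `get` through `policy.default` (so the UI works and the issue looks like "login succeeds, sync fails"), while only the group ID that actually appears in the assertion unlocks `sync`. Comparing the groups on the "User Info" page with the `g` lines is exactly this check.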
Hi again @madclement
I have tested from my local with AWS Identity Center SAML APP in my personal AWS account and it works.
If in the rbac cm I have role:admin I can create and sync applications; if I change this value to role:readonly, I can only see objects.
With role:readonly:

```yaml
policy.csv: |
  g, 64d84438-b0c1-708c-f431-91ece2abb39a, role:readonly
scopes: '[groups, email]'
```

With role:admin:

```yaml
policy.csv: |
  g, 64d84438-b0c1-708c-f431-91ece2abb39a, role:admin
scopes: '[groups, email]'
```
I can sync:
This is my argocd-cm:

```yaml
apiVersion: v1
data:
  dex.config: |
    logger:
      level: debug
      format: json
    connectors:
    - type: saml
      id: aws
      name: "AWS IAM Identity Center"
      config:
        ssoURL: https://portal.sso.us-east-1.amazonaws.com/saml/assertion/<ID>
        caData: <CERT IN BASE64>
        entityIssuer: https://localhost:8080/api/dex/callback
        redirectURI: https://localhost:8080/api/dex/callback
        usernameAttr: email
        emailAttr: email
        groupsAttr: groups
  url: https://localhost:8080
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
```

Screenshots (not reproduced here): my group, the attribute mappings, the SAML app config, the group assignment.
I don't understand why it doesn't work, following the steps I have managed to make it work locally.
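Most of the failures in this thread come down to three things in the dex connector: the callback URLs, the certificate encoding in caData, and the attribute names. The following checker is an added example, not code from this thread or from Argo CD or dex. It takes the connector `config` mapping as a plain dict (as obtained from argocd-cm with any YAML loader) plus the Argo CD `url`, and reports inconsistencies; `to_ca_data` shows the encoding dex expects for caData (base64 of the whole PEM file) and the checker flags the common mistake of pasting the raw PEM. The certificate, hostnames and ID are constructed placeholders.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed placeholder PEM: the body is base64 of a marker string, not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def to_ca_data(pem_text):
    """caData is the base64 encoding of the whole PEM file, on a single line."""
    return base64.b64encode(pem_text.encode()).decode()


def check_connector(cfg, argocd_url):
    """Return a list of problems found in a dex SAML connector 'config' mapping (empty = OK)."""
    problems = []

    # ssoURL must point at the Identity Center portal for some region.
    host = urlparse(cfg.get("ssoURL", "")).hostname or ""
    if not re.fullmatch(r"portal\.sso\.[a-z0-9-]+\.amazonaws\.com", host):
        problems.append(f"ssoURL host {host!r} is not an Identity Center portal host")

    # Both entityIssuer and redirectURI must equal the dex callback under the Argo CD URL.
    callback = argocd_url.rstrip("/") + "/api/dex/callback"
    for key in ("entityIssuer", "redirectURI"):
        if cfg.get(key) != callback:
            problems.append(f"{key} should be {callback}, got {cfg.get(key)!r}")

    # caData must be base64 that decodes to a PEM certificate block.
    ca = cfg.get("caData", "")
    try:
        pem = base64.b64decode(ca, validate=True).decode()
    except ValueError:
        problems.append("caData is not valid base64 (raw PEM pasted instead of its base64 encoding?)")
    else:
        m = re.search(r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----", pem, re.S)
        if not m:
            problems.append("caData decodes, but not to a PEM certificate block")
        else:
            try:
                base64.b64decode("".join(m.group(1).split()), validate=True)
            except ValueError:
                problems.append("PEM body inside caData is not valid base64")

    # Without these, the email and group claims never reach Argo CD's RBAC.
    for key in ("usernameAttr", "emailAttr", "groupsAttr"):
        if not cfg.get(key):
            problems.append(f"{key} is not set; that attribute will not reach RBAC")

    return problems


# Constructed connector config in the shape posted in this thread.
GOOD_CONFIG = {
    "ssoURL": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/PLACEHOLDER-ID",
    "caData": to_ca_data(SAMPLE_PEM),
    "entityIssuer": "https://argocd.example.com/api/dex/callback",
    "redirectURI": "https://argocd.example.com/api/dex/callback",
    "usernameAttr": "email",
    "emailAttr": "email",
    "groupsAttr": "groups",
}

if __name__ == "__main__":
    print("good config:", check_connector(GOOD_CONFIG, "https://argocd.example.com"))
    broken = dict(GOOD_CONFIG, caData=SAMPLE_PEM,
                  redirectURI="https://argocd.example.com/dex/callback")
    for problem in check_connector(broken, "https://argocd.example.com"):
        print("-", problem)
```

The checker deliberately compares `entityIssuer` and `redirectURI` against the value derived from `url`, because the Identity Center application's ACS URL and audience are typed by hand and have to agree with what dex sends; a mismatch there produces a SAML error at login, while a wrong `groupsAttr` produces the quieter "login works, RBAC denies everything" behaviour seen in this thread.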
Hey @zeusal, sorry for the delayed response, the timezone is different here.
I am not sure why the group ID in the ArgoCD user info doesn't match the one in Identity Center.
Yes, I might need help on this. How do I reach you through Slack?
Hey @zeusal, I think I found the problem. We have integrated AWS SSO Identity with AWS Managed Directory services, so the group IDs which are sent to ArgoCD were from the AD service, not from Identity Center. So I replaced the SSO group ID with the one from the Managed AD group ID and now I was successfully able to perform the sync operation with the policy you provided previously. Anyway, thanks a lot for all the help.
Hi again @madclement
Sorry for the misunderstanding.
I assumed that I had used "Identity Center directory" as the identity source.
The Argocd documentation is for that case only. For all other cases change the attribute mapping and/or group id.
Got the same issue and tried all of the above but still no luck. Any other suggestions?
I am also having this issue, I have this error:
Any ideas?
(Everything is configured as in the documentation: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/identity-center/)
Thanks
When you configure Attribute mappings, did you type `.` instead of `:`?
Checklist:
- argocd version

Describe the bug
We are trying to setup SSO with AWS' IAM Identity Center and are facing the following error:
Unfortunately, there does not exist any documentation of successful attempts to use IAM Identity Center for SSO with ArgoCD. The Slack channel couldn't help us either, so we rely on help here now. A similar issue (using OneLogin instead of IAM Identity Center) has been reported here: https://github.com/argoproj/argo-cd/issues/5450
To Reproduce
Current dex.config and rbac:
Expected behavior
Login via SAML is successful.
Screenshots
Version
Logs