What permissions do we need the LogicMonitor Account to have?

[runswithd6s]

• Argus Version: 0.4.0
• Kubernetes Version: EKS 1.11
• Docker Version: NA

There isn't much in the way of documentation regarding what is needed for a user account to create the necessary LogicMonitor objects. Aside from a full-rights administrator, can we limit permissions to a specific sub-folder? We have specified the clusterGroupId for the folder we want argus to create items under. The user has been given a role that has rights to:

• PlatformAutomation role created
  • "Allowed to manage Resource Dashboards" False
  • "Configs tab only visible with Manage permissions" True
  • "Manage" is selected for the target group.
• User is assigned to new PlatformAutomation role

[12:02:30] cwalstrom@turo (1032)$ kubectl logs -n kube-system collectorset-controller-5d8f446cbb-qgpcq
time="2019-01-29T18:01:00Z" level=info msg="Starting to create collectorset: azasi-eks1"
time="2019-01-29T18:01:00Z" level=info msg="Adding collector group with name \"Kubernetes Cluster: azasi-eks1\""
time="2019-01-29T18:01:00Z" level=error msg="Failed to create collectorset: [REST] [1041] Permission denied"```

[skt44]

Hi @runswithd6s - We have some documentation within our support site here: https://www.logicmonitor.com/support/kubernetes-monitoring/. The user in LM needs to have permission to:

• add / remove devices: You can narrow this to a specific sub-group if that sub-group is also being set as the parent group during install, which it looks like you've done
• add collectors: This looks like the issue in your case. Argus will try to install Collector(s) in your LM account, and therefore needs permission to add Collectors
• add dashboards: If you don't add this permission, you just won't get auto-dashboards

So you can create a role with less than full-admin rights, as long as it encompasses the permissions listed above. Can you verify whether the PlatformAutomation role you created has permission to create Collectors?

[runswithd6s]

@skt44 Excellent. Adding the "Manage" checkbox for "Collector" enabled argus to add the appropriate resources. I did not see any dashboards created. Did you mean "Allow to create Private Dashboards"? I did create a "Kubernetes Clusters" group in the Dashboards and gave it "manage" permissions to that.

[skt44]

@runswithd6s okay, great! The dashboards actually are only created if you go through the UI wizard, more instructions here, but we're working on a way to make the templates used to create these dashboards more accessible.

[runswithd6s]

Ah, ok. We're using terraform and helm charts to deploy this. We did have to change how we named our helm charts to include a unique prefix to helm names, especially for things like the confluent helm charts for kafka. We wanted to simply call them 'confluent', but we had to settle for 'environmentprefix-confluent'. This made configuration more difficult with our containers, since now they had to know about this prefix to correctly identify sources of services.

tl;dr A UI wizard wouldn't work well for our CI/CD infrastructure as code approach to this.

[runswithd6s]

Thanks for your assistance! I think this solves our problems!