Argo-cd: SSO using dex and Google as the provider, user unable to access/add resources

Created on 6 Mar 2019 · 7 Comments · Source: argoproj/argo-cd

When logged in as the admin user, I am able to add/remove repos and clusters as needed.

Using SSO w/ dex and Google as the provider, user can log in, but not access any of the created repos or clusters.
User is also unable to add repos or clusters.

(Possible issue with groups scope being an empty list?)

SSO - attempt to add cluster

~/Argo$ argocd-linux-amd64 login localhost:8088 --sso --plaintext
Opening browser for authentication
Performing authorization_code flow login: http://localhost:8088/api/dex/auth?access_type=offline&client_id=argo-cd-cli&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state=qEEjZgpiqO
Authentication successful
'[USER]' logged in successfully
Context 'localhost:8088' updated
~/Argo$ argocd-linux-amd64 cluster add [CLUSTER_NAME]
INFO[0000] ServiceAccount "argocd-manager" already exists 
INFO[0000] ClusterRole "argocd-manager-role" updated    
INFO[0000] ClusterRoleBinding "argocd-manager-role-binding" already exists 
FATA[0001] rpc error: code = PermissionDenied desc = permission denied: clusters, create, https://35.232.52.245 

Admin - add cluster

~/Argo$ argocd-linux-amd64 login localhost:8088 --plaintext
Username: admin
Password: 
'admin' logged in successfully
Context 'localhost:8088' updated
~/Argo$ argocd-linux-amd64 cluster add [CLUSTER NAME]
INFO[0000] ServiceAccount "argocd-manager" already exists 
INFO[0000] ClusterRole "argocd-manager-role" updated    
INFO[0000] ClusterRoleBinding "argocd-manager-role-binding" already exists 
Cluster '[CLUSTER NAME]' added
~/Argo$ argocd-linux-amd64 cluster list
SERVER                          NAME                                               STATUS      MESSAGE
[CLUSTER IP]           [CLUSTER NAME]  Successful  
https://kubernetes.default.svc

Back to SSO - list clusters

~/Argo$ argocd-linux-amd64 login localhost:8088 --sso --plaintext
Opening browser for authentication
Performing authorization_code flow login: http://localhost:8088/api/dex/auth?access_type=offline&client_id=argo-cd-cli&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state=HFmkYXVZSZ
Authentication successful
'[USER]' logged in successfully
Context 'localhost:8088' updated
~/Argo$ argocd-linux-amd64 cluster list
SERVER  NAME  STATUS  MESSAGE
~/Argo$ 

Dex logs show the following when logging in w/ sso
Possible issue with groups?

time="2019-03-06T21:30:07Z" level=info msg="login successful: connector \"google\", username=\"[USER NAME]\", email=\"[USER EMAIL\", groups=[]" 

Dex Config:

data:
  dex.config: |
    connectors:
    - type: oidc
      id: google
      name: Google
      config:
       issuer: https://accounts.google.com
       clientID: [CLIENT ID]
       clientSecret: $dex.google.clientSecret
  url: http://localhost:8088


All 7 comments

You need to set a policy.default role in the argocd-rbac-cm.yaml. We provide two roles for convenience: role:admin and role:readonly. By default, and by design, we do not assume a default policy for you.

https://github.com/argoproj/argo-cd/blob/master/docs/rbac.md

Added policy.default: role:admin. No change in behavior.
Is there something else I am missing? Do I need to restart a service?

~$ kubectl describe configmap -n argocd
Name:         argocd-cm
Namespace:    argocd
Labels:       app.kubernetes.io/name=argocd-cm
              app.kubernetes.io/part-of=argocd
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-cm","app.kubernetes.io/part-...

Data
====
dex.config:
----
connectors:
-<snip!>-

policy.default:
----
role:admin
repositories:
----
- sshPrivateKeySecret:
-<snip!>-

url:
----
http://localhost:8088
Events:  <none>


Name:         argocd-rbac-cm
Namespace:    argocd
Labels:       app.kubernetes.io/name=argocd-rbac-cm
              app.kubernetes.io/part-of=argocd
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-rbac-cm","app.kubernetes.io/...

Data
====
Events:  <none>

~$ argocd-linux-amd64 login localhost:8088 --sso --plaintext
Opening browser for authentication
Performing authorization_code flow login: http://localhost:8088/api/dex/auth?access_type=offline&client_id=argo-cd-cli&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state=qalJSCIwHr
Authentication successful
'[USER]' logged in successfully
Context 'localhost:8088' updated

~$ argocd-linux-amd64 cluster add [CLUSTER NAME]
INFO[0000] ServiceAccount "argocd-manager" already exists 
INFO[0000] ClusterRole "argocd-manager-role" updated    
INFO[0000] ClusterRoleBinding "argocd-manager-role-binding" already exists 
FATA[0001] rpc error: code = PermissionDenied desc = permission denied: clusters, create, https://35.232.52.245 

It needs to go in argocd-rbac-cm.yaml and not argocd-cm.yaml

Really, I can read, I swear.
Moved configuration to configmap argocd-rbac-cm, all works now!

@jessesuen I configured dex with Google using connectors as per: https://github.com/dexidp/dex/blob/master/Documentation/connectors/oidc.md . Everything is working and all users by default have read only permissions.

How can I make my user/email an admin (or better, a list of users/emails), as this provider does not support groups? I tried every combination I could think of, using this as an example: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml

I think what I asked can be tracked in https://github.com/argoproj/argo-cd/issues/1444
Using the info there I added something like:

 g, <value of the 'sub' key in the request>, role:admin

And it works! The problem is described in the above ticket. To see the value just look into the logs.

@ndigati you might be interested in this.

It should now be possible to configure Argo CD to examine the email scope using the scopes configuration field in argocd-rbac-cm.yaml:

https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml#L26
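Putting the thread's pieces together, an argocd-rbac-cm that keeps a read-only default, binds individual Google identities by email via the scopes field, and grants one user only cluster and repository management rather than full admin. This is an added illustration, not configuration from the issue or from the Argo CD docs; the email addresses are constructed placeholders, and the six-column p-line format (with the trailing effect) follows the operator-manual example linked above.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm      # RBAC settings live here, not in argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
data:
  # Everyone who authenticates through dex but matches no g-line below
  # gets read-only access; nothing is granted implicitly.
  policy.default: role:readonly

  # Match g-line subjects against the email claim (Google returns no
  # groups, so the default 'groups' scope would never match anyone).
  scopes: '[email]'

  policy.csv: |
    # Custom role: manage clusters and repositories only, no application
    # sync/delete rights. Columns: p, subject, resource, action, object, effect
    p, role:infra-operator, clusters, *, *, allow
    p, role:infra-operator, repositories, *, *, allow

    # Bind identities (constructed placeholder emails) to roles
    g, alice@example.com, role:admin
    g, bob@example.com, role:infra-operator
```

With this in place, the `cluster add` that failed in the issue with `permission denied: clusters, create, ...` succeeds for bob@example.com while other SSO users remain read-only; the `g, <sub>, role:admin` form from the earlier comment still works if scopes is left at its default.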
