I am super excited to announce that we’ve just launched the Roles and Permissions Management System (RBAC) in open beta for Qovery.
Important note: This feature is subject to minor changes until it is GA.
At the moment, you can only use this feature via the Qovery REST API. It will be accessible via the Qovery V3 web interface for Q4 2022.
Here is a mockup of what the RBAC design looks like for Qovery V3:
[Mockup: List members]
[Mockup: Create role]
Why should you use RBAC
RBAC gives you fine-grained access control over different resources (projects, types of environments) for your users. For example, you can specify (non-exhaustive list):
- Which users can get access to each project.
- Which users can redeploy the production environment from project X.
- Which users can invite team members.
- …
RBAC is not linked to AWS IAM or any other IAM permissions system. It’s a standalone Qovery feature that would be integrable with SAML in the future.
How to use RBAC
To use the Qovery RBAC API:
- Check out our API documentation.
- Create an API token.
Keep your API token secure - never share it with anyone.
Examples
By default, Qovery provides 5 base roles: Owner, Admin, DevOps, Billing Manager and Viewer.
You can attach your users to one of those base roles, and you can create your own custom roles as well.
List available roles
curl -X GET -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
"https://api.qovery.com/organization/:orgId/availableRole"
Your Organization ID (org ID) is the first ID in your console.qovery.com URL. E.g. for
https://console.qovery.com/platform/organization/141c07c8-0dd9-4623-983b-3fdd61867777/projects
the Organization ID is 141c07c8-0dd9-4623-983b-3fdd61867777
{
"results": [
{
"id": "UUID",
"name": "admin"
},
//...
]
}
Create a custom role
You can create a custom role with the following command:
curl -X POST -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
-d '{"name": "Platform Engineers", "description": "Role for all Platform Engineers"}' \
"https://api.qovery.com/organization/:orgId/customRole"
{
"id": "4c4d8b7f-0fcd-4e28-bc76-2286e8f1bbbb",
"name": "Platform Engineers",
"description": "Role for all Platform Engineers",
"cluster_permissions": [
{
"cluster_id": "2db7b314-5cd6-4754-98cb-c47cc2677777",
"cluster_name": "eks staging",
"permission": "VIEWER"
},
{
"cluster_id": "a8ad0659-b8f2-4c83-ad77-092e97bb2222",
"cluster_name": "production",
"permission": "VIEWER"
}
],
"project_permissions": [
{
"project_id": "977bd069-20f7-4b24-bd95-28b44174cccc",
"project_name": "Console V3",
"is_admin": false,
"permissions": [
{
"environment_type": "DEVELOPMENT",
"permission": "NO_ACCESS"
},
{
"environment_type": "PREVIEW",
"permission": "NO_ACCESS"
},
{
"environment_type": "STAGING",
"permission": "NO_ACCESS"
},
{
"environment_type": "PRODUCTION",
"permission": "NO_ACCESS"
}
]
},
{
"project_id": "0ec9c393-b0c0-4406-9b04-af9823096666",
"project_name": "Marketing",
"is_admin": false,
"permissions": [
{
"environment_type": "DEVELOPMENT",
"permission": "NO_ACCESS"
},
{
"environment_type": "PREVIEW",
"permission": "NO_ACCESS"
},
{
"environment_type": "STAGING",
"permission": "NO_ACCESS"
},
{
"environment_type": "PRODUCTION",
"permission": "NO_ACCESS"
}
]
},
{
"project_id": "6e63eb6b-f384-4003-a52d-1e67b910bbbb",
"project_name": "Posthog Analytics",
"is_admin": false,
"permissions": [
{
"environment_type": "DEVELOPMENT",
"permission": "NO_ACCESS"
},
{
"environment_type": "PREVIEW",
"permission": "NO_ACCESS"
},
{
"environment_type": "STAGING",
"permission": "NO_ACCESS"
},
{
"environment_type": "PRODUCTION",
"permission": "NO_ACCESS"
}
]
},
{
"project_id": "a74df42b-59f2-4ac1-a0df-970d53c99999",
"project_name": "Product",
"is_admin": false,
"permissions": [
{
"environment_type": "DEVELOPMENT",
"permission": "NO_ACCESS"
},
{
"environment_type": "PREVIEW",
"permission": "NO_ACCESS"
},
{
"environment_type": "STAGING",
"permission": "NO_ACCESS"
},
{
"environment_type": "PRODUCTION",
"permission": "NO_ACCESS"
}
]
}
]
}
Edit custom role
Then you can edit your custom role by changing the cluster and project permissions.
Refer to the API documentation for the different parameters.
curl -X PUT -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
-d @platformengineer.json \
"https://api.qovery.com/organization/:orgId/customRole/:customRoleId"
Create a platformengineer.json file with the following content:
{
"name": "Platform Engineers",
"description": "Role for all Platform Engineers",
"cluster_permissions": [
{
"cluster_id": "2db7b314-5cd6-4754-98cb-c47cc2677777",
"cluster_name": "eks staging",
"permission": "ADMIN"
},
{
"cluster_id": "a8ad0659-b8f2-4c83-ad77-092e97bb2222",
"cluster_name": "production",
"permission": "ENV_CREATOR"
}
],
"project_permissions": [
{
"project_id": "977bd069-20f7-4b24-bd95-28b44174cccc",
"project_name": "Console V3",
"is_admin": true
},
{
"project_id": "0ec9c393-b0c0-4406-9b04-af9823096666",
"project_name": "Marketing",
"is_admin": false,
"permissions": [
{
"environment_type": "DEVELOPMENT",
"permission": "VIEWER"
},
{
"environment_type": "PREVIEW",
"permission": "VIEWER"
},
{
"environment_type": "STAGING",
"permission": "VIEWER"
},
{
"environment_type": "PRODUCTION",
"permission": "VIEWER"
}
]
},
{
"project_id": "6e63eb6b-f384-4003-a52d-1e67b910bbbb",
"project_name": "Posthog Analytics",
"is_admin": false,
"permissions": [
{
"environment_type": "DEVELOPMENT",
"permission": "NO_ACCESS"
},
{
"environment_type": "PREVIEW",
"permission": "NO_ACCESS"
},
{
"environment_type": "STAGING",
"permission": "NO_ACCESS"
},
{
"environment_type": "PRODUCTION",
"permission": "NO_ACCESS"
}
]
},
{
"project_id": "a74df42b-59f2-4ac1-a0df-970d53c99999",
"project_name": "Product",
"is_admin": false,
"permissions": [
{
"environment_type": "DEVELOPMENT",
"permission": "VIEWER"
},
{
"environment_type": "PREVIEW",
"permission": "VIEWER"
},
{
"environment_type": "STAGING",
"permission": "VIEWER"
},
{
"environment_type": "PRODUCTION",
"permission": "VIEWER"
}
]
}
]
}
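An added example, not Qovery's code: a pre-flight check to run on platformengineer.json before sending it with PUT. It rejects invalid JSON (a trailing comma, for instance) and lists the grants a reviewer should look at. The sample IDs are constructed, and treating only NO_ACCESS and VIEWER as non-elevated is an assumption based on the values shown on this page.

```python
import json

# Constructed sample in the shape of the role document shown above
# (IDs are placeholders, not real Qovery identifiers).
SAMPLE_ROLE = """
{
  "name": "Platform Engineers",
  "cluster_permissions": [
    {"cluster_id": "c-1", "cluster_name": "eks staging", "permission": "ADMIN"},
    {"cluster_id": "c-2", "cluster_name": "production", "permission": "VIEWER"}
  ],
  "project_permissions": [
    {"project_id": "p-1", "project_name": "Console V3", "is_admin": true},
    {"project_id": "p-2", "project_name": "Marketing", "is_admin": false,
     "permissions": [
       {"environment_type": "DEVELOPMENT", "permission": "VIEWER"},
       {"environment_type": "PRODUCTION", "permission": "NO_ACCESS"}
     ]}
  ]
}
"""

READ_ONLY = {"NO_ACCESS", "VIEWER"}  # assumption: the non-elevated values seen on this page
ENV_TYPES = {"DEVELOPMENT", "PREVIEW", "STAGING", "PRODUCTION"}


def audit_role(text):
    """Return review findings for a role document; raise ValueError on invalid JSON."""
    try:
        role = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON (line {exc.lineno}): {exc.msg}") from exc
    findings = []
    for c in role.get("cluster_permissions", []):
        if c.get("permission") not in READ_ONLY:
            findings.append(f"cluster '{c.get('cluster_name')}': elevated permission {c.get('permission')}")
    for p in role.get("project_permissions", []):
        name = p.get("project_name")
        if p.get("is_admin"):
            findings.append(f"project '{name}': is_admin is true")
            continue  # per-environment entries are not listed for admin projects on this page
        perms = {e["environment_type"]: e["permission"] for e in p.get("permissions", [])}
        for env in sorted(ENV_TYPES - perms.keys()):
            findings.append(f"project '{name}': no explicit permission for {env}")
        for env, perm in sorted(perms.items()):
            if perm not in READ_ONLY:
                findings.append(f"project '{name}': elevated permission {perm} on {env}")
    return findings
```

Call `audit_role(open("platformengineer.json").read())` and review every finding before running the PUT request.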
List custom roles
curl -X GET -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
"https://api.qovery.com/organization/:orgId/customRole"
{
"name": "Platform Engineers",
"description": "Role for all Platform Engineers",
"cluster_permissions": [
{
"cluster_id": "2db7b314-5cd6-4754-98cb-c47cc2677777",
"cluster_name": "eks staging",
"permission": "ADMIN"
},
{
"cluster_id": "a8ad0659-b8f2-4c83-ad77-092e97bb2222",
"cluster_name": "production",
"permission": "ENV_CREATOR"
}
],
"project_permissions": [
{
"project_id": "977bd069-20f7-4b24-bd95-28b44174cccc",
"project_name": "Console V3",
"is_admin": true
},
{
"project_id": "0ec9c393-b0c0-4406-9b04-af9823096666",
"project_name": "Marketing",
"is_admin": false,
"permissions": [
{
"environment_type": "DEVELOPMENT",
"permission": "VIEWER"
},
{
"environment_type": "PREVIEW",
"permission": "VIEWER"
},
{
"environment_type": "STAGING",
"permission": "VIEWER"
},
{
"environment_type": "PRODUCTION",
"permission": "VIEWER"
}
]
},
{
"project_id": "6e63eb6b-f384-4003-a52d-1e67b910bbbb",
"project_name": "Posthog Analytics",
"is_admin": false,
"permissions": [
{
"environment_type": "DEVELOPMENT",
"permission": "NO_ACCESS"
},
{
"environment_type": "PREVIEW",
"permission": "NO_ACCESS"
},
{
"environment_type": "STAGING",
"permission": "NO_ACCESS"
},
{
"environment_type": "PRODUCTION",
"permission": "NO_ACCESS"
}
]
},
{
"project_id": "a74df42b-59f2-4ac1-a0df-970d53c99999",
"project_name": "Product",
"is_admin": false,
"permissions": [
{
"environment_type": "DEVELOPMENT",
"permission": "VIEWER"
},
{
"environment_type": "PREVIEW",
"permission": "VIEWER"
},
{
"environment_type": "STAGING",
"permission": "VIEWER"
},
{
"environment_type": "PRODUCTION",
"permission": "VIEWER"
}
]
}
]
}
Attach user to a role
To attach a user to a role, you first need to list the available roles in your organization:
curl -X GET -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
"https://api.qovery.com/organization/:orgId/availableRole"
Then update the member's role by providing the target role ID with this API command:
I assume that you have already invited the user within your organization AND that this user has already accepted the invite.
curl -X PUT -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
-d '{"user_id": "User ID", "role_id": "Your target role id"}' \
"https://api.qovery.com/organization/:orgId/customRole/:customRoleId"
- To list user IDs from your organization, use the following API call.
- Available roles are listed via this API call.
If you have any questions or you need any help, feel free to comment on this thread.