Roles & Permissions Management (RBAC) Beta Access

I am super excited to announce that we’ve just launched the Roles and Permissions Management System (RBAC) in open beta for Qovery :partying_face:

Important note: This feature is subject to minor changes until it is GA.

:warning: At the moment, you can only use this feature via the Qovery REST API :warning: It will be accessible via the Qovery V3 web interface in Q4 2022.


Here is a mockup of what the RBAC design looks like for Qovery V3:

[Mockup: List members]

[Mockup: Create role]

Why should you use RBAC

RBAC gives you fine-grained access control over different resources (projects, types of environments) for your users. E.g. you can specify (non-exhaustive list):

  • Which users can get access to each project.
  • Which users can redeploy the production environment from project X.
  • Which users can invite team members.

RBAC is not linked to AWS IAM or any other IAM permissions system. It’s a standalone Qovery feature that would, in the future, be integrable with SAML.

How to use RBAC

To use the Qovery RBAC API:

  1. Check out our API documentation.
  2. Create an API token.

:warning: Keep your API token secure - never share it with anyone.

Examples

By default, Qovery provides 5 base roles: Owner, Admin, DevOps, Billing Manager and Viewer.

So you can attach your users to one of those base roles, and consider creating your own custom role as well.

List available roles

curl -X GET -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
"https://api.qovery.com/organization/:orgId/availableRole"

Your Organization ID (org ID) is the first ID in your console.qovery.com URL. E.g. for https://console.qovery.com/platform/organization/141c07c8-0dd9-4623-983b-3fdd61867777/projects the Organization ID is 141c07c8-0dd9-4623-983b-3fdd61867777

{
  "results": [
    {
      "id": "UUID",
      "name": "admin"
    },
    //...
  ]
}

Create a custom role

You can create a custom role with the following command:

curl -X POST -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
-d '{"name": "Platform Engineers", "description": "Role for all Platform Engineers"}' \
"https://api.qovery.com/organization/:orgId/customRole"

{
  "id": "4c4d8b7f-0fcd-4e28-bc76-2286e8f1bbbb",
  "name": "Platform Engineers",
  "description": "Role for all Platform Engineers",
  "cluster_permissions": [
    {
      "cluster_id": "2db7b314-5cd6-4754-98cb-c47cc2677777",
      "cluster_name": "eks staging",
      "permission": "VIEWER"
    },
    {
      "cluster_id": "a8ad0659-b8f2-4c83-ad77-092e97bb2222",
      "cluster_name": "production",
      "permission": "VIEWER"
    }
  ],
  "project_permissions": [
    {
      "project_id": "977bd069-20f7-4b24-bd95-28b44174cccc",
      "project_name": "Console V3",
      "is_admin": false,
      "permissions": [
        {
          "environment_type": "DEVELOPMENT",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PREVIEW",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "STAGING",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PRODUCTION",
          "permission": "NO_ACCESS"
        }
      ]
    },
    {
      "project_id": "0ec9c393-b0c0-4406-9b04-af9823096666",
      "project_name": "Marketing",
      "is_admin": false,
      "permissions": [
        {
          "environment_type": "DEVELOPMENT",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PREVIEW",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "STAGING",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PRODUCTION",
          "permission": "NO_ACCESS"
        }
      ]
    },
    {
      "project_id": "6e63eb6b-f384-4003-a52d-1e67b910bbbb",
      "project_name": "Posthog Analytics",
      "is_admin": false,
      "permissions": [
        {
          "environment_type": "DEVELOPMENT",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PREVIEW",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "STAGING",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PRODUCTION",
          "permission": "NO_ACCESS"
        }
      ]
    },
    {
      "project_id": "a74df42b-59f2-4ac1-a0df-970d53c99999",
      "project_name": "Product",
      "is_admin": false,
      "permissions": [
        {
          "environment_type": "DEVELOPMENT",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PREVIEW",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "STAGING",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PRODUCTION",
          "permission": "NO_ACCESS"
        }
      ]
    }
  ]
}

Edit custom role

Then you can edit your custom role by changing the cluster and project permissions.

Refer to the API documentation for the different parameters.

curl -X PUT -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
-d @platformengineer.json \
"https://api.qovery.com/organization/:orgId/customRole/:customRoleId"

Create a platformengineer.json file with the following content:

{
  "name": "Platform Engineers",
  "description": "Role for all Platform Engineers",
  "cluster_permissions": [
    {
      "cluster_id": "2db7b314-5cd6-4754-98cb-c47cc2677777",
      "cluster_name": "eks staging",
      "permission": "ADMIN"
    },
    {
      "cluster_id": "a8ad0659-b8f2-4c83-ad77-092e97bb2222",
      "cluster_name": "production",
      "permission": "ENV_CREATOR"
    }
  ],
  "project_permissions": [
    {
      "project_id": "977bd069-20f7-4b24-bd95-28b44174cccc",
      "project_name": "Console V3",
      "is_admin": true
    },
    {
      "project_id": "0ec9c393-b0c0-4406-9b04-af9823096666",
      "project_name": "Marketing",
      "is_admin": false,
      "permissions": [
        {
          "environment_type": "DEVELOPMENT",
          "permission": "VIEWER"
        },
        {
          "environment_type": "PREVIEW",
          "permission": "VIEWER"
        },
        {
          "environment_type": "STAGING",
          "permission": "VIEWER"
        },
        {
          "environment_type": "PRODUCTION",
          "permission": "VIEWER"
        }
      ]
    },
    {
      "project_id": "6e63eb6b-f384-4003-a52d-1e67b910bbbb",
      "project_name": "Posthog Analytics",
      "is_admin": false,
      "permissions": [
        {
          "environment_type": "DEVELOPMENT",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PREVIEW",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "STAGING",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PRODUCTION",
          "permission": "NO_ACCESS"
        }
      ]
    },
    {
      "project_id": "a74df42b-59f2-4ac1-a0df-970d53c99999",
      "project_name": "Product",
      "is_admin": false,
      "permissions": [
        {
          "environment_type": "DEVELOPMENT",
          "permission": "VIEWER"
        },
        {
          "environment_type": "PREVIEW",
          "permission": "VIEWER"
        },
        {
          "environment_type": "STAGING",
          "permission": "VIEWER"
        },
        {
          "environment_type": "PRODUCTION",
          "permission": "VIEWER"
        }
      ]
    }
  ]
}
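A pre-flight review for the edit step, as an added example that is not Qovery's own code: it diffs the role as the API currently returns it against the file about to be sent with PUT, and marks every grant that rises above the read-only levels shown on this page. The two sample documents are constructed and trimmed from the JSON above; treating a missing entry as NO_ACCESS and any level other than NO_ACCESS or VIEWER as elevated are assumptions of this example.

```python
import json

READ_ONLY = {"NO_ACCESS", "VIEWER"}  # assumption: every other level counts as elevated

def grants(role):
    """Flatten a custom-role document into {scope: permission level}."""
    out = {}
    for c in role.get("cluster_permissions", []):
        out[f"cluster:{c['cluster_name']}"] = c["permission"]
    for p in role.get("project_permissions", []):
        if p.get("is_admin"):
            out[f"project:{p['project_name']}"] = "is_admin"
        for e in p.get("permissions", []):
            out[f"project:{p['project_name']}:{e['environment_type']}"] = e["permission"]
    return out

def review_change(current_json, proposed_json):
    """Return (scope, old, new, elevated) for every grant the PUT would change."""
    old = grants(json.loads(current_json))   # json.loads is strict: a trailing comma
    new = grants(json.loads(proposed_json))  # in the role file raises ValueError here
    changes = []
    for scope in sorted(old.keys() | new.keys()):
        # assumption: a scope missing from one side is treated as NO_ACCESS
        before, after = old.get(scope, "NO_ACCESS"), new.get(scope, "NO_ACCESS")
        if before != after:
            changes.append((scope, before, after, after not in READ_ONLY))
    return changes

CURRENT = json.dumps({  # constructed sample: role as first created
    "cluster_permissions": [
        {"cluster_name": "eks staging", "permission": "VIEWER"},
        {"cluster_name": "production", "permission": "VIEWER"}],
    "project_permissions": [
        {"project_name": "Console V3", "is_admin": False, "permissions": [
            {"environment_type": "PRODUCTION", "permission": "NO_ACCESS"}]},
        {"project_name": "Marketing", "is_admin": False, "permissions": [
            {"environment_type": "PRODUCTION", "permission": "NO_ACCESS"}]}]})
PROPOSED = json.dumps({  # constructed sample: trimmed platformengineer.json
    "cluster_permissions": [
        {"cluster_name": "eks staging", "permission": "ADMIN"},
        {"cluster_name": "production", "permission": "ENV_CREATOR"}],
    "project_permissions": [
        {"project_name": "Console V3", "is_admin": True},
        {"project_name": "Marketing", "is_admin": False, "permissions": [
            {"environment_type": "PRODUCTION", "permission": "VIEWER"}]}]})

if __name__ == "__main__":
    for scope, before, after, elevated in review_change(CURRENT, PROPOSED):
        print(f"{'ELEVATED' if elevated else 'changed ':8}  {scope}: {before} -> {after}")
```
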

List custom roles

curl -X GET -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
"https://api.qovery.com/organization/:orgId/customRole"

{
  "name": "Platform Engineers",
  "description": "Role for all Platform Engineers",
  "cluster_permissions": [
    {
      "cluster_id": "2db7b314-5cd6-4754-98cb-c47cc2677777",
      "cluster_name": "eks staging",
      "permission": "ADMIN"
    },
    {
      "cluster_id": "a8ad0659-b8f2-4c83-ad77-092e97bb2222",
      "cluster_name": "production",
      "permission": "ENV_CREATOR"
    }
  ],
  "project_permissions": [
    {
      "project_id": "977bd069-20f7-4b24-bd95-28b44174cccc",
      "project_name": "Console V3",
      "is_admin": true
    },
    {
      "project_id": "0ec9c393-b0c0-4406-9b04-af9823096666",
      "project_name": "Marketing",
      "is_admin": false,
      "permissions": [
        {
          "environment_type": "DEVELOPMENT",
          "permission": "VIEWER"
        },
        {
          "environment_type": "PREVIEW",
          "permission": "VIEWER"
        },
        {
          "environment_type": "STAGING",
          "permission": "VIEWER"
        },
        {
          "environment_type": "PRODUCTION",
          "permission": "VIEWER"
        }
      ]
    },
    {
      "project_id": "6e63eb6b-f384-4003-a52d-1e67b910bbbb",
      "project_name": "Posthog Analytics",
      "is_admin": false,
      "permissions": [
        {
          "environment_type": "DEVELOPMENT",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PREVIEW",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "STAGING",
          "permission": "NO_ACCESS"
        },
        {
          "environment_type": "PRODUCTION",
          "permission": "NO_ACCESS"
        }
      ]
    },
    {
      "project_id": "a74df42b-59f2-4ac1-a0df-970d53c99999",
      "project_name": "Product",
      "is_admin": false,
      "permissions": [
        {
          "environment_type": "DEVELOPMENT",
          "permission": "VIEWER"
        },
        {
          "environment_type": "PREVIEW",
          "permission": "VIEWER"
        },
        {
          "environment_type": "STAGING",
          "permission": "VIEWER"
        },
        {
          "environment_type": "PRODUCTION",
          "permission": "VIEWER"
        }
      ]
    }
  ]
}

Attach user to a role

To attach a user to a role, you need to first list the available roles in your organization:

curl -X GET -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
"https://api.qovery.com/organization/:orgId/availableRole"

Then, update one of your members' roles by providing the target role ID using this API command:

I assume that you have already invited the user within your organization AND that this user has already accepted the invite.

curl -X PUT -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
-d '{"user_id": "User ID", "role_id": "Your target role id"}' \
"https://api.qovery.com/organization/:orgId/customRole/:customRoleId"

If you have any questions or you need any help, feel free to comment on this thread :point_down:


RBAC is now GA via the Web Console - See Documentation