Cloud Automation user permissions

Upgrade to Site Reliability Guardian & Workflows

Our Site Reliability Guardian & Workflows incorporate the Cloud Automation use cases. As Cloud Automation support will be discontinued on December 31, 2024, we recommend a timely upgrade from Cloud Automation to Site Reliability Guardian. Please contact your account team for additional information and assistance.

To work with the Cloud Automation UI (bridge) and API, you need permissions as described below.

Define policies

Cloud Automation provides three default policies with view, approve, or admin permissions. They can be bound to groups, but we don't recommend that you customize them. Instead, create a new policy as described below.

To define a custom policy for a certain user group

  1. Go to Account Management. If you have more than one account, select the account you want to manage.

  2. Select Identity & access management > Policies.

  3. Select Add policy.

  4. Enter a policy name and, optionally, a description of your policy. For example, to create an approver policy with a project restriction, you need a policy containing the following two policy statements. The first statement is unconditional; the WHERE clause of the second applies to every permission listed in that statement, so the approver can send events only for the named project:

    ALLOW
    cloudautomation:integrations:read,
    cloudautomation:logs:read,
    cloudautomation:metadata:read,
    cloudautomation:secrets:read,
    cloudautomation:projects:read,
    cloudautomation:events:read;
    ALLOW
    cloudautomation:resources:read,
    cloudautomation:services:read,
    cloudautomation:stages:read,
    cloudautomation:events:write WHERE cloudautomation:project = "project-name";
  5. Optional: Depending on the policy statement you have defined, you can add conditions, as shown in the example of an approver with a project restriction. The conditions allowed for each policy statement are listed below.

    Policy statements and the conditions they accept:

    cloudautomation:events:read
      Conditions: cloudautomation:project [1], cloudautomation:stage, cloudautomation:service, cloudautomation:event
      Permission to read events in Cloud Automation.
    cloudautomation:events:write
      Conditions: cloudautomation:project, cloudautomation:stage, cloudautomation:service, cloudautomation:event
      Permission to send events to Cloud Automation.
    cloudautomation:projects:read
      Conditions: cloudautomation:project [1]
      Permission to read projects in Cloud Automation.
    cloudautomation:projects:write
      Conditions: cloudautomation:project
      Permission to write or edit projects in Cloud Automation.
    cloudautomation:projects:delete
      Conditions: cloudautomation:project
      Permission to delete projects in Cloud Automation.
    cloudautomation:stages:read
      Conditions: cloudautomation:project, cloudautomation:stage
      Permission to read stages in Cloud Automation.
    cloudautomation:services:read
      Conditions: cloudautomation:project, cloudautomation:stage, cloudautomation:service
      Permission to read services in Cloud Automation.
    cloudautomation:services:write
      Conditions: cloudautomation:project, cloudautomation:stage, cloudautomation:service
      Permission to write or edit services in Cloud Automation.
    cloudautomation:services:delete
      Conditions: cloudautomation:project, cloudautomation:stage, cloudautomation:service
      Permission to delete services in Cloud Automation.
    cloudautomation:resources:read
      Conditions: cloudautomation:project, cloudautomation:stage, cloudautomation:service
      Permission to read resources stored in the Git repository.
    cloudautomation:resources:write
      Conditions: cloudautomation:project, cloudautomation:stage, cloudautomation:service
      Permission to write or edit resources stored in the Git repository.
    cloudautomation:resources:delete
      Conditions: cloudautomation:project, cloudautomation:stage, cloudautomation:service
      Permission to delete resources stored in the Git repository.

    [1] Because of a known limitation, this condition doesn't work in the Cloud Automation frontend. Do not set this condition if the policy should control user interactions.

    Policy statements that take no conditions:

    cloudautomation:metadata:read
      Permission to read the API token and metadata of Cloud Automation.
    cloudautomation:logs:read
      Permission to read logs of Cloud Automation.
    cloudautomation:logs:write
      Permission to write logs for Cloud Automation.
    cloudautomation:integrations:read
      Permission to read integrations used in Cloud Automation.
    cloudautomation:integrations:write
      Permission to write or edit integrations used in Cloud Automation.
    cloudautomation:integrations:delete
      Permission to delete integrations used in Cloud Automation.
    cloudautomation:secrets:read
      Permission to read secrets used in Cloud Automation.
    cloudautomation:secrets:write
      Permission to write secrets used in Cloud Automation.
    cloudautomation:secrets:delete
      Permission to delete secrets used in Cloud Automation.
  6. Select Save.
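Before binding a policy to a group it helps to see exactly which requests it grants. The following is an added example, not Dynatrace code: a small evaluator that models only the policy semantics this page shows (ALLOW statements ended by a semicolon, a comma-separated permission list, an optional WHERE clause of attribute = "value" terms joined with AND). It parses the approver policy from step 4, answers allow/deny questions for sample requests, and flags the cloudautomation:project condition on events:read and projects:read that the footnote says the frontend ignores. The names FRONTEND_IGNORED, parse_policy, is_allowed and frontend_ignored_conditions are this example's own; the real policy language has more operators than are modelled here, and anything else is rejected rather than guessed at.

```python
"""Toy evaluator for ALLOW ... WHERE ... policy statements (added example).

Models only what the page describes: every statement is an ALLOW, the
WHERE clause scopes all permissions of its own statement, and a request is
granted if any statement lists the permission and all of that statement's
conditions match the request attributes. Not Dynatrace's policy engine.
"""
import re
from dataclasses import dataclass, field

# Policy from step 4 on this page: an approver restricted to one project.
APPROVER_POLICY = """
ALLOW
cloudautomation:integrations:read,
cloudautomation:logs:read,
cloudautomation:metadata:read,
cloudautomation:secrets:read,
cloudautomation:projects:read,
cloudautomation:events:read;
ALLOW
cloudautomation:resources:read,
cloudautomation:services:read,
cloudautomation:stages:read,
cloudautomation:events:write WHERE cloudautomation:project = "project-name";
"""

# (permission, condition attribute) pairs the page's footnote says the
# Cloud Automation frontend does not enforce (hypothetical constant name).
FRONTEND_IGNORED = {
    ("cloudautomation:events:read", "cloudautomation:project"),
    ("cloudautomation:projects:read", "cloudautomation:project"),
}

# One condition term: attribute = "value"
_TERM_RE = re.compile(r'^([\w:-]+)\s*=\s*"([^"]*)"$')


@dataclass
class Statement:
    permissions: frozenset
    conditions: dict = field(default_factory=dict)  # attribute -> required value


def parse_policy(text):
    """Parse policy text into Statement objects; reject anything unmodelled."""
    statements = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        if not raw.startswith("ALLOW"):
            raise ValueError(f"only ALLOW statements are modelled: {raw[:30]!r}")
        parts = re.split(r"\bWHERE\b", raw[len("ALLOW"):], maxsplit=1)
        perms = frozenset(p.strip() for p in parts[0].split(",") if p.strip())
        if not perms:
            raise ValueError("ALLOW statement without permissions")
        conditions = {}
        if len(parts) == 2:
            for term in re.split(r"\bAND\b", parts[1]):
                m = _TERM_RE.match(term.strip())
                if not m:
                    raise ValueError(f"unsupported condition term: {term.strip()!r}")
                attr, value = m.groups()
                if attr in conditions:
                    raise ValueError(f"attribute {attr} conditioned twice")
                conditions[attr] = value
        statements.append(Statement(perms, conditions))
    return statements


def is_allowed(statements, permission, attrs):
    """True if some statement grants `permission` and all its conditions hold.

    A request that lacks a conditioned attribute never satisfies the
    condition, so an unscoped request cannot slip past a project restriction.
    """
    for st in statements:
        if permission in st.permissions and all(
            attrs.get(a) == v for a, v in st.conditions.items()
        ):
            return True
    return False


def frontend_ignored_conditions(statements):
    """Return (permission, attribute) pairs the bridge UI will not enforce."""
    found = []
    for st in statements:
        for perm in sorted(st.permissions):
            for attr in st.conditions:
                if (perm, attr) in FRONTEND_IGNORED:
                    found.append((perm, attr))
    return found


if __name__ == "__main__":
    policy = parse_policy(APPROVER_POLICY)
    print("approve in project-name:",
          is_allowed(policy, "cloudautomation:events:write",
                     {"cloudautomation:project": "project-name"}))
    print("approve in another project:",
          is_allowed(policy, "cloudautomation:events:write",
                     {"cloudautomation:project": "other"}))
    print("conditions the UI ignores:", frontend_ignored_conditions(policy))
```

Running it shows the two halves of the approver policy behave differently: events:read from the first statement is granted for any project because that statement carries no WHERE clause, while events:write is granted only when the request's cloudautomation:project attribute equals "project-name". Run frontend_ignored_conditions over any policy that is meant to restrict what users see in the bridge; a non-empty result means the restriction exists only for API callers.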

Define a group

To define a group

  1. Go to Account Management. If you have more than one account, select the account you want to manage.
  2. Select Identity & access management > Groups.
  3. Select Create group.
  4. On Group details, name and describe the group, and then select Next.
  5. On Group permissions, select any needed permissions and then select Next.
  6. On Group policies, select the policies to assign to the group and then select Next.
  7. On Permissions, review the group permissions. If you need to change anything, select Previous to return to a previous page.
  8. When you are satisfied with the group permissions, select Create Group.

Assign a user to a group

You can add an existing or new user to a group.

Authenticate the Cloud Automation user

After assigning a user to a user group that contains at least view permission, the user can authenticate on the Cloud Automation bridge.

Open https://<YOUR-CLOUD-AUTOMATION-INSTANCE>/bridge, replacing the placeholder <YOUR-CLOUD-AUTOMATION-INSTANCE> with your own value.