AWS eks documentation change
Summary
Enhanced documentation for Argo CD role permissions and project configurations. Added clarifications for ADMIN/EDITOR/VIEWER role capabilities, emphasized global role mapping requirements, specified sourceNamespaces field in AppProject examples, and provided guidance on using Identity Center IDs instead of names.
Security assessment
Changes focus on access control best practices and configuration requirements (e.g., mandatory sourceNamespaces, Identity Center ID usage) but lack evidence of addressing a specific vulnerability. The updates strengthen security documentation by clarifying permission boundaries and reducing misconfiguration risks.
Diff
diff --git a/eks/latest/userguide/argocd-permissions.md b/eks/latest/userguide/argocd-permissions.md index 5fa8ae6b7..3c4403c3d 100644 --- a//eks/latest/userguide/argocd-permissions.md +++ b//eks/latest/userguide/argocd-permissions.md @@ -51,0 +52,2 @@ Full access to all applications and settings: + * List and access all clusters and repositories + @@ -64,0 +67,2 @@ Can create and modify applications but cannot change Argo CD settings: + * List and access all clusters and repositories + @@ -81,0 +86,4 @@ Read-only access to applications: + * List all projects (including projects the user is not assigned to) + + * Cannot list clusters or repositories + @@ -88,0 +97,4 @@ Read-only access to applications: +###### Note + +The VIEWER role provides limited visibility: users can see all projects but cannot list clusters or repositories. To grant access to specific applications, assign users to project-specific roles in addition to the global VIEWER role. + @@ -184,0 +197,6 @@ Use Argo CD Projects (AppProject) to provide fine-grained access control and res +###### Important + +Before assigning users or groups to project-specific roles, you must first map them to a global Argo CD role (ADMIN, EDITOR, or VIEWER) in the capability configuration. Users cannot access Argo CD without a global role mapping, even if they’re assigned to project roles. + +Consider mapping users to the VIEWER role globally, then grant additional permissions through project-specific roles. This provides baseline access while allowing fine-grained control at the project level. + @@ -208,0 +227,4 @@ Projects provide: + # Required: Specify which namespaces this project watches for Applications + sourceNamespaces: + - argocd + @@ -229,0 +252,4 @@ Projects provide: +###### Important + +The managed capability requires AppProject resources to specify `.spec.sourceNamespaces` to define which namespaces the project can watch for Applications. Typically, this should be set to the namespace you specified when creating the capability (usually `argocd`). + @@ -242 +268,4 @@ Users with EDITOR or VIEWER roles can be restricted to specific projects. ADMIN - # Map Identity Center groups to project roles + sourceNamespaces: + - argocd + + # Map Identity Center groups or users to project roles @@ -249 +278 @@ Users with EDITOR or VIEWER roles can be restricted to specific projects. ADMIN - - TeamADevelopers + - 686103e0-f051-7068-b225-e6392b959d9e # Identity Center group ID @@ -256 +285,6 @@ Users with EDITOR or VIEWER roles can be restricted to specific projects. ADMIN - - TeamAViewers + - 786203e0-f051-7068-b225-e6392b959d9f # Identity Center group ID + - 886303e0-f051-7068-b225-e6392b959da0 # Identity Center user ID also works + +###### Note + +Use Identity Center group IDs (not group names) in the `groups` field. You can also use Identity Center user IDs for individual user access. Find these IDs in the AWS Identity Center console or using the AWS CLI.