You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Something is broken with service account query: query get_system_account{ serviceAccounts(serviceAccountUuid:"ckn09stlt26041rkjuzg9rz3n", entityType:DEPLOYMENT){ id, label, roleBinding{ id, role } } }
which outputs with:
3. But fortunately we can query with update mutation :) : mutation update_role_binding { updateServiceAccount(serviceAccountUuid:"ckmumddi889361qk1il2k0ij7", payload: { roleBinding: { role:SYSTEM_ADMIN } } ){ id, label, roleBinding{ id, role }, active } } Output looks ok, we are SYSTEM_ADMIN:
4. Now lets create a workspace: mutation CreateWorkspace { createWorkspace( label:"TestingWorkspaceFromAPI", description:"Created with system service account." ){ id, label } } and we are successful with that:
5. But this is where we are bumping into problem, service account is no longer a system service account, it's role binding has switched to WORKSPACE_ADMIN:
This makes usability of system service account very limited. Plus there is a problem with service listing in CLI as well - same issue with undefined roleBindings.
Is this something known and planned to be fixed?
I've didn't noticed that I was running not the latest version :/ In v0.23.12 system service account seems to work fine. However there is still a problem with query get_system_account{ serviceAccounts(serviceAccountUuid:"ckn09stlt26041rkjuzg9rz3n", entityType:DEPLOYMENT){ id, label, roleBinding{ id, role } } } It still complains about rolebindings being undefined.
The text was updated successfully, but these errors were encountered:
@burandobata Is this still a problem for you? Version 0.23 is not supported anymore, but if the problem still exists we'd like to fix it. @bote795 can you peek at this?
It looks like permissions of system service account are being degraded after it will create a workspace or deployment.Here is the whole process that is 100% reproducible:1. create a service account:mutation CreateSystemServiceAccount { createSystemServiceAccount(label: "system_service", role: SYSTEM_ADMIN, category: "admin") { apiKey, id, label, active, category, createdAt, updatedAt, entityType, entityUuid, roleBinding{ id, role, user{ id, username, status }, workspace{ id, label }, createdAt, deployment{ id, label }, serviceAccount{ id, label, entityType } }, workspaceUuid, deploymentUuid } }
You will receive output like:query get_system_account{ serviceAccounts(serviceAccountUuid:"ckn09stlt26041rkjuzg9rz3n", entityType:DEPLOYMENT){ id, label, roleBinding{ id, role } } }
which outputs with:
3. But fortunately we can query with update mutation :) :mutation update_role_binding { updateServiceAccount(serviceAccountUuid:"ckmumddi889361qk1il2k0ij7", payload: { roleBinding: { role:SYSTEM_ADMIN } } ){ id, label, roleBinding{ id, role }, active } }
Output looks ok, we are SYSTEM_ADMIN:4. Now lets create a workspace:mutation CreateWorkspace { createWorkspace( label:"TestingWorkspaceFromAPI", description:"Created with system service account." ){ id, label } }
and we are successful with that:5. But this is where we are bumping into problem, service account is no longer a system service account, it's role binding has switched to WORKSPACE_ADMIN:This makes usability of system service account very limited. Plus there is a problem with service listing in CLI as well - same issue with undefined roleBindings.Is this something known and planned to be fixed?I've didn't noticed that I was running not the latest version :/ In v0.23.12 system service account seems to work fine. However there is still a problem with
query get_system_account{ serviceAccounts(serviceAccountUuid:"ckn09stlt26041rkjuzg9rz3n", entityType:DEPLOYMENT){ id, label, roleBinding{ id, role } } }
It still complains about rolebindings being undefined.The text was updated successfully, but these errors were encountered: