Google SSO Authentication Permissions Not Working in Argo CD #21668

Open
artmimois opened this issue Jan 25, 2025 · 0 comments
Labels: bug (Something isn't working)

Describe the bug

When logging in via Google SSO, user permissions are not working correctly despite proper RBAC configuration. While authentication is successful, the user account appears to not exist in the system ("account does not exist" error) and has no admin permissions even though they are explicitly granted in the RBAC configuration.

To Reproduce

  1. Configure Argo CD with Google SSO authentication and RBAC as shown in the configurations below
  2. Log in via SSO:
       argocd login argocd-staging.mycompany.com --sso --grpc-web
  3. Try to verify account and permissions:
       argocd account get
       argocd account can-i delete applications '*/*'

Current Configuration

argocd-cm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  admin.enabled: "true"
  url: https://argocd-staging.mycompany.com
  dex.config: |
    connectors:
      - type: google
        id: google
        name: Google
        config:
          clientID: 7857791-idn5ql0t7sl6mncvel0t7sl0t7sl6mnp5068e.apps.googleusercontent.com #client id is fake
          clientSecret: $dex.google.clientSecret
          redirectURI: https://argocd-staging.mycompany.com/api/dex/callback
          hostedDomains:
            - mycompany.com
          groups:
            - [email protected]

argocd-rbac-cm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:admin, *, *, */*, allow
    g, [email protected], role:admin

Expected behavior

  1. After successful SSO login, the user account should exist in the system
  2. The user should have admin permissions as defined in the RBAC configuration
  3. The user should be able to perform admin operations (create/delete applications, terminate sync, etc.)

Actual behavior

  1. SSO authentication succeeds:
       Authentication successful
       '[email protected]' logged in successfully
  2. Account appears to not exist:
       argocd account get
       FATA[0000] rpc error: code = NotFound desc = account '[email protected]' does not exist
  3. No admin permissions despite RBAC configuration:
       argocd account can-i delete applications '*/*'
       no

Version Information

argocd: v2.11.4+e1284e1
  BuildDate: 2024-07-02T23:16:22Z
  GitCommit: e1284e19e03c9abab2ea55314b14b1e0381c4045
  GitTreeState: clean
  GoVersion: go1.22.4
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v2.10.9+c071af8
  BuildDate: 2024-04-30T15:53:28Z
  GitCommit: c071af808170bfc39cbdf6b9be4d0212dd66db0c
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v5.2.1 2023-10-19T20:13:51Z
  Helm Version: v3.14.3+gf03cc04
  Kubectl Version: v0.26.11
  Jsonnet Version: v0.20.0
artmimois added the bug label Jan 25, 2025
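
An added example, not part of the original issue and not Argo CD's own code: a simplified Python model of how the `policy.csv` and `policy.default` shown above resolve for a token with and without the admin group in its `groups` claim. The address `admins@example.com`, the one-line `READONLY` rule, the `SCOPES` default and all function names are assumptions made for illustration; Argo CD's real enforcer is Casbin-based.

```python
import fnmatch

# Constructed stand-ins: the group and user addresses are redacted on the page.
POLICY_CSV = """\
p, role:admin, *, *, */*, allow
g, admins@example.com, role:admin
"""
# Assumption: one-line approximation of the built-in read-only role.
READONLY = "p, role:readonly, *, get, */*, allow\n"
POLICY_DEFAULT = "role:readonly"  # policy.default from the page
SCOPES = ("groups",)              # assumed default of the RBAC `scopes` setting


def parse_policy(text):
    """Split policy CSV into permission (p) and binding (g) rules."""
    perms, bindings = [], []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            perms.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            bindings.append((fields[1], fields[2]))
    return perms, bindings


def resolve_roles(claims, bindings):
    """Roles reachable from `sub` and the claims named in SCOPES."""
    subjects = {claims.get("sub")}
    for scope in SCOPES:
        value = claims.get(scope, [])
        subjects.update([value] if isinstance(value, str) else value)
    roles = {role for subject, role in bindings if subject in subjects}
    roles.add(POLICY_DEFAULT)
    return roles


def can_i(claims, action, resource, obj):
    """Glob-match the request against every rule of the resolved roles."""
    perms, bindings = parse_policy(POLICY_CSV + READONLY)
    roles = resolve_roles(claims, bindings)
    return any(
        role in roles and effect == "allow"
        and fnmatch.fnmatchcase(resource, res_pat)
        and fnmatch.fnmatchcase(action, act_pat)
        and fnmatch.fnmatchcase(obj, obj_pat)
        for role, res_pat, act_pat, obj_pat, effect in perms
    )
```

In this model a token that carries only `sub` and `email` falls through to `role:readonly`, so `delete` is denied while `get` is allowed; the same token with the group in its `groups` claim resolves to `role:admin`.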