Version: Early Access

Configure Permissions for Argo CD Live Deployments

This article provides a step-by-step process for configuring permissions in Argo CD to enable secure integration with Digital.ai Release Live Deployments. You’ll learn how to set up RBAC, service accounts, and API tokens, along with best practices for both platforms.

Why configure permissions?

Proper permissions allow Release to monitor, trigger, and synchronize deployments with Argo CD, while maintaining security and compliance.

Configure Permissions in Argo CD

Argo CD uses Role-Based Access Control (RBAC) to manage access. You must log on to your Argo CD server (administrator access required) to perform these steps.

Set Up Application Permissions

Assign the following permissions to the service account or user used by Digital.ai Release:

# Minimum required permissions for live deployments
p, role:deployment-integration, applications, get, */*, allow
p, role:deployment-integration, applications, list, */*, allow
p, role:deployment-integration, applications, watch, */*, allow
p, role:deployment-integration, applications, sync, */*, allow
p, role:deployment-integration, applications, action/*, */*, allow

Configure Project-Level Access

For project-specific access, add these permissions:

Project-level permissions
p, role:deployment-integration, projects, get, *, allow
p, role:deployment-integration, repositories, get, *, allow
p, role:deployment-integration, clusters, get, *, allow

Generate API Token for Integration

Steps:

  1. Log on to the Argo CD server.
  2. Create a service account:
     argocd account generate-token --account <service-account-name>
  3. Assign the required role to the service account:
     argocd proj role add-token <project-name> <role-name>

Token Permissions Scope

The generated token should allow:

  • Read access: Monitor application status and configuration
  • Sync access: Trigger synchronization
  • Action access: Perform deployment actions

Update Argo CD RBAC Policy

Add the following to your argocd-rbac-cm ConfigMap:

argocd-rbac-cm ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    # Live Deployment Integration Role
    p, role:live-deployment, applications, get, */*, allow
    p, role:live-deployment, applications, list, */*, allow
    p, role:live-deployment, applications, watch, */*, allow
    p, role:live-deployment, applications, sync, */*, allow
    p, role:live-deployment, applications, action/*, */*, allow
    p, role:live-deployment, logs, get, */*, allow
    p, role:live-deployment, exec, create, */*, allow

    # Bind role to service account
    g, digital-ai-release, role:live-deployment
  policy.default: role:readonly
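
The ConfigMap policy grants `logs, get` and `exec, create` in addition to the minimum set listed under "Set Up Application Permissions"; in Argo CD the `exec` resource governs opening a terminal in application pods. The following check is an added example, not Digital.ai or Argo CD code: it parses a policy.csv body and reports grants beyond that minimum and wildcard object scopes. The names `MINIMUM`, `parse_policy` and `review` are assumptions of this example, and the input is the policy text from this page.

```python
import csv
import io

# Minimum grants listed on this page under "Set Up Application Permissions".
MINIMUM = {("applications", a) for a in ("get", "list", "watch", "sync", "action/*")}
FIELDS = ("subject", "resource", "action", "object", "effect")

# Constructed input: the policy.csv body from the ConfigMap above.
POLICY_CSV = """\
# Live Deployment Integration Role
p, role:live-deployment, applications, get, */*, allow
p, role:live-deployment, applications, list, */*, allow
p, role:live-deployment, applications, watch, */*, allow
p, role:live-deployment, applications, sync, */*, allow
p, role:live-deployment, applications, action/*, */*, allow
p, role:live-deployment, logs, get, */*, allow
p, role:live-deployment, exec, create, */*, allow

# Bind role to service account
g, digital-ai-release, role:live-deployment
"""

def parse_policy(text):
    """Split a policy.csv body into permission rows (p) and role bindings (g)."""
    grants, bindings = [], []
    for row in csv.reader(io.StringIO(text)):
        row = [cell.strip() for cell in row]
        if not row or row[0].startswith("#"):
            continue  # skip blank lines and comments
        if row[0] == "p" and len(row) == 6:
            grants.append(dict(zip(FIELDS, row[1:])))
        elif row[0] == "g" and len(row) == 3:
            bindings.append((row[1], row[2]))
    return grants, bindings

def review(text, role):
    """Return (findings, bound_subjects) for one role's allow rules."""
    grants, bindings = parse_policy(text)
    findings = []
    for g in grants:
        if g["subject"] != role or g["effect"] != "allow":
            continue
        if (g["resource"], g["action"]) not in MINIMUM:
            findings.append(("beyond-minimum", g["resource"], g["action"]))
        if "*" in g["object"]:
            findings.append(("wildcard-scope", g["resource"], g["action"]))
    return findings, [s for s, r in bindings if r == role]
```

Calling `review(POLICY_CSV, "role:live-deployment")` returns the findings together with the subjects bound to the role, so the same check can run in CI against the policy exported from the cluster.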

Configure Permissions in Digital.ai Release

Digital.ai Release uses roles and folder-level permissions. Ensure you have the following before integrating with Argo CD.

Set Up Global Permissions

You need one of:

  • Admin or Release Admin global role
  • Custom role with:
    • release.create (create releases)
    • release.edit (edit releases)
    • template.create (create templates)
    • template.edit (edit templates)

Configure Folder-Level Permissions

Required folder permissions:

  • Create Release
  • Edit Release
  • View Release
  • Create Template
  • Edit Template
  • Manage Folder Security (if applicable)

How to set:

  1. Go to Settings > Folders
  2. Select the folder
  3. Click Teams
  4. Assign permissions

Live Deployment Task & Connection Permissions

To configure Argo CD connections:

  • Global: admin or connections.manage
  • Actions: Create, edit, test, and view connections

For live deployment tasks:

  • release.task.create
  • release.task.edit
  • release.task.transition
  • release.task.viewReports

Create and Assign Service Account

Steps:

  1. Log on to Digital.ai Release
  2. Go to Settings > Users
  3. Click Add User > Service Account
  4. Configure:
    • Name: argocd-integration-service
    • Type: Service Account
    • Authentication: API Token
  5. Assign roles:
    • Release Manager (release operations)
    • Folder Manager (specific folders)
    • Custom role with:
      • connections.manage
      • deployments.create
      • deployments.edit
      • deployments.view
      • deployments.execute

Generate and Manage API Tokens

Steps:

  1. Log on to Digital.ai Release
  2. Go to User Profile > API Tokens
  3. Click Generate New Token
  4. Configure:
    • Name: ArgoCD Integration Token
    • Expiration: per security policy
    • Permissions: inherit from user role

Token Security Best Practices

  • Rotate tokens regularly
  • Use separate tokens for different environments
  • Store tokens securely in Release’s credential store
  • Monitor token usage with audit logs

Audit and Compliance

Permissions for monitoring deployments:

  • audit.view: View audit logs
  • reports.view: View deployment reports
  • reports.create: Create custom reports

Enable compliance tracking for:

  • Connection changes
  • Deployment executions
  • Permission modifications
  • Failed authentication attempts

Best Practices

Follow these recommendations for both Argo CD and Release:

Security Recommendations

  1. Principle of Least Privilege: Grant only necessary permissions
  2. Role Segregation: Separate deployment and configuration roles
  3. Regular Audits: Review permissions quarterly
  4. Token Rotation: Automate token rotation
  5. Environment Isolation: Use different service accounts per environment

Permission Matrix

Required permissions for common roles:

| Role | ArgoCD Permissions | Digital.ai Permissions | Use Case |
|---|---|---|---|
| Deployment Operator | read, sync | release.execute, deployments.view | Execute deployments |
| Release Manager | read, sync, action | release., deployments. | Manage releases and deployments |
| Administrator | admin | admin | Full system administration |
| Viewer | read | release.view, deployments.view | Read-only access |
