Assuming different roles when running tw CLI commands
evaluating
Crimson Koala
In the Seqera Platform, I am an Owner role. On a separate EC2 instance, I've set up the tw CLI using my personal access token so I can run things like tw launch programmatically. As an Owner, I was wondering if there is a way to assume a different role (among the 5 roles - Owner, Admin, Maintain, Launch, View) with tw CLI without explicitly changing my role in the Seqera Platform? So basically, a command like:
tw launch --assume-role maintain ...
This would be extremely useful because we need to verify the privileges of each role - e.g., that the Maintain role cannot modify Compute environment and Credentials - and it would be best if we could do this programmatically with the tw CLI.
If there is another method of doing this that you could suggest, that would be great as well. Otherwise, we will need to log into the Seqera Platform as each of these roles and test these privileges manually, one-by-one.
Charcoal Mandrill
I just wanted to point out;
> Otherwise, we will need to log into the Seqera Platform as each of these roles and test these privileges manually, one-by-one.
If you are using something like the enterprise OIDC for your Seqera Platform, this is not even possible. It's not possible to log in to any other Seqera Platform user accounts when you are required by your institution to only allow access to Platform via OIDC which is tied to a user's company user account with AD etc. applied.
So this situation is even worse in enterprise settings where there seems to be no actual way for any of the Seqera Platform admins to verify that the user access controls to various resources inside Platform are actually working as intended to limit users' ability to access and modify these resources.
If there's some way to do this I would love to know and I think it would correspond to the feature request being asked for here.
Rob Newman
evaluating
Rob Newman
acknowledged
Rob Newman
Hello Crimson Koala: This has been logged as a feature enhancement on the Tower CLI GitHub repository.
Rob Newman
Hello Crimson Koala: The Tower CLI leverages the Seqera API functionality and currently there is no "impersonate user" or "assume role" mechanism on the Seqera API. We will investigate the feasibility of this.