Limit use of artifact accounts


#1

I’m trying to set up artifact accounts in 1.8.5 for GitLab and GCS. I noticed that there are very few options for adding the accounts in Halyard. I’m looking for a way to limit the artifact accounts somehow so that not every user can select all the configured artifact accounts.

I’m hoping to have some kind of separation of artifact accounts per project/application. The documentation implies that this is possible but I haven’t found tips on how to do it.

Is there a way to accomplish this or is the only use case for artifacts to have one global account to be shared by all?

Thanks in advance for help.


#2

Hi @trissanen, at the present time there’s no way to segregate access to artifacts in Spinnaker. This is definitely a concern that we share and it’s a feature that we’re actively looking into. The current thinking is that we’ll expand Fiat to encompass Artifacts and thereby enable access control for them but the implementation details haven’t been nailed down yet.


#3

Thanks for the clarification, @sbws. I’m trying to find a way to work around this issue. Do you know if the artifacts themselves live in the application scope? Meaning, can another pipeline override an artifact from another pipeline?


#4

@trissanen: I’m not sure I understand what you mean by having a pipeline override an artifact from another pipeline. In general a particular artifact is specific to a pipeline; it’s passed between stages of a pipeline but not across pipelines (except in the case where a pipeline is itself a stage of a parent pipeline).

What is passed around in Spinnaker is really just a reference to an external object; it’s only at the point where an artifact is used that it’s actually fetched from the external system (using the credentials associated with the artifact account).


#5

Thanks @ezimanyi. I still haven’t managed to make a working example of producing artifacts so I haven’t been able to test this properly.

My main concern was if one team is able to screw up another team’s deployment by using the same artifact name (which seems to be just an arbitrary string). As we can’t seem to be able to separate the teams with artifact accounts…

But if artifacts exist only in the scope of one pipeline we can configure a shared global artifact account and let teams use that and that would be just fine for our use case.


#6

> But if artifacts exist only in the scope of one pipeline we can configure a shared global artifact account and let teams use that and that would be just fine for our use case

That’s exactly right – you can think of the artifact as a pointer scoped to that particular execution.
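
Since the thread establishes that access to artifact accounts cannot be restricted per application, the sketch below is an added example (not part of the thread and not Spinnaker code) of an after-the-fact audit over exported pipeline JSON that reports applications referencing an artifact account outside a per-application allowlist. The allowlist, the account and application names, the sample pipelines, and the assumption that account references sit under keys named `artifactAccount` or ending in `ArtifactAccount` are all constructed for illustration.

```python
import json

# Constructed policy: artifact accounts each application is expected to use.
ALLOWED = {
    "team-a-app": {"team-a-gcs"},
    "team-b-app": {"team-b-gitlab"},
}

# Constructed sample of exported pipeline definitions.
SAMPLE = json.loads("""
[
  {"application": "team-a-app", "name": "deploy",
   "expectedArtifacts": [{"id": "a1", "matchArtifact": {
       "type": "gcs/object", "name": "gs://team-a/manifest.yml",
       "artifactAccount": "team-a-gcs"}}],
   "stages": [{"type": "deployManifest",
               "manifestArtifactAccount": "team-a-gcs"}]},
  {"application": "team-b-app", "name": "release",
   "stages": [{"type": "deployManifest",
               "manifestArtifactAccount": "team-a-gcs"}]}
]
""")

def artifact_accounts(node):
    """Yield every artifact account name referenced anywhere in a pipeline."""
    if isinstance(node, dict):
        for key, value in node.items():
            # Assumption: account references live under keys named
            # "artifactAccount" or ending in "ArtifactAccount".
            if key.lower().endswith("artifactaccount") and isinstance(value, str):
                yield value
            else:
                yield from artifact_accounts(value)
    elif isinstance(node, list):
        for item in node:
            yield from artifact_accounts(item)

def audit(pipelines, allowed):
    """Return sorted (application, pipeline, account) tuples outside the policy."""
    findings = set()
    for pipeline in pipelines:
        app = pipeline.get("application", "<unknown>")
        permitted = allowed.get(app, set())  # unknown application: nothing allowed
        for account in artifact_accounts(pipeline):
            if account not in permitted:
                findings.add((app, pipeline.get("name", "<unnamed>"), account))
    return sorted(findings)

if __name__ == "__main__":
    for app, name, account in audit(SAMPLE, ALLOWED):
        print(f"{app}/{name}: unapproved artifact account {account!r}")
```

This only reports deviations; nothing in it prevents a pipeline from selecting any configured account.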