https://www.runatlantis.io/ logo
Title
s

Seth Floyd

04/26/2023, 3:20 PM
Ive been looking around before I came here to ask this but I didnt find anything helpful. For the Atlantis web ui I need my SRE team to be able to access it to clear plans and locks if needed but i dont want my devs to be able to do that. I just want them to be able to click details and see the job output on an Atlantis run. Any way to do this? I see there is the BasicAuth option in my values.yaml file but that means everyone has/shares that username and password.
p

PePe Amengual

04/26/2023, 3:40 PM
Basic auth is to access the UI
there is no concept of groups or users in the UI
you could deploy an oauth proxy in front but anyone will be able to click that button if they have access
b

Bruno Schaatsbergen

04/26/2023, 4:03 PM
Where do you exactly run Atlantis?
On Google Cloud you could secure it with IAP (Identity Aware Proxy), and then grant access to the Atlantis UI via a Google login.
☝️ 1
Which works very well and is easy to setup.
s

Seth Floyd

04/26/2023, 4:35 PM
Runs in an EKS cluster
j

Justin S

04/26/2023, 4:58 PM
so, my dev's have no access to atlantis
SRE can access the UI via Okta.
Dev's could potentially see logs in Loki or w/e'
but in general, there is nothing in the atlantis UI, that would assist a developer more then the errors/outputs they get back to them in gitlab
👍 1
p

PePe Amengual

04/26/2023, 5:00 PM
PRs are welcome
j

Justin S

04/26/2023, 5:01 PM
honestly, the only thing I think that would be benficial, would be some semblance of a
yes im still running i swear
n

Neil Davies

04/26/2023, 5:40 PM
@Seth Floyd we run ours in AWS with a WAF & ELB in front. The WAF allows the details of the plans to get piped back from
/jobs/*
to the github webhook
☝️ 1