Access & Permissions
Access You'll Need
| System | What to Request | Who Grants It |
|---|---|---|
| GCP orofi-dev-cloud | [NEEDS TEAM INPUT: role — e.g., roles/viewer or roles/container.developer] | [NEEDS TEAM INPUT: team lead / GCP admin] |
| GCP orofi-stage-cloud | [NEEDS TEAM INPUT: role] | [NEEDS TEAM INPUT] |
| Bitbucket oro-codebase workspace | Read/write to relevant repos | [NEEDS TEAM INPUT] |
| ArgoCD | Developer role | [NEEDS TEAM INPUT] |
| Grafana | Viewer or Editor | [NEEDS TEAM INPUT] |
| GCP Secret Manager (read) | roles/secretmanager.viewer on specific secrets | [NEEDS TEAM INPUT] |
GCP IAM Roles
User IAM bindings are managed via Terraform in infrastructure-management/modules/users-access/. To request access:
- [NEEDS TEAM INPUT: describe the request process — Jira ticket, Slack message to platform team, PR to users-access module?]
- Specify: GCP project, resource(s), role, justification
Principle of Least Privilege
Request only the access you need. Service accounts should not be used for human access — request IAM bindings for your personal GCP identity instead.
Kubernetes Access
Kubernetes access is granted through GCP IAM — having the right role on the GCP project automatically grants access to the GKE cluster.
Typical roles needed:
- roles/container.viewer — read-only cluster access (view pods, logs)
- roles/container.developer — deploy and manage workloads
- roles/container.admin — full cluster administration (platform team only)
After getting GCP access, configure kubectl as described in Onboarding.
ArgoCD Access
ArgoCD defaults to role:readonly for all users. This allows viewing application state but not triggering syncs.
[NEEDS TEAM INPUT: how to request elevated ArgoCD access — editor/admin role for performing syncs and rollbacks.]
Secret Access
Secrets in GCP Secret Manager are access-controlled per secret. Microservices access secrets via Workload Identity (no human needs this). Human access to secrets is restricted and should be requested only for debugging:
- roles/secretmanager.viewer — see secret names and metadata (not values)
- roles/secretmanager.secretAccessor — read secret values (restricted)
[NEEDS TEAM INPUT: process for temporary secret access during incidents.]
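To make the two Secret Manager roles and the Terraform-managed bindings under GCP IAM Roles concrete, here is an added Terraform example (not the project's users-access module code) of a per-secret, time-limited binding for a human debugging an incident. The project name is taken from the access table; the secret id, user, incident reference and expiry timestamp are placeholders.

```hcl
# Added example, not the project's users-access module. Scopes human access
# to ONE secret in ONE project and makes value access expire on its own.
locals {
  project = "orofi-stage-cloud"          # project from the access table
  secret  = "EXAMPLE_SECRET_ID"          # placeholder secret id
  user    = "user:jane.doe@orofi.xyz"    # placeholder personal identity (not a service account)
}

# Metadata only: the engineer can confirm the secret and its versions exist
# without ever seeing a payload. Safe to leave in place longer.
resource "google_secret_manager_secret_iam_member" "debug_viewer" {
  project   = local.project
  secret_id = local.secret
  role      = "roles/secretmanager.viewer"
  member    = local.user
}

# Value access: still bound to the single secret (never project-wide) and
# guarded by an IAM condition, so the binding stops working after the
# incident window even if nobody remembers to remove it from Terraform.
resource "google_secret_manager_secret_iam_member" "debug_accessor" {
  project   = local.project
  secret_id = local.secret
  role      = "roles/secretmanager.secretAccessor"
  member    = local.user

  condition {
    title       = "incident-INC-0000-temporary"   # placeholder incident reference
    description = "Temporary value access for incident debugging; expires automatically"
    expression  = "request.time < timestamp(\"2025-01-01T00:00:00Z\")"   # placeholder expiry
  }
}
```

Review the expired binding out of the module afterwards; the condition stops it working, but the access review is where it gets removed for good.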
Grafana Access
Grafana is behind Google OAuth2. Anyone with an @orofi.xyz Google account can log in. Access levels:
- Viewer — default for everyone
- Editor — can modify dashboards
- Admin — can manage data sources and users
[NEEDS TEAM INPUT: how to request Editor/Admin access in Grafana.]
Firebase Access
The firebase-admin-sdk service account is used by the communication and identity microservices. Human access to Firebase is managed via the Firebase console.
[NEEDS TEAM INPUT: Firebase project name and access request process.]
Access Review
[NEEDS TEAM INPUT: describe the access review process — quarterly review, who is responsible, how unused access is removed.]
See Also
- Onboarding — complete setup guide
- Security Model — how IAM and secrets work
- Compliance — access matrix and audit requirements