Do you guys have any guidance on how to set up an RBAC role to support micro gateway w/o having to use an org admin accout
HI folks!
I am wondering if Apigee has any guidance on how to avoid using Org Admin accounts to connect micro gateway to edge/private-cloud.
I dont want to distribute account information w/ that much power to my micro servers....
Best Answer
So as part of configuration aka wiring of edgemicro with an org, it deploys edgemicro-auth proxy which needs org admin credentials. But I hear what you are saying. Assuming edgemicro-auth is already deployed by org admins, one should be able to do the rest without requiring orgadmin credentials.
In mean time, I think what couple of other folks have done is use orgadmin credentials which updates agent's config.yaml, the updated config gets pushed to code repo which other folks then use.
can you move this to an answer? i think this will do it - we just have to model it.
Hi Benjamin,
Org admin credentials are only needed during initial setup. During run time, whoever needs to operate Microgateway only needs key and secret that gets generated during that initial setup by org admins.
So that means that i need to have a uid/pw of an org admin account deployed in a package, golden image, etc for automated deployments.
I understand that this is a "one time" use - but I am very much against distributing (even encrypted) uid/pw's in deployment packages. In fact i suspect i have a corporate security policy strictly forbidding it :)
on the other hand - I dont have one that prevents me from doing the same thing w/ some sort of limited permission set account.... which is why im asking this specific question.
So as part of configuration aka wiring of edgemicro with an org, it deploys edgemicro-auth proxy which needs org admin credentials. But I hear what you are saying. Assuming edgemicro-auth is already deployed by org admins, one should be able to do the rest without requiring orgadmin credentials.
In mean time, I think what couple of other folks have done is use orgadmin credentials which updates agent's config.yaml, the updated config gets pushed to code repo which other folks then use.
