Add a new step to the 'Configure the dashboard with IAM' section
documenting the minimal IAM permissions required for dashboard users.
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
File changed: docs/openfaas-pro/dashboard.md
Lines changed: 46 additions & 1 deletion
@@ -208,7 +208,52 @@ If you have enabled [Identity and Access Management (IAM) for OpenFaaS](/openfaa
208
208
When using an internal certificate authority or self-signed TLS certificates for the OpenFaaS gateway or your identity provider, the dashboard will needs a custom CA bundle for making HTTP requests to these components.
209
209
210
210
See: [Custom CA bundle for OpenFaaS IAM](/openfaas-pro/iam/overview/#custom-tls-certificate-authority-bundle)
211
-
211
+
212
+
5. Create an IAM policy for dashboard users
213
+
214
+
Users that need to access the dashboard require a minimum set of IAM permissions. Without these permissions the user will not be able to list namespaces or view functions through the dashboard.
215
+
216
+
The minimal policy for dashboard access requires the following actions:
217
+
218
+
- `Namespace:List`- Required to list and select namespaces in the dashboard.
219
+
- `Function:List`- Required to list functions within a namespace.
220
+
- `Function:Get`- Required to view function details and metrics.
221
+
- `Function:Logs`- Required to view function logs.
222
+
223
+
Example Policy for read-only dashboard access:
224
+
225
+
```yaml
226
+
apiVersion: iam.openfaas.com/v1
227
+
kind: Policy
228
+
metadata:
229
+
name: dashboard-readonly
230
+
namespace: openfaas
231
+
spec:
232
+
statement:
233
+
- sid: dashboard-ro
234
+
action:
235
+
- Namespace:List
236
+
- Function:List
237
+
- Function:Get
238
+
- Function:Logs
239
+
effect: Allow
240
+
resource: ["*"]
241
+
```
242
+
243
+
This policy can be scoped to specific namespaces if needed. For example, to restrict a user to only view functions in the `dev` namespace:
244
+
245
+
```yaml
246
+
resource: ["dev:*"]
247
+
```
248
+
249
+
For users that need more than read-only access, the following actions can be added to the policy:
250
+
251
+
- `Function:Invoke`- Allows users to invoke functions that have [Function Authentication](/openfaas-pro/iam/function-authentication/) enabled.
252
+
- `Function:Delete`- Allows users to delete functions through the dashboard.
253
+
254
+
Since these are write-level permissions, they could also be added to a separate policy and only granted to users who need them.
255
+
256
+
Assign the policies to any [Role](/openfaas-pro/iam/example-auth0/#bind-a-policy-to-a-role) that requires access to the dashboard.
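Review bot: the read-only example ends with `resource: ["*"]`, which grants `Function:Logs` across every namespace, while namespace scoping is only mentioned afterwards as optional; since function logs can carry request payloads and other sensitive data, consider making the scoped form (`resource: ["dev:*"]`) the primary example, or at least stating next to the `*` example that it exposes logs cluster-wide. The `resource: ["dev:*"]` fragment is also shown without its surrounding statement, so it is not obvious that it replaces the `resource` field of the `dashboard-ro` statement rather than being appended; a complete second Policy would avoid copy-paste mistakes, and the same applies to the write-level section, which says `Function:Invoke` and `Function:Delete` "could also be added to a separate policy" without showing one. Minor: the bullets read "`Namespace:List`- Required" with no space before the dash, "Example Policy" should be lowercase "policy", and the unchanged context line above still says "the dashboard will needs a custom CA bundle", which could be fixed in the same commit.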