Skip to main content

How to create an AWS Identity Center Application for ArgoCD

In order to authenticate with ArgoCD, we recommend using an AWS IAM Identity Center SAML Application. These apps can use existing Identity Center groups that we've already setup as part of the Identity layer.

Create AWS Identity Center Applications

  1. For each dev, staging, and prod in the plat tenant, create an IAM Identity Center Application.

  2. Use the 'callback' url of eks/argocd for both the ACS URL and the SAML Audience fields. For example, https://argocd.use1.dev.plat.acme-svc.com/api/dex/callback. This should be your service domain.

  3. Next, update the custom SAML application attributes:

    NameValueType
    Subject${user:subject}persistent
    email${user:email}unspecified
    groups${user:groups}unspecified
  4. Now assign AWS Identity Center groups to the SAML app. If you ever recreate the groups, you'll need to go back to the SAML application and remove/re-add the group.

  5. Record the IDs of each group you assigned. If you've recently updated the groups, you'll likely need to redo this step as group IDs change on any significant updates.

  6. Update the config for eks/argocd to use the given AWS Identity Center groups groups:

    components:
    terraform:
    eks/argocd:
    vars:
    # Note: the IDs for AWS Identity Center groups will change if you alter/replace them:
    argocd_rbac_groups:
    - group: deadbeef-dead-beef-dead-beefdeadbeef
    role: admin
    - group: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    role: reader
  7. Finally, for each stage run atmos terraform deploy sso-saml-provider -s plat-use1-{ stage }

Tip

If you get any errors using AWS SSO, make sure the Subject attribute is set to persistent and connect to the cluster with set-cluster plat-{ region }-{ stage } admin && kubens argocd and then delete the dex pod to reset it.

References