Commit c499b2b

docs: update gitops service agent role (#946)
* update gitops service agent role
* Update mintlify/snippets/tutorials/create-service-account-gitops.mdx

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot <[email protected]>
1 parent 10b3d5a commit c499b2b

3 files changed

+28
-39
lines changed

mintlify/administration/roles.mdx

Lines changed: 20 additions & 19 deletions
@@ -32,6 +32,7 @@ Bytebase provides two types of roles:
3232
- `Project Releaser` - Approve and release changes
3333
- `SQL Editor User` (formerly `Project Querier`) - Query in SQL Editor; export results directly from the Editor
3434
- `Project Viewer` - Read-only access
35+
- `GitOps Service Agent` - Automated CI/CD workflows to create and execute database changes via GitOps
3536

3637
#### Custom Roles
3738

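Review bot: The new `GitOps Service Agent` bullet at line 35 does not say that the role is meant for service accounts rather than human users, although the other two files in this commit only ever grant it to a CI/CD service account. Consider stating that in the bullet itself (for example "for service accounts used by automated CI/CD workflows") so it is not read as one more human role next to `Project Releaser` and `Project Viewer`.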
@@ -130,22 +131,22 @@ By default, the first registered user is granted the `Admin` role, all following
130131

131132
Any user can create project. By default, the project creator is granted the `Project Owner` role. `Workspace DBA` and `Workspace Admin` assume the `Project Owner` role for all projects.
132133

133-
| Project Permission | SQL Editor User | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
134-
| ---------------------------- | --------------- | ----------------- | ------------- | ------------- | --------------- |
135-
| Change project role | | | ✔️ | ✔️ | ✔️ |
136-
| Edit project | | | ✔️ | ✔️ | ✔️ |
137-
| Archive project | | | ✔️ | ✔️ | ✔️ |
138-
| Configure UI/GitOps workflow | | | ✔️ | ✔️ | ✔️ |
134+
| Project Permission | SQL Editor User | Project Developer | Project Releaser | GitOps Service Agent | Project Owner | Workspace DBA | Workspace Admin |
135+
| ---------------------------- | --------------- | ----------------- | ---------------- | -------------------- | ------------- | ------------- | --------------- |
136+
| Change project role | | | | | ✔️ | ✔️ | ✔️ |
137+
| Edit project | | | | | ✔️ | ✔️ | ✔️ |
138+
| Archive project | | | | | ✔️ | ✔️ | ✔️ |
139+
| Configure UI/GitOps workflow | | | | | ✔️ | ✔️ | ✔️ |
139140

140141
### Database Permissions
141142

142143
Bytebase does not define database specific roles. Whether a user can perform certain action to the database is based on the user's Workspace role and the role of the project owning the database.
143144

144-
| Database Permission | SQL Editor User | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
145-
| ------------------- | --------------- | ----------------- | ------------- | ------------- | --------------- |
146-
| Query | ✔️ | | ✔️ | ✔️ | ✔️ |
147-
| Edit database label | | | ✔️ | ✔️ | ✔️ |
148-
| Transfer database | | | ✔️ | ✔️ | ✔️ |
145+
| Database Permission | SQL Editor User | Project Developer | Project Releaser | GitOps Service Agent | Project Owner | Workspace DBA | Workspace Admin |
146+
| ------------------- | --------------- | ----------------- | ---------------- | -------------------- | ------------- | ------------- | --------------- |
147+
| Query | ✔️ | | | | ✔️ | ✔️ | ✔️ |
148+
| Edit database label | | | | | ✔️ | ✔️ | ✔️ |
149+
| Transfer database | | | | | ✔️ | ✔️ | ✔️ |
149150

150151
### Sheet Permissions
151152

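Review bot: In both the Project Permission and Database Permission tables the new `Project Releaser` and `GitOps Service Agent` columns are blank in every row, so these tables only document what the two roles cannot do. For an automated identity that is worth stating outright: add a sentence under each table saying that a blank cell means the permission is not granted, and point to the Issue Permissions table for what the role is allowed to do. The role bullet describes it as able to "create and execute database changes", and nothing in these two tables reflects that.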
@@ -184,13 +185,13 @@ User can save sheets from [SQL Editor](/sql-editor/overview). A sheet always bel
184185

185186
### Issue Permissions
186187

187-
| Issue Permission | Assignee | Creator | SQL Editor User | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
188-
| ------------------------- | -------- | ------- | --------------- | ----------------- | ------------- | ------------- | --------------- |
189-
| Create issue | N/A | N/A | | ✔️ | ✔️ | ✔️ | ✔️ |
190-
| Change issue status | ✔️ | | | | Depends\* | ✔️ | ✔️ |
191-
| Edit name and description | ✔️ | ✔️ | | | | ✔️ | ✔️ |
192-
| Edit SQL Statement | | ✔️ | | | | | |
193-
| Subscribe/Unsubscribe | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
194-
| Add comment | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
188+
| Issue Permission | Assignee | Creator | SQL Editor User | Project Developer | Project Releaser | GitOps Service Agent | Project Owner | Workspace DBA | Workspace Admin |
189+
| ------------------------- | -------- | ------- | --------------- | ----------------- | ---------------- | -------------------- | ------------- | ------------- | --------------- |
190+
| Create issue | N/A | N/A | | ✔️ | | ✔️ | ✔️ | ✔️ | ✔️ |
191+
| Change issue status | ✔️ | | | | ✔️ | ✔️ | Depends\* | ✔️ | ✔️ |
192+
| Edit name and description | ✔️ | ✔️ | | | | | | ✔️ | ✔️ |
193+
| Edit SQL Statement | | ✔️ | | | | | | | |
194+
| Subscribe/Unsubscribe | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | ✔️ | ✔️ | ✔️ |
195+
| Add comment | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | ✔️ | ✔️ | ✔️ |
195196

196197
\* `Project Owner` can change issue status when the current active [Environment Rollout Policy](/change-database/environment-policy/rollout-policy) is set to **Require manual rolling out**.
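Review bot: In the `Change issue status` row, `GitOps Service Agent` gets an unconditional ✔️ right next to `Project Owner`'s `Depends\*`, and the same column also has ✔️ for `Create issue`, so as documented a CI/CD identity can open an issue and move its status with no stated condition. If the agent is subject to the Environment Rollout Policy, mark the cell `Depends\*` or extend the footnote to cover it; if it is not, say so explicitly so reviewers know the policy does not gate the pipeline. Please also confirm that the blank `GitOps Service Agent` cells for `Subscribe/Unsubscribe` and `Add comment` are intentional, since every other column has ✔️ in those rows.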

mintlify/gitops/best-practices/sql-review-and-security.mdx

Lines changed: 5 additions & 1 deletion
@@ -84,10 +84,14 @@ Create dedicated service accounts for CI/CD:
8484

8585
**Service account setup:**
8686
1. Create service account in Bytebase
87-
2. Grant minimum required permissions
87+
2. Grant the `GitOps Service Agent` role for automated CI/CD workflows
8888
3. Store token in CI/CD secrets
8989
4. Rotate tokens regularly
9090

91+
<Tip>
92+
The `GitOps Service Agent` role is specifically designed for CI/CD integrations with minimal permissions required for automated deployments.
93+
</Tip>
94+
9195
<Card title="API Authentication" icon="key" href="/integrations/api/authentication">
9296
Learn about service account authentication
9397
</Card>
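Review bot: Step 2 now names a role, but the least-privilege instruction it replaced ("Grant minimum required permissions") is gone, and the new `<Tip>` asserts "minimal permissions" without saying what they are or where to verify them. Keep the principle in the step (for example "Grant only the `GitOps Service Agent` role") and link the Tip to the permission tables in `administration/roles.mdx`, so a reader can check what the role grants before putting its token into CI/CD secrets.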
Lines changed: 3 additions & 19 deletions
@@ -1,20 +1,4 @@
1-
import CreateServiceAccount from '/snippets/tutorials/create-service-account.mdx';
1+
1. Log in as `Workspace Admin`, and go to **IAM & Admin** > **Users & Groups**. Click **+ Add User**, fill in with `api-sample`, and assign the `Workspace Member` and `GitOps Service Agent` roles, which are sufficient for this tutorial, then click **Confirm**.
22

3-
<CreateServiceAccount />
4-
5-
If you have **Enterprise Plan**, you can create a **Custom Role** for the service account which require fewer permissions, and assign this role instead of DBA:
6-
7-
- plans.create
8-
- plans.get
9-
- plans.preview
10-
- releases.check
11-
- releases.create
12-
- releases.get
13-
- rollouts.create
14-
- rollouts.get
15-
- rollouts.list
16-
- sheets.create
17-
- sheets.get
18-
- taskRuns.create
19-
- planCheckRuns.list
20-
- planCheckRuns.run
3+
1. Find the newly created service account and **Copy Service Key**. We will use this token to authenticate the API calls.
4+
![service-account-key](/content/docs/tutorials/share/service-account-key.webp)
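Review bot: The new step 1 tells the reader to click **+ Add User** and fill in `api-sample` but never says to choose the service account type, while the second step expects a "newly created service account"; with the `<CreateServiceAccount />` import removed, that instruction has to live in this snippet. The hunk also drops the explicit permission list (`plans.create` through `planCheckRuns.run`) and replaces it with "which are sufficient for this tutorial"; if the role covers the same permissions, say so or link to the roles page, so the granted scope stays auditable. Minor: the second step says **Copy Service Key** and then "this token"; pick one term.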
