Authentication and Authorization
Configure a Spinnaker Manual Judgment pipeline stage to propagate authentication. ISD and Spinnaker™ provide the same authentication and authorization functionality. The Spinnaker documentation contains detailed instructions on how to set up both.
The Spinnaker documentation explains how to restrict users' access to "accounts" and "applications," but it doesn’t go into the specifics about how the two interact.
If you have access to an application, you can view the pipelines and manually execute them even if you only have "read-only" access. Regardless of your type of permissions, you can run a pipeline. However, if those pipelines interact with your cloud environments (e.g deploying a manifest), you need read/write access to those environments. If you don’t have write permissions, the stages that attempt to write changes to the environment will fail. However, “Manual Judgement stages” are an exception. You can configure Manual Judgement stages to “Propagate Authentication”:
When you check this box, the pipeline will use the identity and authorizations of the user who approved the stage for all subsequent stages. You can allow users with limited access to safely kick off pipelines by inserting a Manual Judgment stage with this option enabled before the actual deployment; after approval, a user with full access to the environment can successfully continue the pipeline.