Help Center/ CodeArts Pipeline/ User Guide/ Configuring a Pipeline/ Configuring CodeArts Pipeline Delegate Permissions
Updated on 2025-10-10 GMT+08:00

Configuring CodeArts Pipeline Delegate Permissions

Scenarios

Create a delegate to authorize CodeArts Pipeline to access other cloud services, and configure delegate permissions for pipelines.

The following are the required permissions for running pipelines with or without a delegate:

  • Manual execution/Code event trigger from CodeArts Repo
    • No delegate: Use the identity and permissions of the user who executes the pipeline.
    • Delegate configured: Only the permissions for running the pipeline are required. The delegate identity and permissions are used to run tasks of other cloud services called in the pipeline.

  • Scheduled task/Webhook/Code event trigger from third-party repositories
    • No delegate: Use the identity and permissions of the last person who updated the pipeline.
    • Delegate configured: Use the identity and permissions of the delegate.

Advantages of a Delegate

Using a delegate has the following advantages:

  • Minimum permission principle: You can grant only the minimum permissions required for executing specific tasks in a pipeline. This reduces the risk of permission abuse.
  • Security: Using a delegate can effectively isolate user permissions and prevent personal credentials from being exposed in pipelines.
  • Maintainability: To change permissions, you only need to update the permissions of the delegate in IAM. You do not need to modify the permissions of each user.
  • Flexibility: Compared with individual identities, delegates can be applied to multiple projects and pipelines for easy management and reuse.
  • Audit and monitoring: CTS audits and monitors permission changes of a delegate to ensure operational compliance.
  • Teamwork: Delegate configuration simplifies permission management within a team, avoiding disruptions caused by individual user permission changes.
  • Automation: Delegate configuration facilitates automated processes and minimizes manual intervention.
  • Multi-environment support: You can easily manage permissions for different environments (such as development, testing, and production) by using different delegates, without the need to configure permissions for each user.

In conclusion, delegates can better support complex and dynamic DevOps pipeline processes.

Prerequisite

  • To configure a delegate for a single pipeline, you must have the permission to edit the pipeline. To configure a delegate for multiple pipelines, you must have the project creator or administrator permissions.
  • Before configuring a delegate, ensure that the delegate has sufficient role permissions in the CodeArts project. You can go to the pipeline page and choose Settings > Members in the left navigation pane to check the roles of the delegate, and choose Settings > Permissions to check the role permissions.

Creating a Default Delegate

If you do not have any delegate in your Huawei Cloud account, CodeArts Pipeline provides you with a default one.

  1. Log in to CodeArts with the tenant administrator account. The Authorization window is displayed.
  2. Select I grant the above permissions and click Confirm. The default delegate agency pipeline_admin_trust of is automatically created.

The default delegate has the permissions for accessing most cloud service resources required by CodeArts Pipeline. For details, see Table 1 Default delegate permissions.

Table 1 Default delegate permissions

Permission

Description

CodeArtsBuildAgencyFullPolicy

Permissions required for calling CodeArts Build, including OBS and SWR permissions.

CCE Administrator

Permissions required for calling Cloud Container Engine (CCE).

CODEARTSPIPELINEAgencyFullPolicy

Permissions for using the CodeArts Pipeline delegate.

CodeArtsDeployAgencyAccess

Permissions required for calling CodeArts Deploy, including permissions for ServiceStage, Application Performance Management (APM), and FunctionGraph.

CodeArtsDeployOBSAgencyAccess

Permissions related to OBS files required for calling CodeArts Deploy.

SWR Admin

Permissions related to SWR required for calling CodeArts Deploy.

Obtaining a Delegate URN

  1. Click the avatar in the upper right corner, select CodeArts Console.
  2. Search for Identity and Access Management in the upper search box to go to the IAM console.
  3. In the left navigation pane, choose Agencies.
  4. Search for the delegate name in the search box and click the name to check its details.

Configuring a Pipeline Delegate

You can configure a delegate for a single pipeline, multiple pipelines, or all pipelines.

Configuring a Delegate for a Single Pipeline

  1. Access the CodeArts Pipeline homepage.
  2. Search for the target pipeline, click in the Operation column, and select Edit. The pipeline orchestration page is displayed.
  3. Click Basic Information and set Agency URN. For details about how to obtain the delegate URN, see Obtaining a Delegate URN.

  4. After the configuration, click Save. A message is displayed, indicating that the delegate is created successfully.

Configuring a Delegate for Multiple Pipelines

  1. Access the CodeArts Pipeline homepage.
  2. On the pipeline list page, select desired pipelines, and click Set Delegate.

    Figure 1 Setting a delegate

  3. In the displayed window, enter the delegate URN and click OK. For details about how to obtain the delegate URN, see Obtaining a Delegate URN.

    Figure 2 Setting a delegate for multiple pipelines

Configuring a Delegate for All Pipelines

  1. Access the CodeArts Pipeline homepage.
  2. After the default delegate is created, go to the pipeline list page and click Set Delegate in the upper part.

  3. In the displayed window, enter the delegate URN and click OK. For details about how to obtain the delegate URN, see Obtaining a Delegate URN.

    Figure 3 Setting a delegate