Different parts of our organisation need to be restricted to different permissions within our AWS accounts. Currently those permissions are granted to BK agents, via the instance profiles of the EC2 on which they run.
The problem is there appears to be no way to restrict usage of agents within a BK organisation.
To achieve hard separation (e.g. between “admin” and “non-admin” AWS activity) we have resorted to creating two BK organisations each with their own agent pool (the agent EC2s having been configured with suitable IAM profiles).
That does not solve all our problems, though: non-admins still need to be able to monitor admin builds, so they need to be in the admin org. Even if we set those users to be Read Only for the existing pipelines, merely being in the admin org allows them to create new pipelines, which grants them access to the admin agents, something we cannot allow.
The missing BK feature seems to be either:
- a way to stop users from being able to create new pipelines (not just be Read Only on existing)
- a way to restrict access to agent queues
The latter is probably the more powerful, but even the first solution would unblock us and might be easier to implement.