Site-admin access to internal instances

Site-admin access to internal instances (dotcom, s2, rctest, demo, k8s) is provided through an auto-approved Entitle workflow. The workflow creates a short-lived admin account that lasts 1h. Removing long-lived admin accounts greatly reduces the risk of compromised credentials across our instances.

How it works

Internal instances use the same login method that is used for site-admin access to customer Cloud instances: Sourcegraph Operator Auth Provider (SOAP). Any employee can request site-admin access for up to 12h with automatic approval.

For sourcegraph.com, use the following instructions (for other instances, substitute the URL and the Entitle request):

  1. In Entitle, request the Dotcom site admin permission. You may do this using the /access_request Slack command or this pre-filled request.
  2. Go to https://sourcegraph.com/sign-in?sourcegraph-operator
  3. Click on Other login methods
  4. Click on Continue with Sourcegraph Operators
  5. Authenticate with Okta


Troubleshooting

If you use your Sourcegraph email as a verified email in a dotcom account, you may see the following error:

The retrieved user account lifecycle has already expired, please re-authenticate.

If this is the case, follow these steps:

  1. Sign out of sourcegraph.com.
  2. Sign in using “Continue with Google”.
  3. Sign out.
  4. Follow the steps in the "How it works" section.

FAQ

  • Q: What happens with my existing Sourcegraph accounts?

    • A: If your existing account is a site-admin, it will be demoted to a regular user. No existing user accounts will be deleted.
  • Q: How can I use my regular account as a site-admin?

    • A: Add your Sourcegraph email, matching Okta, as a verified email to your existing account. After you request SOAP access, site-admin access will be granted to (and later removed from) your account.
  • Q: What happens with tokens created during the elevated privilege window?

    • A: They are revoked after 1h, because the SOAP account with elevated privileges is deleted.
  • Q: Will my token survive the 1h TTL if I renew with Entitle?

    • A: No, it will be revoked after 1h.
  • Q: How can I create a long-lived admin account for automation purposes?

    • A: For long-lived admin accounts needed for automation, reach out in the #discuss-security channel.