Hello, I have been using Fly.io for a while now at my company and really love the simplicity and defaults that the platform has.
We have recently expanded the team and brought on a few interns. I want to let the interns access some parts of fly such as get access to the sentry instance and view logs, but I want to lock down their capabilities such as preventing them from deploying excess apps or messing with secrets.
I was trying to see what the difference between a member and an admin is in an organization and seeing if I can tweak permissions more, but couldn’t find any documentation or threads on it.
Appreciate any help here or documentation that I might have missed
At the moment there’s not much difference between admin and member. I believe it’s really just that admin can add members but members can’t.
Unfortunately there’s currently no way to restrict what members can do in an organisation.
If you’re wanting to give your interns access to staging apps but not production apps then one method is to create a separate organisation for each environment. This keeps environments isolated and lets you give interns access to staging environments without worrying about production.
Hi @marshmalon, regarding the difference between admins and members in an organisation: admins can invite new members, manage billing and delete the organisation (where members cannot do any of these things). So this difference alone won’t meet your needs.
However, have you had a look at the docs for tokens? Specifically, you can use flyctl tokens create readonly to get a read-only organisation-scoped API access token. This token can be used to view logs as follows: flyctl logs -a APP_NAME -t ACCESS_TOKEN.
For Sentry, you can invite the user and set permissions within Sentry - access is not controlled by Fly tokens.
Thanks for the details didn’t see the stuff about readonly tokens so may investigate that as an option.
As for the sentry that is natively built into fly.io or rather provided by fly recently it is requiring a log in with fly. So when I tried to invite my interns to that manually without adding them too the fly organization they are unable to access it. I am also unable to disable the login with fly option in the sentry settings.
Ah sorry you’re absolutely right. The best suggestion I can give at the moment is to sign up for Sentry separately if you have explicit permissions needs.