Olympus Docs

Use Olympus as the OIDC IdP for ArgoCD

Configure ArgoCD to authenticate users against Olympus IAM

Prerequisites

  • Olympus IAM running, reachable at https://iam.<your-domain>.
  • ArgoCD installed in your cluster.
  • IAM admin access to register the OAuth2 client.

Step 1: Register ArgoCD as an OAuth2 client in IAM

In Athena IAM → OAuth2 Clients → New Client:

  • Name: argocd
  • Client type: Confidential
  • Grant types: authorization_code, refresh_token
  • Response types: code
  • Scopes: openid, profile, email, groups
  • Redirect URIs:
    • https://argocd.<your-domain>/auth/callback
    • http://localhost:8085/auth/callback (for argocd CLI local login)
  • Token endpoint auth: client_secret_basic

Save. Note client_id and client_secret.

Step 2: Configure ArgoCD's argocd-cm ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://argocd.<your-domain>
  oidc.config: |
    name: Olympus
    issuer: https://iam.<your-domain>
    clientID: <client-id>
    clientSecret: $oidc.olympus.clientSecret    # references the secret below
    requestedScopes: ["openid", "profile", "email", "groups"]
    requestedIDTokenClaims:
      groups:
        essential: true

And the secret:

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
type: Opaque
stringData:
  oidc.olympus.clientSecret: <client-secret>

Apply both:

kubectl apply -f argocd-cm.yaml -f argocd-secret.yaml
kubectl rollout restart deployment argocd-server -n argocd

Step 3: Map IAM groups to ArgoCD permissions

ArgoCD reads the groups claim from the ID token and maps each group to an RBAC role via argocd-rbac-cm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    g, argocd_admins, role:admin
    g, argocd_devs, role:readonly
  scopes: "[groups]"

Add the groups trait to your IAM identity schema (if it is not already present):

"groups": { "type": "array", "items": { "type": "string" } }

Set groups: ["argocd_admins"] on the appropriate IAM identities via Athena.
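To check which roles a given ID token would resolve to under the policy.csv above, here is an added Python example (not part of this page or of ArgoCD's code); it assumes ArgoCD's `g, <group>, <role>` binding syntax shown in Step 3 and uses a constructed, unsigned demo token:

```python
import base64
import csv
import io
import json

# policy.csv content from Step 3 of this page
POLICY_CSV = """\
g, argocd_admins, role:admin
g, argocd_devs, role:readonly
"""


def parse_group_bindings(policy_csv: str) -> dict[str, set[str]]:
    """Return {group: {roles}} from the 'g, <subject>, <role>' lines."""
    bindings: dict[str, set[str]] = {}
    for row in csv.reader(io.StringIO(policy_csv), skipinitialspace=True):
        if len(row) == 3 and row[0] == "g":
            bindings.setdefault(row[1], set()).add(row[2])
    return bindings


def id_token_claims(id_token: str) -> dict:
    """Decode the payload segment of a compact JWT. No signature check:
    this is for inspecting a token you already hold, not for authorization."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def effective_roles(claims: dict, bindings: dict[str, set[str]]) -> set[str]:
    """Roles ArgoCD grants with scopes: "[groups]". A missing or non-list
    groups claim yields no roles (with essential: true the IdP should not
    have issued such a token in the first place)."""
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return set()
    roles: set[str] = set()
    for group in groups:
        roles |= bindings.get(group, set())
    return roles


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    bindings = parse_group_bindings(POLICY_CSV)
    token = make_demo_token({"sub": "alice", "groups": ["argocd_admins"]})
    print(effective_roles(id_token_claims(token), bindings))  # {'role:admin'}
```

If a real user lands with no permissions, decoding their ID token this way quickly shows whether the groups claim is absent or names a group that policy.csv does not bind.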

Step 4: Test

Open https://argocd.<your-domain> and click LOG IN VIA OLYMPUS. Authenticate via IAM Hera; you land in ArgoCD with the role mapped from your groups.

CLI login

argocd login argocd.<your-domain> --sso

This opens a browser to the OIDC flow; after login the CLI receives a token. This requires http://localhost:8085/auth/callback to be registered as a redirect URI in the OAuth2 client config (step 1).
