I would like to create a user which should only push python wheels, i.e. from GitHub Actions. What minimal permissions or roles should I give/assign to this user so it can do this? Is there a documentation about this?
Yes, we have RBAC docs for pulp-python. [0] By default the upload (create action) uses the condition index_has_repo_perm:python.modify_pythonrepository, which checks that the user has the modify permission on the backing repository. You can assign this permission by giving the user the python.pythonrepository_owner role (permissions come from roles), e.g.

pulp user role-assignment add --username $USER --role python.pythonrepository_owner --object $PYTHON_REPO_HREF

You can also create a custom role to limit the permissions to only the necessary ones:

pulp role create --name python.uploader --permission python.view_pythonrepository --permission python.modify_pythonrepository

then assign this custom role to your user.
Thank you! I found that it works with the "_owner" role assigned, but from my point of view it's too wide. I'll try with a custom role.
hm, I created the following role:
❯ pulp role show --name build.agent
{
"pulp_href": "/pulp/api/v3/roles/01977e11-55cb-7593-be20-1bff149431ac/",
"prn": "prn:core.role:01977e11-55cb-7593-be20-1bff149431ac",
"pulp_created": "2025-06-17T13:25:54.763982Z",
"pulp_last_updated": "2025-06-17T14:02:51.355163Z",
"name": "build.agent",
"description": "A role for build-agent",
"permissions": [
"python.modify_pythonrepository",
"python.view_pythonrepository"
],
"locked": false
}
and assigned it to the user:
❯ pulp user role-assignment list --username build.agent
[
{
"pulp_href": "/pulp/api/v3/users/3/roles/01977e1e-c019-771b-93f7-4d381f781eaf/",
"prn": "prn:core.userrole:01977e1e-c019-771b-93f7-4d381f781eaf",
"pulp_created": "2025-06-17T13:40:33.946069Z",
"pulp_last_updated": "2025-06-17T13:40:33.946090Z",
"role": "build.agent",
"content_object": null,
"content_object_prn": null,
"description": "A role for build-agent",
"permissions": [
"python.modify_pythonrepository",
"python.view_pythonrepository"
],
"domain": "/pulp/api/v3/domains/51208b16-a9ac-44a9-9eb0-6e821573b3e1/"
}
]
but I'm still getting a 403 error:
❯ twine upload --repository-url "https://repo.example.org/pypi/example/simple/" -u build.agent -p password "./dist/*" --verbose
Uploading distributions to https://repo.example.org/pypi/example/simple/
INFO ./dist/zfsup-1.2.3-py3-none-any.whl (19.4 KB)
INFO ./dist/zfsup-1.2.3.tar.gz (22.1 KB)
INFO username set by command options
INFO password set by command options
INFO username: build.agent
INFO password: <hidden>
Uploading zfsup-1.2.3-py3-none-any.whl
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 28.2/28.2 kB • 00:00 • 127.5 MB/s
INFO Response from https://repo.example.org/pypi/example/simple/:
403 Forbidden
INFO {"detail":"You do not have permission to perform this action."}
ERROR HTTPError: 403 Forbidden from https://repo.example.org/pypi/example/simple/
Forbidden
The file already exists, and with the "_owner" permissions I'm getting a 400, which is expected:
INFO Response from https://repo.example.org/pypi/example/simple/:
400 Package zfsup-1.2.3-py3-none-any.whl already exists in index
ERROR HTTPError: 400 Bad Request from https://repo.example.org/pypi/example/simple/
Package zfsup-1.2.3-py3-none-any.whl already exists in index
I managed it. --object $PYTHON_REPO_HREF should be provided to the role-assignment command.
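A preflight check for the upload-only user described in the answer and in the final message above, as an added example (not pulp-cli or pulp_python code). It parses the JSON that `pulp user role-assignment list --username <user>` prints and reports whether the user holds python.modify_pythonrepository on the target repository object, which is what the index_has_repo_perm:python.modify_pythonrepository condition needs; an assignment with "content_object": null (the one pasted in the thread, which still produced a 403) is reported separately, and the script prints the object-scoped `pulp user role-assignment add` command that fixes it. The repository href, the second sample assignment and the extra permission in the least-privilege check are constructed values, not taken from the thread.

```python
"""Preflight audit of a Pulp user's role assignments before a wheel upload.

Added example, not pulp-cli or pulp_python code. Input is the JSON printed by
`pulp user role-assignment list --username <user>`; the repository href and
the object-scoped sample below are constructed for the demonstration.
"""
import json

REQUIRED_PERM = "python.modify_pythonrepository"
UPLOAD_ONLY_PERMS = (REQUIRED_PERM, "python.view_pythonrepository")

# Constructed: the repository href the CI job uploads to (assumed value).
REPO_HREF = "/pulp/api/v3/repositories/python/python/0197abcd-0000-7000-8000-000000000001/"

# Reduced from the assignment pasted in the thread: custom role, no object (model-level).
MODEL_LEVEL_ONLY = json.dumps([{
    "role": "build.agent",
    "content_object": None,
    "permissions": ["python.modify_pythonrepository", "python.view_pythonrepository"],
}])

# Constructed: the same role after `... role-assignment add --object $PYTHON_REPO_HREF`.
OBJECT_SCOPED = json.dumps([{
    "role": "build.agent",
    "content_object": REPO_HREF,
    "permissions": ["python.modify_pythonrepository", "python.view_pythonrepository"],
}])


def grants_for(assignments_json, repo_href, perm=REQUIRED_PERM):
    """Split the assignments carrying `perm` into three role-name lists:
    scoped to repo_href, scoped to some other object, and model-level (no object)."""
    on_repo, elsewhere, model_level = [], [], []
    for a in json.loads(assignments_json):
        if perm not in a.get("permissions", []):
            continue
        obj = a.get("content_object")
        if obj is None:
            model_level.append(a["role"])
        elif obj.rstrip("/") == repo_href.rstrip("/"):
            on_repo.append(a["role"])
        else:
            elsewhere.append(a["role"])
    return on_repo, elsewhere, model_level


def audit(assignments_json, repo_href):
    """Verdict for the upload: 'ok', 'model-level-only', 'wrong-object' or 'missing'."""
    on_repo, elsewhere, model_level = grants_for(assignments_json, repo_href)
    if on_repo:
        return "ok"
    if model_level:
        return "model-level-only"  # the assignment shape that still got 403 in the thread
    if elsewhere:
        return "wrong-object"
    return "missing"


def fix_command(username, role, repo_href):
    """pulp-cli invocation that adds the missing object-scoped assignment."""
    return (f"pulp user role-assignment add --username {username} "
            f"--role {role} --object {repo_href}")


def excess_permissions(role_permissions, needed=UPLOAD_ONLY_PERMS):
    """Permissions in a role beyond the two an upload-only user needs (least-privilege check)."""
    return sorted(set(role_permissions) - set(needed))


if __name__ == "__main__":
    for label, sample in (("as pasted", MODEL_LEVEL_ONLY), ("object-scoped", OBJECT_SCOPED)):
        verdict = audit(sample, REPO_HREF)
        print(f"{label}: {verdict}")
        if verdict != "ok":
            print("  fix:", fix_command("build.agent", "build.agent", REPO_HREF))
    role_perms = json.loads(MODEL_LEVEL_ONLY)[0]["permissions"]
    print("excess permissions in build.agent:", excess_permissions(role_perms) or "none")
```

Run it in the CI job before `twine upload` with the real `pulp user role-assignment list` output piped in place of the samples; a verdict other than "ok" fails the job with the exact command an administrator needs to run, and the least-privilege check flags any permission a wider role such as python.pythonrepository_owner would add beyond view and modify.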