Agent Tags
Based on the docs one should be able to restrict workers to specific workspaces using custom tags like “tag(workspace1)” as an example. I deployed a windows agent with a tag “ad-dev(infra)” but users in other workspaces are able to use that tag in their scripts. Please advise if this is not the correct path for me in trying to restrict which workspaces are allowed to use the windows agents I have configured.
16 Replies
Hi, what version of windmill are you on?
Did you actually try to run the job or just saw the tag available? Can you share the list of your custom tags
I am on cloud EE v1.541.1
I’ve run scripts on multiple workspaces to confirm I can use the agent worker tags to run the script. I only used the one tag “ad-dev(infra)” and the worker group listens for the same tag
@ZosoRiffs what url are you on? You can share in dm if you prefer
I think i figured out what i was doing wrong. I created new JWT for my agent with ad-dev-infra and added custom tag ad-dev-$workspace
Now I see the ad-dev-$workspace available to assign and it works for my infra workspace but not for my other test workspace. Success
Only thing that is confusing is the tag dropdown on the script shows hint that no workers are assigned the “ad-dev-$workspace” tag. Should I add that to the agent when generating the token?
I'm confused, did you never create a custom tag "ad-dev(infra)” ?
I did, that was assigned to my agents and existed in custom tags. But it was usable from my test workspace in addition to infra workspace
can you share your url, that should be impossible
i'm happy to test on your instance
I will dm
@ZosoRiffs did you do the test yourself and just switched workspace and are you superadmin?
Yes I am super admin and am able to run script in both workspaces
because if you are:
1) superadmins can do anything, even forbidden thing. You should test with a normal user
2) YOu need to click refresh on the tag list when switcihg workspace
But initially another user tested for me from their workspace
Is that other user also superadmin ?
not only it is checked in the frontend, it's also checked by the backend
No, I just checked they have the user role
it's normally impossible and would be a correctness issue, I will test on your instance asap