Sourcegraph employee access to the Managed Instance application interface (Web UI) is restricted to essential personnel only. This ensures Sourcegraph is able to help customers troubleshoot issues and deliver a smooth experience. We use OpenID Connect (OIDC) to grant Sourcegraph employees access to customer instances so that there is an audit trail for every access.
All Managed Instances (internal, trial and paid) have OIDC OKTA access enabled as follows:
- An OKTA web application is created via Terraform code for each Managed Instance module.
- The OIDC OKTA configuration is added to the Managed Instance during the initialisation process from GSM.
- Sourcegraph employee accounts are created and promoted to site admin on the given instance.
- The configuration is synchronised every hour via a GitHub Action.
- Every instance has a Sourcegraph Admin user added during initialisation of the Managed Instance. This admin user's username, password and token are stored in the Managed Instance's GCP Secret Manager. The token is used to access the Managed Instance from the mg CLI. For customers who have not disabled OIDC, the token is used to impersonate the user invoking the action on the Managed Instance; otherwise the action is invoked as the Sourcegraph Admin user.
Unless the customer has explicitly disabled OIDC on the Managed Instance
OIDC OKTA access is disabled on an instance only when explicitly requested by the customer via the configuration flag
disableSourcegraphManagementAccess: true in
Each essential Sourcegraph teammate is effectively an actual user in the customer instance, so they count toward the license seat count. However, we allocate an additional 10 seats in the license to accommodate the seats used by internal Sourcegraph teammates with Site Admin access.