Site-admin access to internal instances (dotcom, s2, rctest, demo, k8s) is provided through an auto-approved Entitle workflow. The workflow creates a short-lived admin account that lasts 1h. Removing long-lived admin accounts greatly reduces the risk of compromised credentials across our instances.
Internal instances use the same login method as site-admin access to customer Cloud instances: Sourcegraph Operator Auth Provider (SOAP). Any employee can request site-admin access for up to 12h with automatic approval.
For sourcegraph.com, use the following instructions (or substitute the URL and Entitle request for other instances):
- In Entitle, request the Dotcom site admin permission. You may do this using the /access_request Slack command or this pre-filled request.
- Go to https://sourcegraph.com/sign-in?sourcegraph-operator
- Click on Other login methods
- Click on Continue with Sourcegraph Operators
- Authenticate with Okta
If you use your Sourcegraph email as a verified email in a dotcom account, you may see the following error:
The retrieved user account lifecycle has already expired, please re-authenticate.
If this is the case, do the following steps:
- Sign out of sourcegraph.com.
- Sign in using “Continue with Google”.
- Sign out.
- Follow the steps in the How it works section.
Q: What happens with my existing Sourcegraph accounts?
- A: If your existing account is a site-admin, it will be demoted to a regular user. No existing user accounts will be deleted.
Q: How can I use my regular account as a site-admin?
- A: Add your Sourcegraph email, matching Okta, as a verified email to your existing account. After you request SOAP access, it will be granted to (and later removed from) your account.
Q: What happens with tokens created during the elevated privilege window?
- A: Those will be revoked after 1h, because the SOAP account with elevated privileges is deleted.
Q: Will my token survive the 1h TTL if I renew with Entitle?
- A: No, it will be revoked after 1h.
Q: How can I create a long-lived admin account for automation purposes?
- A: For long-lived admin accounts needed for automation, reach out to in the #discuss-security channel.