Recently I was adding SSL support for our production servers. Our Tentacles are running under limited rights (service accounts).
Is this possible? I looked into the script Octopus.Features.IISWebSite_BeforePostDeploy and it is failing when creating the New-Item on line 144. I think this is because the module was not imported correctly as well. The PSDrive is not created and then it eventually throws the following:
ErrorMessage=Attempting to perform the NewItem operation on the ‘WebAdministration’ provider failed for the path ‘somepathhere’. Access is denied, which is quite confusing.
Is there a workaround for this? Or should I switch all my tentacles to run under “Local System”?
Thanks for getting in touch! This sounds like the account that the Tentacle is currently running under lacks the permissions required to create the new item. It is best practice to run your Tentacle as the Local System account or a custom user with the following permissions.
Every process within a Tentacle is executed by the user account configured on the Octopus Tentacle service.
Let me know if this helps, or if you have any further questions.
We are working in a little bit of a restricted environment and I’ve tested a couple of scenarios. I think the user account also needs to be allowed to “Log on locally” and to have, for example, Power User or Administrator assigned in order to be elevated for this. Yet that is what I do not want to give, because it should be a restricted account as well.
For now I will run the tentacles under Local System. In my opinion that is not the best practice, because this account has way more rights of course.
Sorry for the late reply! You are able to use your own user; you will need to set the permissions below as a minimum for deployments to run:
Full control: The Octopus "Home" folder, e.g. C:\Octopus
Full control: The Octopus Tentacle Windows Service
Listen: Port 10933
Read: The HKLM\Software\Octopus\Tentacle registry key
Additional permissions will be necessary depending on the kinds of deployments Tentacle will perform (e.g. IIS configuration and so-on).
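The following PowerShell script is an added example, not code from Octopus or from the reply above: it checks whether a given service account holds each of the four minimum permissions just listed and reports the result as one object. It assumes, for illustration, a home folder of C:\Octopus, a Windows service named "OctopusDeploy Tentacle", and it reads "Listen: Port 10933" as an enabled inbound firewall allow rule for TCP 10933; only grants made directly to the account are detected, not grants inherited through group membership.

```powershell
# Added example (not Octopus' own code): verify the minimum Tentacle service-account
# permissions. Assumptions: home folder C:\Octopus, service name "OctopusDeploy Tentacle",
# "Listen: Port 10933" interpreted as an inbound firewall allow rule. Run elevated.
param(
    [Parameter(Mandatory)] [string] $Account,   # e.g. 'CORP\svc-tentacle' (assumed format)
    [string] $HomeFolder  = 'C:\Octopus',
    [string] $ServiceName = 'OctopusDeploy Tentacle',
    [string] $RegistryKey = 'HKLM:\Software\Octopus\Tentacle',
    [int]    $Port        = 10933
)

# Resolve the account to a SID; the service's security descriptor only carries SIDs.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# True when an Allow ACE granted directly to $Account carries every bit in $Required.
# Works for both file-system and registry ACLs, which expose the mask under different names.
function Test-AllowedRight {
    param($Acl, [int] $Required)
    foreach ($rule in $Acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.IdentityReference.Value -ne $Account) { continue }
        $mask = if ($rule -is [System.Security.AccessControl.FileSystemAccessRule]) {
            [int] $rule.FileSystemRights
        } else {
            [int] $rule.RegistryRights
        }
        if (($mask -band $Required) -eq $Required) { return $true }
    }
    return $false
}

# 1. Full control on the Octopus home folder.
$homeOk = Test-AllowedRight (Get-Acl -Path $HomeFolder) `
    ([int][System.Security.AccessControl.FileSystemRights]::FullControl)

# 2. Full control on the Tentacle service: read its SDDL with sc.exe and look for an
#    AccessAllowed ACE for the account's SID carrying SERVICE_ALL_ACCESS (0x000F01FF).
$sddl = (sc.exe sdshow "$ServiceName" | Where-Object { $_ -match '^D:' }).Trim()
$sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$serviceOk = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -eq 'AccessAllowed' -and
        $ace.SecurityIdentifier.Value -eq $sid.Value -and
        (($ace.AccessMask -band 0x000F01FF) -eq 0x000F01FF)) {
        $serviceOk = $true
    }
}

# 3. An enabled inbound firewall rule allowing TCP $Port.
$portOk = [bool] (Get-NetFirewallPortFilter -All -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' })

# 4. Read access on the Tentacle registry key.
$regOk = Test-AllowedRight (Get-Acl -Path $RegistryKey) `
    ([int][System.Security.AccessControl.RegistryRights]::ReadKey)

[PSCustomObject]@{
    Account          = $Account
    HomeFolderFull   = $homeOk
    ServiceFull      = $serviceOk
    PortInboundAllow = $portOk
    RegistryRead     = $regOk
}
```

Run it as `.\Test-TentaclePermissions.ps1 -Account 'CORP\svc-tentacle'` (script name and account are placeholders). A `False` in `HomeFolderFull` can be fixed with `icacls C:\Octopus /grant "CORP\svc-tentacle:(OI)(CI)F"`; the other three are set through the service's security descriptor, the firewall, and the registry key's ACL respectively, and, as the reply notes, an IIS deployment still needs permissions beyond these four.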
The service account where I configured the agent on has all these permissions. It is indeed more the additional permissions the account needed. What I expected is that during an “Access Denied” it would be easy to monitor which folders/files/registry keys etc. it should have access to. Yet I was not able to find this with Process Monitor.
That’s why I switched the service now to run under the System account.
If you maybe have any clue where it should have access to, please let me know. Otherwise I now have a reason to let it run under System.
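As an added example that is not part of the thread above, the following PowerShell uses Windows object-access auditing to locate an "Access is denied" like the one in the original post: it enables failure auditing for file-system and registry access, attaches a failure SACL for the service account to the paths a deployment is likely to touch, and then lists the resulting Security-log 4656 "Audit Failure" events with the object and process involved. The account, the audited paths (the Octopus home folder and the IIS configuration directory, where the WebAdministration provider writes applicationHost.config) and the time window are assumptions for illustration, not findings from this thread; the script must be run from an elevated PowerShell.

```powershell
# Added example (not Octopus' own code): find which object a Tentacle service account is
# denied on, using Windows auditing instead of Process Monitor. Run elevated.
# Account, paths and time window are illustrative assumptions.
param(
    [Parameter(Mandatory)] [string] $Account,   # e.g. 'CORP\svc-tentacle'
    [string[]] $Paths        = @('C:\Octopus', "$env:windir\System32\inetsrv\config"),
    [string[]] $RegistryKeys = @('HKLM:\Software\Octopus\Tentacle'),
    [int]      $MinutesBack  = 30
)

# 1. Turn on failure auditing for the two object-access subcategories (system-wide policy).
auditpol.exe /set /subcategory:"File System" /failure:enable | Out-Null
auditpol.exe /set /subcategory:"Registry"    /failure:enable | Out-Null

# 2. Attach a failure SACL for the account to each path. The policy alone logs nothing;
#    an object is only audited when it carries a matching SACL entry.
foreach ($p in $Paths) {
    $acl  = Get-Acl -Path $p -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $p -AclObject $acl
}
foreach ($k in $RegistryKeys) {
    $acl  = Get-Acl -Path $k -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Account, 'FullControl', 'ContainerInherit', 'None', 'Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $k -AclObject $acl
}

# 3. Re-run the failing deployment step, then list the denied handle requests (event 4656
#    with the "Audit Failure" keyword) for this account within the time window.
$user   = $Account.Split('\')[-1]
$since  = (Get-Date).AddMinutes(-$MinutesBack)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' }

foreach ($e in $events) {
    # Parse the message text rather than relying on positional event properties.
    $msg  = $e.Message
    $who  = if ($msg -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
    if ($who -ne $user) { continue }
    $obj  = if ($msg -match 'Object Name:\s+([^\r\n]+)')  { $Matches[1].Trim() } else { '?' }
    $proc = if ($msg -match 'Process Name:\s+([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
    $acc  = if ($msg -match '(?s)Accesses:\s+(.*?)\s*Access (?:Reasons|Mask):') {
        ($Matches[1] -replace '\s+', ' ').Trim()
    } else { '?' }
    [PSCustomObject]@{
        Time     = $e.TimeCreated
        Account  = $who
        Object   = $obj
        Process  = $proc
        Accesses = $acc
    }
}
```

The `Object` column names the exact file or key the account was refused on and `Accesses` shows which right (for example WriteData or SetValue) was requested, which is the information needed to grant a narrow permission instead of moving the service to Local System. Remove the SACL entries and disable the two subcategories again once the gap is found, since failure auditing on a busy directory adds noise to the Security log.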