ArgoCD project permission denied errors occur when users or service accounts lack RBAC permissions to create or manage applications. This is typically resolved by configuring project roles, policies, and token-based access for CI/CD pipelines.
When creating an ArgoCD application within a project, the request fails with a permission denied error. This indicates that the authenticated user or service account does not have the necessary RBAC (Role-Based Access Control) permissions to create applications in that specific project. ArgoCD enforces fine-grained RBAC at the project level, requiring explicit policy configuration for each user, group, or service account.
Check which user/service account is authenticated and what project roles exist:
argocd account get-user-info
argocd proj list
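argocd proj role list <project-name>
The simplest solution is to use the "default" project, which has proper RBAC configured during ArgoCD installation. Keep in mind that the default project permits any source repository and any destination cluster and namespace, so it is a broad grant. Update your application to use the default project: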
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd
spec:
  project: default
If you need a custom project, create it with cluster and source permissions:
argocd proj create my-project \
  -d https://kubernetes.default.svc,default \
  --src "*"
Define a project role that can perform create, sync, update, and delete:
argocd proj role create my-project deploy-role
Add policy permissions for each required action:
# --action takes a single action, so add one policy per action
for action in create sync update delete; do
  argocd proj role add-policy my-project deploy-role \
    --action "$action" --permission allow --object "*/*"
done
Generate a token that can be used in CI/CD pipelines:
argocd proj role create-token my-project deploy-role
Store this token securely and use it to authenticate in your CI/CD system.
For group-based access, edit the argocd-rbac-cm ConfigMap:
kubectl edit configmap argocd-rbac-cm -n argocd
Add policies like the following under the ConfigMap's data section:
policy.csv: |
  g, my-group, role:admin
Test if a specific user/role has permission to perform an action:
# Syntax: rbac can <role-or-subject> <action> <resource> [<sub-resource>]
argocd admin settings rbac can my-group create applications 'my-project/*' --namespace argocd
For production, use group-based RBAC mapped through your SSO provider (OIDC, SAML) rather than individual tokens. Project tokens are ideal for CI/CD pipelines, but rotate them regularly. The wildcard pattern "*/*" applies to all namespaces and application names; restrict this further in security-sensitive environments. Always use the principle of least privilege when assigning roles.
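The least-privilege advice above can be checked mechanically before a project is applied. This added example (not from the original page or the Argo CD project) lints project-role policy lines, assumed to be in the six-field form `p, proj:<project>:<role>, applications, <action>, <project>/<object>, allow|deny` as stored under an AppProject's `spec.roles[].policies`. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag over-broad or malformed Argo CD project-role policies.

audit_policy() {
    # $1 = one policy line; prints exactly one verdict word.
    printf '%s\n' "$1" | awk -F',' '
    {
        # Trim whitespace around each comma-separated field.
        for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
        # A valid line has exactly six fields; extra commas (for example a
        # comma-separated action list) break the policy shape.
        if (NF != 6 || $1 != "p") { print "MALFORMED"; exit }
        if ($6 != "allow")        { print "OK"; exit }   # deny rules grant nothing
        obj = substr($5, index($5, "/") + 1)             # drop "<project>/" prefix
        if ($4 == "*")               { print "WILDCARD_ACTION"; exit }
        if (obj ~ "^[*](/[*])*$")    { print "WILDCARD_OBJECT"; exit }
        print "OK"
    }'
}

audit_policies() {
    # Reads policy lines on stdin and prints "<verdict>: <line>" per finding.
    # Returns 1 if anything was flagged, so it can gate a CI job.
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(audit_policy "$line")
        if [ "$verdict" != "OK" ]; then
            printf '%s: %s\n' "$verdict" "$line"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample policies (not taken from a real cluster).
SAMPLE_POLICIES='p, proj:my-project:deploy-role, applications, sync, my-project/my-app, allow
p, proj:my-project:deploy-role, applications, delete, my-project/*/*, allow
p, proj:my-project:deploy-role, applications, *, my-project/my-app, allow
p, proj:my-project:deploy-role, applications, create,sync,update,delete, my-project/*/*, allow'

printf '%s\n' "$SAMPLE_POLICIES" | audit_policies \
    || echo "over-broad or malformed policies found"
```

Only the first sample line passes: it names one action and one application, which is the shape to aim for when narrowing a CI/CD role.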