1.3.3 Managing Teams

fly set-team

Once you've logged in as the main team with fly, you can run fly set-team to create or update other teams. Users with a owner role can also update their own configuration with the same command.

For example, to create a new team that authorizes the local foo user, you would run:

fly -t example set-team --team-name my-team \
  --local-user foo

Note that each time set-team is run, the team's authorization config is set as a whole - it is not a stateful operation.

There are many different ways to configure team auth; see Configuring Auth for more information.

Once the team has been created, you can use fly login to log in:

$ fly -t example login -n my-team

Any newly configured pipelines (via fly set-pipeline) and one-off builds (via fly execute) will be owned by the authorized team. Commands that list content will be scoped to the current team by default, such as fly pipelines and fly builds. The web UI will reflect the same state.

Newly configured pipelines are hidden by default, meaning other teams and unauthorized visitors cannot view them. To make them publicly viewable, see Pipeline & Build Visibility.

Setting User Roles

By default, authorization config passed to set-team configures the owner role.

More advanced roles configuration can be specified through the --config or -c flag.

The -c flag expects a .yml file with a single field, roles:, pointing to a list of role authorization configs.

All of the attributes in each config will vary by provider. Consult the appropriate section for your provider under Configuring Auth for specifics.

For example, the following config sets three roles with different auth config for each role's provider:

- name: owner
    users: ["admin"]
- name: member
    teams: ["org:team"]
- name: viewer
    orgs: ["org"]
    users: ["visitor"]

fly active-users

To list all users that have logged into your instance in the last two months, run:

$ fly -t example active-users

The output will include the username, connector (which method they used to authenticate) and the date of their last login.

You can list users whose last login was within a different range by using:

$ fly -t example active-users --since yyyy-MM-dd

This can be helpful to get a sense of how active your cluster is.

fly teams

To list all the teams, run:

$ fly -t example teams

This can be useful if you've forgotten your team name.

fly teams -d: With Details

To list all the teams with authentication details and members, run:

$ fly -t example teams -d

This can be helpful when debugging OAuth, OIDC groups or listing all individual members.

fly get-team

To show a team's configuration, run:

$ fly -t example get-team -n some-team

fly rename-team

To rename a team, run:

$ fly -t example rename-team --old-name my-team --new-name cool-team

This can only be run by the main team.

fly destroy-team

To remove a team, including all of its pipelines and one-off builds, first log in as the main team, and then run:

$ fly -t example destroy-team --team-name my-team

Currently, if there were any workers assigned specifically to this team, they'll be orphaned, without having their containers or volumes cleaned up.