Can a project role run an "argocd app sync --local" without a global RBAC role

[dlitster]

Argo newbie here. I'm trying to create a least privilege project role+token that can run a "argocd app sync --local " command.

edit: version
argocd: v2.11.4+e1284e1
BuildDate: 2024-07-03T00:41:55Z
GitCommit: e1284e1
GitTreeState: clean
GoVersion: go1.22.4
Compiler: gc
Platform: darwin/amd64
argocd-server: v2.11.4+e1284e1

My project role can run the "argocd app sync " fine, but gives me a blank error when I add --local. I was able to run this command as an admin.
FATA[0002] rpc error: code = PermissionDenied desc = permission denied

That error is quite different from normal errors:
FATA[0001] rpc error: code = PermissionDenied desc = permission denied: projects, create, *, sub: <svcacct_user>, iat: 2024-07-31T16:24:18Z

project role

argocd proj role get myproject myprojectrole
Role Name:     myprojectrole
Description:
Policies:
p, proj:myproject:myprojectrole, projects, get, myproject, allow
p, proj:myproject:myprojectrole, applications, *, myproject/*, allow
g, argocd-dev-myproject, proj:myproject:myprojectrole

Once I moved the role and permissions into argco-cm as a local user, I still wasn't able to run the local sync, but the logs showed me these calls were being made before the failures:
msg="received unary call /cluster.ClusterService/Get and msg="received unary call /project.ProjectService/GetDetailedProject
so I added these permissions to the global role in argco-cm:

p, role:mypipelinerole, applications, *, */*, allow
p, role:mypipelinerole, clusters, get, *, allow
p, role:mypipelinerole, projects, get, *, allow
g, mypipeline, role:mypipelinerole 

and the local sync worked.

I wasn't able to add similar permissions to the project using the cli; I see projects/get is a builtin permission but the cli won't let me add a clusters/get permission, the cli targets the applications resource only:
argocd proj role add-policy myproject myprojectrole -a override -p allow -o '*'
I was able to add a "clusters" project policy via terraform ("oboukili/argocd"), but still got the same "blank" error:
p, proj:myproject:myprojectrole, clusters, get, myproject/*, allow

Is there a bug in the sync command that doesn't allow it to be run using a project role? The closest page I found discussing this was: GHSA-g623-jcgg-mhmm

[juwon8891]

Did you use argocd appsync --local correctly? If possible, try adding the --core option

[dlitster]

@juwon8891 using --core effectively bypasses argo RBAC entirely, according to #8280 and https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd_login/. That means won't use the token I've issued from my project role, and since this is intended to be run from a pipeline, I'd have to tighten k8s permissions instead of argo permissions.
Am I understanding correctly?

sync --local is working fine when I use the argo admin permissions or when I set a global role in argco-cm (csv) (in my case, deploys the pod with an updated docker image)

From my testing with the global role, I think the issue is that the project role doesn't have this permission:
p, role:mypipelinerole, clusters, get, *, allow

But I'm not sure how to grant that permission at a project level...Is what I'm trying to do possible or is this a bug?