add chained pipeline RBAC alternative
New Cricket
We request the option to execute a particular chained pipeline where the executor does not need the usual explicit permissions to execute it. This use case is primarily relevant for triggering a provisioning pipeline across projects: the executor would need temporary access to connectors, secrets, etc. that they normally would not have, in order to self-service provision entities and resources.
Scenario:
As a platform team, I would like to allow app teams to provision resources, TF workspaces, etc. via Harness pipelines. The app teams have their own Harness projects. Because the pipelines require elevated access, I cannot explicitly grant app teams permissions to use the required secrets and connectors (even via specific resource group scoping), as this can lead to misuse of those secrets and connectors; the provisioning pipelines will instead live in a locked project (e.g. "provisioning") that the app teams will not have access to. I also cannot simply use a trigger, as the app team would like to provision and then use some outputs from the provisioning pipeline in a following stage, which leads to pipeline chaining.
Currently, the only way to achieve this is via an IDP workflow plus a service account that can access both projects (provisioning and app team), where:
1. The IDP workflow triggers a pipeline in the app team project (not provisioning).
2. The app team pipeline's first stage is a pipeline chaining stage that points to the provisioning pipeline.
3. The 2nd stage can then use the first stage's outputs.
This is a fairly complex setup that also means the pipeline has to be configured with selective stage executions to allow for re-runs; otherwise the pipeline can only really be fired by IDP or an admin. The feature request would loosen this so that a pipeline chaining stage can allow executors to provide just:
- pipeline name/location
- inputs and outputs
and not have to worry about RBAC, allowing re-use of the pipeline logic from the platform team.