
Re: Proposed user handling in AWS



On Fri, Apr 05, 2019 at 12:21:25AM +0200, Bastian Blank wrote:
> We never filled in the details for a possible user handling in AWS.  I
> therefore would like to propose the following:
> 
> - All user management/sync will be bundled into one AWS account.
> - All user access to the publishing and engineering accounts will be via
>   assumed roles (we might switch to SAML if it makes sense).
> - All "users" in the publishing and engineering accounts are automatic
>   processes, like our upload stuff.

Technically, I think this sounds nice.

The automated "users" could also live in the management account and
assume role.  This complicates automation, but ensures that the target
accounts are only accessed via ephemeral keys.  Not sure if the extra step
is worth it.

Ross
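What the proposal and the reply describe is the standard cross-account pattern: principals exist in one management account, each target account holds a role whose trust policy names the management account, and the management account's own IAM policies decide who may call sts:AssumeRole on that role. The following is an added example and is not code from this thread or from the Debian cloud team; the account IDs, the role name "cloud-team", the session name and the sample STS response are all placeholders constructed for illustration. It shows the two policy documents that have to agree, the assume-role call that yields the ephemeral keys Ross mentions, and a helper that reads those keys (and their expiry) out of the response so automation can check them before starting work.

```python
"""Cross-account access pattern: IAM principals live in one management
account and reach the publishing/engineering accounts only by assuming a
role there. Added example (not the list's or Debian's own code); account
IDs, role and session names below are placeholders/assumptions.
"""
import json
from datetime import datetime, timezone

MANAGEMENT_ACCOUNT = "111111111111"   # assumption: where users and automation live
TARGET_ACCOUNTS = {"publishing": "222222222222", "engineering": "333333333333"}
ROLE_NAME = "cloud-team"              # assumption: role created in each target account


def trust_policy(management_account: str, require_mfa: bool = True) -> dict:
    """Trust policy attached to ROLE_NAME in a target account.

    Trusting the management account's root principal delegates the decision
    of *who* may assume the role to that account's own IAM policies. The MFA
    condition rejects sessions of principals that signed in without MFA; an
    automation IAM user has no MFA, so its dedicated role needs require_mfa=False.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(target_accounts: dict, role_name: str) -> dict:
    """Identity policy in the management account: which roles a user/group may assume.

    Scoping Resource to the exact role ARNs (never "*") is what keeps a
    management-account principal out of every other role in the targets.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                         for acct in sorted(target_accounts.values())],
        }],
    }


def assume_role(role_arn: str, session_name: str, duration_seconds: int = 3600) -> dict:
    """Exchange the caller's long-lived keys for ephemeral ones in the target account.

    Needs network access and boto3; not exercised offline.
    """
    import boto3  # imported here so the rest of the module works without it
    sts = boto3.client("sts")
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration_seconds)


def ephemeral_credentials(response: dict) -> dict:
    """Pull the temporary credentials out of an STS AssumeRole response.

    Returns the three values that go into AWS_ACCESS_KEY_ID /
    AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN plus the expiry, so a caller can
    refuse to start a long job with a session that is about to lapse.
    """
    creds = response["Credentials"]
    exp = creds["Expiration"]
    if isinstance(exp, str):  # boto3 hands back a datetime; raw JSON is a string
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
        "expires_at": exp,
        "seconds_left": int((exp - datetime.now(timezone.utc)).total_seconds()),
    }


# Constructed sample of an AssumeRole response (shape as STS returns it; values are fake).
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "example-secret",
        "SessionToken": "example-session-token",
        "Expiration": "2019-04-05T01:21:25Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:upload-bot",
        "Arn": f"arn:aws:sts::{TARGET_ACCOUNTS['publishing']}:assumed-role/{ROLE_NAME}/upload-bot",
    },
}

if __name__ == "__main__":
    print(json.dumps(trust_policy(MANAGEMENT_ACCOUNT), indent=2))
    print(json.dumps(assume_role_policy(TARGET_ACCOUNTS, ROLE_NAME), indent=2))
    creds = ephemeral_credentials(SAMPLE_RESPONSE)
    print("session expires at", creds["expires_at"], "seconds_left:", creds["seconds_left"])
```

The cost Ross points at is visible in `assume_role`: an upload process living in the management account has to perform this exchange and refresh its credentials before `expires_at`, whereas an IAM user created directly in the publishing account just uses its static keys. The benefit is that nothing in the target accounts ever holds long-lived keys, and every session carries a `RoleSessionName` that CloudTrail records.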

