
Proposed user handling in AWS



Hi folks

We never filled in the details for a possible user handling in AWS.  I
would therefore like to propose the following:

- All user management/sync will be bundled into one AWS account.
- All user access to the publishing and engineering accounts will be via
  assumed roles (we might switch to SAML if it makes sense).
- All "users" in the publishing and engineering accounts are automatic
  processes, like our upload stuff.

This means:

In addition to the AWS-billed publishing and engineering account, we
will need an SPI-owned account for the user handling.  We will make sure
with appropriate settings that users can't produce charges in this
account.

We only need to handle users in one place, except for access to the
us-gov stuff.  A tool to sync users should be simple.

I built a test setup for this, so I can provide a clean set of roles and
policies.

Regards,
Bastian

-- 
You're dead, Jim.
		-- McCoy, "The Tholian Web", stardate unknown
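
An added sketch of the layout proposed above; it is not part of the message or of the test setup it mentions. The account ID is a placeholder and the function names are hypothetical. It builds the trust policy a role in the publishing or engineering account would carry, the assume-role-only policy for users in the user-handling account, and a check that a role's trust policy admits nobody but that account.

```python
import json

IDENTITY_ACCOUNT = "111111111111"  # placeholder ID for the user-handling account

def trust_policy(identity_account):
    """Trust policy for a role in the publishing or engineering account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{identity_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def user_policy(role_arns):
    """Identity-account policy: users may assume the listed roles, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": sorted(role_arns)}],
    }

def trust_violations(policy, identity_account):
    """List reasons a trust policy lets in anyone but the identity account."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            problems.append("wildcard principal")
            continue
        for kind, values in (principal or {}).items():
            for value in [values] if isinstance(values, str) else values:
                # AWS principals are either a bare account ID or an ARN
                account = value.split(":")[4] if value.startswith("arn:") else value
                if kind != "AWS":
                    problems.append(f"{kind} principal {value}")
                elif account != identity_account:
                    problems.append(f"foreign principal {value}")
    return problems

if __name__ == "__main__":
    print(json.dumps(trust_policy(IDENTITY_ACCOUNT), indent=2))
```

The check flags Federated principals as well, so it would need adjusting if access moves to SAML.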