
Re: Proposed user handling in AWS



Hi,

On Fri, Apr 05, 2019 at 12:21:25AM +0200, Bastian Blank wrote:
> Hi folks
> 
> We never filled the details for a possible user handling in AWS.  I
> therefore like to propose the following:
> 
> - All user management/sync will be bundled into one AWS account.
> - All user access to the publishing and engineering accounts will be via
>   assumed roles (we might switch to SAML if it makes sense).
> - All "users" in the publishing and engineering accounts are automatic
>   processes, like our upload stuff.
> 
> This means:
> 
> In addition to the AWS billed publishing and engineering account, we
> will need a SPI owned account for the user handling.  We will make sure
> with appropriate settings that users can't produce charges in this
> account.

Due to my life being otherwise busy I won't dive deeply into the ideal
user management policy questions in this email, but I will comment
solely on the bits relevant to the SPI President role and to the
preferences of our partners at Amazon.

Amazon requested that we use two accounts for the part they're paying
for and putting under their organization: one account to publish the
images, and a separate account for engineering work like running Debian
archive mirrors. Both of these would still have SPI as legal owner, and
any expenses which somehow get billed to SPI rather than Amazon would be
accounted by SPI as Debian expenses.

My understanding is that Amazon is okay for us to use the engineering
account for any reasonable work targeted at building, testing, and
supporting Debian AMIs in Amazon. This might make it okay for the user
management work to live in that account, but I don't feel strongly about
that.

If Debian is planning to have an AWS account which would be billed to SPI
rather than Amazon for user management purposes, that's not inherently a
problem; the usual requirement for DPL approval would exist so that any
charges which flow through to the SPI debit card could be accounted as
Debian expenses. And of course, someone involved with the Debian AWS
administration would need to be paying attention to ensure the charges
don't get exorbitant.

- Jimmy Kaplowitz
president@spi-inc.org

