# general
My current workplace is a WIP, but at the last place I worked we used a tool called db labs to provide access to clones. https://postgres.ai
That way devs did not need to access the live prod database for things. We typically required whatever fix to be written as a migration, except for some specific circumstances where it didn't make sense to do that.
Thanks for your input @Taylor! I did not look into data fuzzing tools. I will do more digging. Any other alternatives?
Tools like Dbeaver, TablePlus, etc… DBs are backed by VPN and AAD access control (with AD groups) and we are looking into using Azure PIM for privilege elevation.
I also used Self Service Group ID before - replacement for Azure PIM
@Heiki Riesenkampf we support companies with database simulation testing/debugging… is a production environment a hard requirement to debug?
@Craig Alfieri what do you use for database simulation?
At a previous company we had a self-service tool that would allow engineers to get a dump of a database, with all the sensitive and personal data redacted. Developers would send a request, it would get reviewed and approved, then a mysqldump was executed and the developer was able to download it from S3.
@Taras Mankovski the company just came out of beta, the name is Antithesis; the former team from FoundationDB started it. I’ll DM you some GitHub details.
@Heiki Riesenkampf - we at groundcover support your use case of identifying the exact object causing problems (regardless of DB or any other object) thanks to our eBPF-based solution (monitors everything in kernel mode, no integration is needed). Feel free to check our free tier license or alternatively check our blogs where we share use cases. Regarding your question of “static” keys to prod - as a former cyber security consultant I can suggest looking at PAM solutions, providing on-demand access, recording, password change, approval processes etc…
Hi @Heiki Riesenkampf, we have implemented Boundary + Vault with fine-grained access control to allow connecting to the prod DB. Let's say someone needs to debug into the prod DB; they can be allowed access temporarily by attaching a specific role to their user, which would authorize them against the corresponding Boundary and Vault ACLs, and let them generate temporary credentials and a TCP connection to the DB.