https://platformengineering.org logo
#general
Title
# general
a

Artem

09/30/2022, 9:40 AM
Hi all. In my department I manage IAM AWS permissions manually, I wrote a few scripts that developers use to generate their own temporary keys, cloud formation templates to help automate IAM resource creation, and so on. I am wondering if this falls into platform engineering space. And if there are existing tools with nice UIs that I can just use to handle permissions and integration with our own identity management like Okta.
m

Maciej Raszplewicz

09/30/2022, 9:47 AM
About temporary keys (and maybe some other problems): have you tried AWS SSO? You can copy temporary keys from its WEB UI after logging in.
a

Artem

09/30/2022, 9:48 AM
Yep we use that also.
My question is if this falls into platform engineering where a user can access/request permissions via a pretty UI, and these permissions are granted by an admin.
m

Maciej Raszplewicz

09/30/2022, 9:55 AM
I am sure it is but our solution (DevOpsBox) doesn't currently support it, instead, it relies on AWS IAM/AWS SSO which is far from being perfect... We had a permission generator in the past but we have abandoned it - it was too complicated. The idea was: you could grant somebody permissions for application+environment and their IAM or Kubernetes RBAC were generated automatically.
a

Artem

09/30/2022, 12:52 PM
I have never heard of devopsbox, we use argo cd in my org to handle deployments, users just add a manifest into their repos, and the system knows what to do. I think proper permission management tied to identity is a huge endeavor on its own. And I feel like to get it right you would need to focus only on this, and not the services deployment part.
m

Maciej Raszplewicz

09/30/2022, 12:58 PM
(short disclaimer: I am a co-founder of DevOpsBox)
a

Artem

09/30/2022, 1:05 PM
My flow basically looks like this Okta/SSO (existing) => permission manager (integrated with Okta/SSO request/approve) => temp dev keys generated I am looking for the middle part. Perhaps there is an OSS solution to this.
a

Andrea Cavagna

10/01/2022, 7:21 AM
That's exactly the idea behind my oss project and his collaboration part https://github.com/Noovolari/leapp Have you ever tried Leapp?
a

Artem

10/01/2022, 7:25 AM
Cool! I'll take a look. I also found this https://github.com/Netflix/consoleme . To me integrations with existing internal SSO systems is important.
a

Andrea Cavagna

10/01/2022, 7:28 AM
Absolutely! I know the creator of ConsoleMe personally and it is a great but not so flexible solution. I would love to know how to integrate with your existing SSO system if possible
a

Artem

10/01/2022, 7:28 AM
Does leapp handle integrations?
a

Andrea Cavagna

10/01/2022, 7:29 AM
Yes, but what you mean with integrations?
a

Artem

10/01/2022, 7:31 AM
So let's say I am using Okta/AAD/AWS AIM for SSO.
Do I have to sync all the users into leapp in order to use it?
a

Andrea Cavagna

10/01/2022, 7:34 AM
https://docs.leapp.cloud/0.14.3/configuring-integration/configure-aws-single-sign-on-integration/ Absolutely not. You will have your IDP users and they will automatically see their account and roles in their local Desktop app and Cli
Sorry bug I really need to go now, but I would love to continue this discussion!
23 Views