# general
a
Hi all. In my department I manage AWS IAM permissions manually. I wrote a few scripts that developers use to generate their own temporary keys, CloudFormation templates to help automate IAM resource creation, and so on. I am wondering if this falls into the platform engineering space, and if there are existing tools with nice UIs that I can just use to handle permissions and integration with our own identity management, like Okta.
m
About temporary keys (and maybe some other problems): have you tried AWS SSO? You can copy temporary keys from its web UI after logging in.
a
Yep we use that also.
My question is if this falls into platform engineering where a user can access/request permissions via a pretty UI, and these permissions are granted by an admin.
m
I am sure it is, but our solution (DevOpsBox) doesn't currently support it; instead, it relies on AWS IAM/AWS SSO, which is far from perfect... We had a permission generator in the past but we have abandoned it - it was too complicated. The idea was: you could grant somebody permissions for application+environment and their IAM or Kubernetes RBAC were generated automatically.
a
I have never heard of DevOpsBox. We use Argo CD in my org to handle deployments: users just add a manifest into their repos, and the system knows what to do. I think proper permission management tied to identity is a huge endeavor on its own. And I feel like to get it right you would need to focus only on this, and not the services deployment part.
m
(short disclaimer: I am a co-founder of DevOpsBox)
a
My flow basically looks like this: Okta/SSO (existing) => permission manager (integrated with Okta/SSO, request/approve) => temp dev keys generated. I am looking for the middle part. Perhaps there is an OSS solution to this.
a
That's exactly the idea behind my OSS project and its collaboration part: https://github.com/Noovolari/leapp Have you ever tried Leapp?
a
Cool! I'll take a look. I also found this: https://github.com/Netflix/consoleme . To me, integration with existing internal SSO systems is important.
a
Absolutely! I know the creator of ConsoleMe personally, and it is a great but not very flexible solution. I would love to know how to integrate with your existing SSO system, if possible.
a
Does leapp handle integrations?
a
Yes, but what do you mean by integrations?
a
So let's say I am using Okta/AAD/AWS IAM for SSO.
Do I have to sync all the users into leapp in order to use it?
a
https://docs.leapp.cloud/0.14.3/configuring-integration/configure-aws-single-sign-on-integration/ Absolutely not. You will have your IdP users, and they will automatically see their accounts and roles in the local desktop app and CLI.
Sorry, but I really need to go now. I would love to continue this discussion!