Operating within users’ accounts is a serious matter. We need enough permissions to deliver a great user experience, but no more access than the user is comfortable granting, and no way to do anything we did not plan to do. All of this should happen automatically and seamlessly for the user. How do we get that done?

To get there we need to answer two questions:

  1. How do we obtain the credentials and permissions we need for our user’s account?
  2. How do we operate within our user’s account once we have those credentials?

Getting relevant access to our user’s account (Technical Background)

The most basic way is to just ask your users to:

  1. Create an IAM policy with the permissions you require
  2. Create an IAM user for you in their account and attach only that policy to it
  3. Generate an access key (access key ID and secret access key) for that user
  4. Manually send you the access key for the user they created for you

This is error-prone in so many ways that it is basically useless: every step is manual, the access key is a long-lived static credential that has to travel out of band, and the customer has to remember to rotate or revoke it.

What we want is an automated process that creates an appropriate role in our user’s account, lets the user review its permissions, and restricts who can assume it to us alone. That can be achieved using a cross-account IAM role.

To do that, you have to:

  1. Send your AWS account ID and a unique external ID for this customer to the customer, so they can configure your access rights (the external ID is what stops a third party from tricking you into using the customer’s role on their behalf, the confused-deputy problem)
  2. Ask your customer to create a role whose trust policy allows your account to assume it only when that external ID is presented, and attach the policies with your required permissions to that role
  3. Have your customer send you back the ARN of the role they created for you

Your service then calls sts:AssumeRole with that role ARN and the external ID and receives temporary credentials for the customer’s account.

This is much better than the previous solution, but it is still manual and error-prone: a mistyped account ID or a forgotten external-ID condition is easy to make and hard to spot. So what we need is a way to automate that process.
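The three-step exchange above, as an added example (not code from the original article): it builds the trust policy and permissions policy the customer attaches to the role, checks the trust policy the customer actually deployed before we rely on it (correct principal, no wildcard, external-ID condition present), and prepares the `sts:AssumeRole` call our service makes once the role ARN comes back. Account IDs, the external ID, the role ARN, the action list and the `FakeSts` client are constructed placeholders; the real call goes through a boto3 STS client with the same `assume_role` signature.

```python
"""Cross-account access to a customer's AWS account via an IAM role (added example)."""
from __future__ import annotations

import json
import secrets
from typing import Any

ASSUME_ROLE = "sts:AssumeRole"


def new_external_id() -> str:
    """Per-customer external ID; never reuse one across customers."""
    return secrets.token_urlsafe(24)


def build_trust_policy(provider_account_id: str, external_id: str) -> dict:
    """Trust policy for the customer's role: only our account may assume it,
    and only when the caller presents this customer's external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{provider_account_id}:root"},
            "Action": ASSUME_ROLE,
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy(actions: list[str], resources: list[str]) -> dict:
    """Least-privilege permissions policy: list exactly what the service needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": resources}],
    }


def trust_policy_is_safe(policy: dict, provider_account_id: str, external_id: str) -> bool:
    """Validate a trust policy the customer deployed before trusting the role ARN.

    Returns True only if at least one statement grants sts:AssumeRole, and every
    such statement names our account alone (no "*", no other accounts, no service
    principals) and requires our external ID.
    """
    expected = {f"arn:aws:iam::{provider_account_id}:root", provider_account_id}
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = False
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not any(a in (ASSUME_ROLE, "sts:*", "*") for a in actions):
            continue
        found = True
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            return False  # "*" or a service/federated principal we did not ask for
        aws = principal["AWS"]
        aws = [aws] if isinstance(aws, str) else list(aws)
        if any(p not in expected for p in aws):
            return False  # another account, or a wildcard
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            return False  # confused-deputy guard missing or wrong
    return found


def assume_role_request(role_arn: str, external_id: str, session_name: str) -> dict[str, Any]:
    """Keyword arguments for boto3's sts.assume_role; the external ID must be sent."""
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "ExternalId": external_id,
        "DurationSeconds": 3600,  # short-lived credentials, renewed on demand
    }


def customer_credentials(sts_client, role_arn: str, external_id: str,
                         session_name: str = "saas-service") -> dict:
    """Exchange the customer's role ARN for temporary credentials."""
    response = sts_client.assume_role(**assume_role_request(role_arn, external_id, session_name))
    return response["Credentials"]


class FakeSts:
    """Constructed stand-in for a boto3 STS client, so the example runs offline."""
    def assume_role(self, **kwargs):
        assert kwargs["ExternalId"], "external ID must be supplied"
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x",
                                "SessionToken": "t", "Expiration": "2020-01-01T01:00:00Z"}}


if __name__ == "__main__":
    provider, ext = "111122223333", new_external_id()          # constructed values
    trust = build_trust_policy(provider, ext)
    perms = build_permissions_policy(["s3:ListBucket", "s3:GetObject"], ["*"])
    print(json.dumps(trust, indent=2)); print(json.dumps(perms, indent=2))
    assert trust_policy_is_safe(trust, provider, ext)
    role_arn = "arn:aws:iam::444455556666:role/ProviderAccess"   # returned by the customer
    print(customer_credentials(FakeSts(), role_arn, ext)["AccessKeyId"])
```

Run `trust_policy_is_safe` against the trust policy fetched from the customer's account (for example with `iam.get_role`) before storing the role ARN; a role that trusts `"AWS": "*"` or omits the `sts:ExternalId` condition can be assumed by anyone who learns its ARN.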

So now we get to the gist of our solution: how to automate the process of creating a dedicated role for our service in the user’s account and obtaining the credentials, with as little human intervention as possible.


Automating Cross-Account Role creation to access users’ account