Operating within users’ accounts is a serious matter. We want to make sure that we get all the credentials we need to deliver a great user experience, but limit our access to only what the user feels comfortable with, and make sure there’s nothing we can do that we do not plan on doing. All of this should happen automatically and seamlessly for the user. How do we get that done?
To be able to do that we need to answer 2 questions:
The most basic way is to just ask your users to:
This is, of course, error-prone in so many ways that it’s basically useless.
What we want is an automated process that will create an appropriate role in our user’s account, allow the user to review the permissions that role grants, and limit the access to us alone. That can be achieved using a cross-account IAM role.
To do that, you have to:
This is much better than the previous solution, but it’s still very error-prone and manual, so what we need is a way to automate that process.
So now we get to the gist of our solution: How to automate the process of creating a dedicated role for our service at the user’s account and get the credentials, with as little human intervention as possible.
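As an added example (not code from the original post), here is the kind of CloudFormation template the service could hand to the user to launch in their own account: it creates the cross-account role, restricts the trust policy to the service’s account, and keeps the granted permissions in one place the user can review before clicking “create”. The service account ID, the ExternalId parameter and the two read-only actions are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Cross-account role the customer creates so the service can assume it (example)

Parameters:
  ServiceAccountId:
    Type: String
    Description: Account ID of the service that will assume the role (placeholder default)
    Default: "123456789012"
    AllowedPattern: "^[0-9]{12}$"
  ExternalId:
    Type: String
    Description: Per-customer value the service must present on AssumeRole (assumed convention)
    MinLength: 16
    NoEcho: true

Resources:
  ServiceAccessRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the service account may assume this role, and only
      # when it presents the customer's ExternalId (mitigates the confused deputy).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ServiceAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # Permissions policy: exactly what the service can do, visible to the
      # customer in the stack before it is created. Actions are assumptions.
      Policies:
        - PolicyName: ServiceReadOnlyAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - cloudwatch:GetMetricData
                Resource: "*"
      MaxSessionDuration: 3600

Outputs:
  RoleArn:
    Description: The only value the customer hands back to the service
    Value: !GetAtt ServiceAccessRole.Arn
```

The service later calls sts:AssumeRole on the returned RoleArn with the same ExternalId; no long-lived user keys ever leave the customer’s account.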
#serverless #cross-account-access #cloudformation #aws