
Getting more than one API key and having multiple users

Open nmarjanovic opened this issue 5 years ago • 9 comments

Hi,

I ask about this because, let's say, you have dev infra, pre-prod and production. For good security practice you will never use the same API key.

Will this be possible with API v5?

We have APIs like AWS, where you can create a group of users with special permissions, like just getting info about some resources, but the user can't delete something from production or change any values.

Thanks

nmarjanovic avatar Jul 17 '18 09:07 nmarjanovic

This is not possible at the moment. The scoping of methods with API key should be in the feature list down the line.

aegiap avatar Jul 17 '18 10:07 aegiap

Ok, thanks for the info and I hope to see this soon, because it's important on many levels of any cloud and app infrastructure.

nmarjanovic avatar Jul 17 '18 12:07 nmarjanovic

@nmarjanovic but you can create teams in your organization on our v5 website for each of your platforms and assign users to each group (a user could be in only one team per organization).

For now the only API v5 available is for our LiveDNS product. Other products will be supported later.

aegiap avatar Jul 17 '18 15:07 aegiap

Thanks @aegiap, I will check the team settings and see what type of permissions we can set on that level, but I guess it's basic, but good for a start.

nmarjanovic avatar Jul 17 '18 15:07 nmarjanovic

@nmarjanovic : We welcome suggestions of more specific permission scopes that you would find useful. :)

yanndinendal avatar Jul 18 '18 08:07 yanndinendal

Where to start :) In any case, if an organization has one or 100 domain names, at some point you will need more than one user and you will need a few levels of permissions for different company services and solutions.

Ex. 1 (Gandi)

Speaking first about how modern IT teams are built: dev/qa/ops/infra. Do we want these teams to have the same levels of permissions? I don't think so. If we look at the Gandi side, I see we can add teams, and that is cool, we can restrict a few things, but already at this level you don't have domain/zone separation. If you want to create a dev team and give them permission to use only one zone, Gandi doesn't provide this type of isolation right now.

Ex. 2 (API)

A case where you need an even more strict API: the OPS team will integrate some type of statistics monitoring, to calculate how many new clients they got last month, and share that board with other company teams. This is done in the case where every new client of your application uses the integrated Gandi API to create a sub-domain. To see output in the monitoring application, you need a read-only API permission, to get information about the number of CNAME, A, etc. entries. The API can be managed by groups and users, like the Linux permissions system; all big companies use that logic.

Today, in many cases, people are moving infrastructure to the cloud, and domain providers need to adjust. Of course, that is my opinion. AWS did a great job on this level; GCloud and even Azure are working a lot to provide a good API.

An AWS API user doesn't even need to have an account, and an admin can create API keys for groups and users, e.g. QA team authorization with their own API key, just to start and stop instances in allowed regions. But sure, this system is very big and small companies need more time to have full integration of something like this.

nmarjanovic avatar Jul 19 '18 11:07 nmarjanovic

It's 2019 :), as we can see, any updates on this?

ZEROF avatar Jan 28 '19 16:01 ZEROF

Can this year get any worse? First Coronavirus, and now Gandi doesn't implement API scoping. 😭

We want to implement LetsEncrypt DNS API but we want the API key to only be able to make changes to a single DNS record.

lazynooblet avatar Nov 12 '20 12:11 lazynooblet

ping - looking into implementing https://github.com/joohoi/acme-dns/ as a workaround.

voltagex avatar Sep 11 '21 06:09 voltagex
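
The scoping requested in this thread (a read-only key for monitoring, a key confined to one zone, and a key that can change only a single ACME challenge record) can be sketched as a deny-by-default check. This is an added example, not part of the thread and not Gandi's API; the `Scope` model, the `authorize` function and the key names are hypothetical, and the zones and records are constructed samples.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Scope:
    """One grant attached to an API key (hypothetical model)."""
    zone: str                                # exact zone name, lowercase
    name: str = "*"                          # record name pattern inside the zone
    rtype: str = "*"                         # record type, or "*" for any type
    actions: frozenset = frozenset({READ})   # read-only unless stated otherwise

    def allows(self, action, zone, name, rtype):
        # Every dimension must match; a miss on any one refuses the request.
        return (
            action in self.actions
            and zone.lower().rstrip(".") == self.zone
            and fnmatchcase(name.lower(), self.name)
            and self.rtype in ("*", rtype.upper())
        )


# Constructed sample keys, one per use case raised in the thread.
KEYS = {
    # Monitoring dashboard: may count records in the zone, never change them.
    "key-monitoring": [Scope("example.com")],
    # ACME DNS-01 client: may touch one TXT record and nothing else.
    "key-acme": [Scope("example.com", "_acme-challenge.www", "TXT",
                       frozenset({READ, WRITE}))],
    # Dev team: full access, but only inside its own zone.
    "key-dev": [Scope("dev.example.net", actions=frozenset({READ, WRITE}))],
}


def authorize(key_id, action, zone, name, rtype):
    """Deny by default: unknown keys and unmatched requests are refused."""
    return any(s.allows(action, zone, name, rtype)
               for s in KEYS.get(key_id, ()))
```
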