le-ref-architecture-doc
Enhancement | Reorganize credential sections
Describe the Feature
IAM Credentials and SSO Credentials workflows should be under https://leverage.binbash.com.ar/user-guide/ref-architecture-aws/credentials/
The general idea is to consolidate the sections about SSO, IAM/MFA and all of those related to identities under a single index page section in order to improve the ordering of that information. Note: we do not necessarily want a single page with all the info but a proper entrypoint to all the related topics (SSO, MFA, etc) which then can link to the existing pages about each specific topic.
Let's please consider adding this => https://binbashar.slack.com/archives/GG0PJ78J3/p1672845845930149
@angelofenoglio let's consider adding this info in the doc or closer to the code if needed to keep this into consideration:
The reason for the `SRC_*` AWS files. Yes, it's legacy, but we still need it - it's the reason why Terraform works in the container. When you start the container, the `config` file on your host contains the profiles from which we obtain the information that allows us to assume the IAM role, while the `credentials` file contains the credentials to assume that IAM role. These two files are mounted at `/root/tmp/<project>` to make them available and obtain that information. Once the roles are assumed, those credentials are written to `/root/.aws/<project>/credentials` (inside the container) under the name of the profile from which the information was obtained to assume the role (`[profile <project>-security-devops]`, for example) so that they are available for Terraform. If we were to write those credentials instead to `/root/tmp/<project>/credentials` and point `AWS_SHARED_CREDENTIALS_FILE` there, they would be overshadowed by the profiles defined in `/root/tmp/<project>/config`, and Terraform would not be able to see them, as well as pollute the credentials of the host.
CC: @Franr @diego-ojeda-binbash @juanmatias
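The quoted explanation describes a specific file layout: host-side `config`/`credentials` mounted under `/root/tmp/<project>`, and assumed-role credentials written to a separate, container-private `/root/.aws/<project>/credentials` under the same profile name. The script below is an added example (not Leverage's own code, and not taken from this issue or the linked PR) that models that layout so a reader can see why the two locations are kept apart. The profile, account id, key ids and the AssumeRole output are constructed values; no STS call is made. The mapping of `AWS_CONFIG_FILE` to the mounted config is my assumption, not something the thread states.

```python
"""Added example: model the credential file layout described in the thread.
Not Leverage's code. All paths, profile names and secrets are constructed."""
import configparser
import os
import stat
import tempfile

# Constructed host-side config, as it would be mounted at /root/tmp/<project>/config.
# The profile holds only the information needed to assume a role, not long-lived keys.
HOST_CONFIG = """\
[profile example-security-devops]
role_arn = arn:aws:iam::111111111111:role/DevOps
source_profile = example-base
mfa_serial = arn:aws:iam::111111111111:mfa/example-user
region = us-east-1
"""

# Constructed host-side credentials file (mounted at /root/tmp/<project>/credentials).
HOST_CREDENTIALS = """\
[example-base]
aws_access_key_id = AKIAEXAMPLEBASEKEY00
aws_secret_access_key = constructed-base-secret
"""

# Constructed stand-in for what an STS AssumeRole call would return.
ASSUMED = {
    "AccessKeyId": "ASIAEXAMPLEASSUMED00",
    "SecretAccessKey": "constructed-assumed-secret",
    "SessionToken": "constructed-session-token",
}


def role_profiles(config_text):
    """Return {profile_name: options} for every config profile that assumes a role."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    found = {}
    for section in cp.sections():
        if section.startswith("profile ") and cp.has_option(section, "role_arn"):
            found[section[len("profile "):]] = dict(cp[section])
    return found


def write_assumed_credentials(path, profile_name, creds):
    """Write temporary credentials under the SAME profile name, into the
    container-private credentials file, so Terraform finds them by that name."""
    cp = configparser.ConfigParser()
    if os.path.exists(path):
        cp.read(path)
    cp[profile_name] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        cp.write(fh)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # temporary secrets: owner-only
    return path


def read_profile(path, profile_name):
    """Read back one section of a credentials file as a plain dict."""
    cp = configparser.ConfigParser()
    cp.read(path)
    return dict(cp[profile_name])


def is_under(path, directory):
    """True when `path` lives inside `directory` (after resolving symlinks)."""
    directory = os.path.realpath(directory)
    return os.path.commonpath([os.path.realpath(path), directory]) == directory


def run_demo(project="example", root=None):
    """Lay out the files as the thread describes, using `root` in place of /root."""
    root = root or tempfile.mkdtemp()
    mounted = os.path.join(root, "tmp", project)        # host files appear here
    private = os.path.join(root, ".aws", project)       # container-only location
    os.makedirs(mounted, exist_ok=True)
    for name, text in (("config", HOST_CONFIG), ("credentials", HOST_CREDENTIALS)):
        with open(os.path.join(mounted, name), "w") as fh:
            fh.write(text)
    host_before = open(os.path.join(mounted, "credentials")).read()
    target = os.path.join(private, "credentials")
    written = []
    for name in role_profiles(HOST_CONFIG):
        write_assumed_credentials(target, name, ASSUMED)  # STS output is constructed
        written.append(name)
    host_after = open(os.path.join(mounted, "credentials")).read()
    return {
        "profiles": written,
        "credentials_file": target,
        "separate_from_mount": not is_under(target, mounted),
        "host_credentials_untouched": host_before == host_after,
        # Assumption (not from the thread): which env vars would point at each file.
        "env": {"AWS_CONFIG_FILE": os.path.join(mounted, "config"),
                "AWS_SHARED_CREDENTIALS_FILE": target},
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it writes the assumed credentials only under `<root>/.aws/<project>/credentials`, leaves the mounted host `credentials` file byte-for-byte unchanged, and reports the profile names that were written; the two checks in the returned dict are the properties the thread cares about (no shadowing by the mounted files, no pollution of the host's credentials).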
Given that so much has changed since we last worked on this issue, here's what I think is still missing and thus what I think this issue should be about:
- We still need some sort of entry page in the documentation that briefly explains how Leverage handles credentials and then links to specific sections for further details.
- E.g. what's the preferred way (SSO)? Links to how that's set up in AWS, links to how the CLI integrates with it. What do we use base-identities for? And examples of that. How can I troubleshoot credentials issues?
Therefore, this issue still applies.
Note on this thread https://binbashar.slack.com/archives/GG0PJ78J3/p1672845845930149 => The definitions are here https://binbashar.slack.com/archives/GG0PJ78J3/p1672847354433219?thread_ts=1672845845.930149&cid=GG0PJ78J3 -- you can safely skip the rest as those questions and discussions add some noise and are actually not related to this issue which is only about the documentation. Any changes to the Ref Arch's baseline, even if it's about credentials, should be part of a different issue.
Changes can be seen in this PR: https://github.com/binbashar/le-ref-architecture-doc/pull/207