Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Improve Identity Documentation #665

Merged
merged 6 commits into from
Aug 22, 2024
Merged

feat: Improve Identity Documentation #665

merged 6 commits into from
Aug 22, 2024

Conversation

milldr
Copy link
Member

@milldr milldr commented Aug 21, 2024

what

  • Updated identity documentation
  • Added mermaid diagrams

why

  • Identity is a common point of confusing. We'd like to improve documentation
  • Lucid is no longer supported internally. Instead we use mermaid

references

  • customer

@milldr milldr marked this pull request as ready for review August 21, 2024 19:55
aknysh
aknysh reviewed Aug 21, 2024
View reviewed changes
Copy link
Member

@aknysh aknysh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, a few typos/nitpicks

@milldr milldr merged commit 276ecaa into master Aug 22, 2024
3 checks passed
@milldr milldr deleted the feat/improve-identity-docs branch August 22, 2024 13:31
osterman
osterman reviewed Aug 22, 2024
View reviewed changes
docs/layers/identity/centralized-terraform-access.mdx
Comment on lines +128 to +135
user1_copy["User 1 Copy"]
user2_copy["User 2 Copy"]
user3_copy["User 3 Copy"]
group1_copy["Group 1 Copy"]
permissions["Permission Sets"]
user1_copy -.-> group1_copy
user2_copy -.-> group1_copy
user3_copy -.-> group1_copy
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are copies? Is this a term used by Identity Center?

osterman
osterman reviewed Aug 22, 2024
View reviewed changes
docs/layers/identity/centralized-terraform-access.mdx

:::tip AWS IAM Identity Center or AWS SAML? Which do I choose?

The vast majority of our customers prefer AWS IAM Identity Center (SSO). The convenience of a web console login is hard to beat. However, some customers prefer SAML for its simplicity and compatibility with existing systems. We support both methods, and you can choose the one that best fits your needs.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the part we gloss over is that you always deploy aws-saml because it's how the identity architecture is implemented for automation. The option is whehter or not they also deploy AWS SSO.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we dont need aws-saml for automation. GH uses OIDC to assume the team directly - saml isnt involved

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GH OIDC as a whole isnt explained in this layer. We should document somewhere specifically how it works - assuming a team from github, using a mixin, github-oidc-role, or something else, etc

We have this, but it's about OIDC as a process not for our architecture
https://docs.cloudposse.com/layers/github-actions/github-oidc-with-aws/

osterman
osterman reviewed Aug 22, 2024
View reviewed changes
docs/layers/identity/centralized-terraform-access.mdx
@@ -60,8 +218,55 @@ Follow the Identity Providers documentation for adding a SAML login.

With AWS SAML, we create a federated SAML login that connects to the "team" in the identity account, and then users can assume other roles from there. We use the [AWS Extend Switch Roles plugin](https://github.com/tilfinltd/aws-extend-switch-roles) that makes this much easier, but it's not as intuitive as Identity Center.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should explain somewhere what we mean by federated

Federated login means that instead of managing separate credentials for each AWS account, users authenticate through a centralized identity provider (IdP). This allows them to access multiple AWS accounts or services using a single set of credentials, based on trust relationships established between the IdP and AWS.

@milldr milldr mentioned this pull request Aug 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@osterman osterman osterman left review comments

@aknysh aknysh aknysh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@milldr @osterman @aknysh