feat: Improve Identity Documentation #665

milldr · 2024-08-21T19:35:19Z

what

Updated identity documentation
Added mermaid diagrams

why

Identity is a common point of confusing. We'd like to improve documentation
Lucid is no longer supported internally. Instead we use mermaid

references

customer

docs/layers/identity/identity.mdx

docs/layers/identity/centralized-terraform-access.mdx

docs/layers/identity/identity.mdx

aknysh

looks good, a few typos/nitpicks

Co-authored-by: Andriy Knysh <[email protected]>

osterman · 2024-08-22T13:40:41Z

docs/layers/identity/centralized-terraform-access.mdx

+        user1_copy["User 1 Copy"]
+        user2_copy["User 2 Copy"]
+        user3_copy["User 3 Copy"]
+        group1_copy["Group 1 Copy"]
+        permissions["Permission Sets"]
+        user1_copy -.-> group1_copy
+        user2_copy -.-> group1_copy
+        user3_copy -.-> group1_copy


What are copies? Is this a term used by Identity Center?

docs/layers/identity/centralized-terraform-access.mdx

docs/layers/identity/identity.mdx

docs/layers/identity/centralized-terraform-access.mdx

osterman · 2024-08-22T13:55:27Z

docs/layers/identity/centralized-terraform-access.mdx

+
+:::tip AWS IAM Identity Center or AWS SAML? Which do I choose?
+
+The vast majority of our customers prefer AWS IAM Identity Center (SSO). The convenience of a web console login is hard to beat. However, some customers prefer SAML for its simplicity and compatibility with existing systems. We support both methods, and you can choose the one that best fits your needs.


I think the part we gloss over is that you always deploy aws-saml because it's how the identity architecture is implemented for automation. The option is whehter or not they also deploy AWS SSO.

we dont need aws-saml for automation. GH uses OIDC to assume the team directly - saml isnt involved

GH OIDC as a whole isnt explained in this layer. We should document somewhere specifically how it works - assuming a team from github, using a mixin, github-oidc-role, or something else, etc

We have this, but it's about OIDC as a process not for our architecture
https://docs.cloudposse.com/layers/github-actions/github-oidc-with-aws/

osterman · 2024-08-22T13:56:47Z

docs/layers/identity/centralized-terraform-access.mdx

@@ -60,8 +218,55 @@ Follow the Identity Providers documentation for adding a SAML login.

 With AWS SAML, we create a federated SAML login that connects to the "team" in the identity account, and then users can assume other roles from there. We use the [AWS Extend Switch Roles plugin](https://github.com/tilfinltd/aws-extend-switch-roles) that makes this much easier, but it's not as intuitive as Identity Center.


We should explain somewhere what we mean by federated

Federated login means that instead of managing separate credentials for each AWS account, users authenticate through a centralized identity provider (IdP). This allows them to access multiple AWS accounts or services using a single set of credentials, based on trust relationships established between the IdP and AWS.

updated identity documentation, added mermaid diagrams

509ca10

milldr marked this pull request as ready for review August 21, 2024 19:55

updated identity documentation, added mermaid diagrams

76cc068

milldr temporarily deployed to preview August 21, 2024 21:07 — with GitHub Actions Inactive

updated identity documentation, added mermaid diagrams

2ea1a6a

milldr had a problem deploying to preview August 21, 2024 21:30 — with GitHub Actions Failure

Update example for centralized Terraform access configuration

54e104c

milldr temporarily deployed to preview August 21, 2024 21:33 — with GitHub Actions Inactive