AWS Temporary Permission Granting Tool for Account/Service "Firefights"


Problem

I'm looking for a service or third party solution that allows for granting temporary access to an IAM user (or group) to one or more services in an AWS account.

The example I have is there is an outage in a production account, and I would like to grant temporary access to developers/sys admins to resolve the issue. Under normal circumstances, they would not have access to this particular service/account.

Ideally, I would like this to be a managed off the shelf solution vs something like STS, which would require quite a bit of configuration. Example, a system outage occurs for unknown reasons in a production account that the on call SRE does not normally have access to. A manager or lead should quickly be able to temporarily escalate privileges for the user until the "firefight" is resolved.

Solution

  • Create an IAM role in prod with all the permissions you'd like the devs to have.
  • When you want devs to have prod access, add the sts:AssumeRole permission to their IAM group.
  • When it's time to revoke access, remove the sts:AssumeRole permission.

More details in my blog article here.
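The three steps in the answer above, as an added example that is not part of the original answer or of any AWS product: a small Python module that builds the policy documents, toggles the group's sts:AssumeRole permission on and off, and checks whether the group currently has it. The IAM client is injected, so the module runs offline against the constructed `FakeIam` stub at the bottom; with boto3 installed you would pass `boto3.client("iam")` instead, since the stub mirrors the real `create_role`, `attach_role_policy`, `put_group_policy`, `delete_group_policy`, `list_group_policies` and `get_group_policy` call signatures. The account id, role name, group name and policy name are assumed placeholders.

```python
import json

ACCOUNT_ID = "123456789012"               # constructed placeholder, not a real account
ROLE_NAME = "ProdFirefightRole"           # assumed name of the role created in prod
GROUP_NAME = "Developers"                 # assumed name of the devs' IAM group
POLICY_NAME = "AllowAssumeProdFirefight"  # assumed name of the toggled inline policy
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"


def trust_policy(account_id):
    """Trust policy for the firefight role: principals in this account, MFA required."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }]}


def assume_role_policy(role_arn):
    """The group policy that gets added and removed: AssumeRole on exactly one role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn,
    }]}


def create_firefight_role(iam, role_name, account_id, permission_policy_arns,
                          max_session_seconds=3600):
    """Step 1: create the role in prod and attach the permissions firefighters need.
    A short MaxSessionDuration bounds how long credentials obtained before
    revocation keep working."""
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust_policy(account_id)),
                    MaxSessionDuration=max_session_seconds)
    for arn in permission_policy_arns:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def grant_firefight_access(iam, group_name, role_arn):
    """Step 2: give the group sts:AssumeRole on the firefight role."""
    doc = assume_role_policy(role_arn)
    iam.put_group_policy(GroupName=group_name, PolicyName=POLICY_NAME,
                         PolicyDocument=json.dumps(doc))
    return doc


def revoke_firefight_access(iam, group_name):
    """Step 3: remove the permission again once the firefight is over."""
    iam.delete_group_policy(GroupName=group_name, PolicyName=POLICY_NAME)


def group_allows_assume(iam, group_name, role_arn):
    """Inspect the group's inline policies: an explicit Deny wins, otherwise any
    Allow on sts:AssumeRole covering role_arn (or '*') counts as access."""
    allowed = False
    for name in iam.list_group_policies(GroupName=group_name)["PolicyNames"]:
        doc = iam.get_group_policy(GroupName=group_name, PolicyName=name)["PolicyDocument"]
        if isinstance(doc, str):  # boto3 returns a dict; tolerate raw JSON too
            doc = json.loads(doc)
        for stmt in doc.get("Statement", []):
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            resources = stmt.get("Resource", [])
            resources = resources if isinstance(resources, list) else [resources]
            if "sts:AssumeRole" not in actions or not ({role_arn, "*"} & set(resources)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


class FakeIam:
    """Constructed offline stand-in for boto3.client('iam'); records the calls above."""
    def __init__(self):
        self.roles, self.group_policies = {}, {}

    def create_role(self, RoleName, AssumeRolePolicyDocument, MaxSessionDuration=3600):
        self.roles[RoleName] = {"Trust": json.loads(AssumeRolePolicyDocument),
                                "MaxSessionDuration": MaxSessionDuration, "Attached": []}

    def attach_role_policy(self, RoleName, PolicyArn):
        self.roles[RoleName]["Attached"].append(PolicyArn)

    def put_group_policy(self, GroupName, PolicyName, PolicyDocument):
        self.group_policies.setdefault(GroupName, {})[PolicyName] = json.loads(PolicyDocument)

    def delete_group_policy(self, GroupName, PolicyName):
        self.group_policies.get(GroupName, {}).pop(PolicyName, None)

    def list_group_policies(self, GroupName):
        return {"PolicyNames": list(self.group_policies.get(GroupName, {}))}

    def get_group_policy(self, GroupName, PolicyName):
        return {"PolicyDocument": self.group_policies[GroupName][PolicyName]}


if __name__ == "__main__":
    iam = FakeIam()
    arn = create_firefight_role(iam, ROLE_NAME, ACCOUNT_ID,
                                ["arn:aws:iam::aws:policy/ReadOnlyAccess"])
    grant_firefight_access(iam, GROUP_NAME, arn)
    print("during firefight, group can assume:", group_allows_assume(iam, GROUP_NAME, arn))
    revoke_firefight_access(iam, GROUP_NAME)
    print("after revoke, group can assume:", group_allows_assume(iam, GROUP_NAME, arn))
```

Two points worth keeping in mind with this pattern: removing the group permission stops new AssumeRole calls, but credentials already issued by STS stay valid until their session expires, which is why the role is created with a short MaxSessionDuration; and every AssumeRole call and every action taken under the role's session shows up in CloudTrail, so the firefight leaves an audit trail of who escalated and what they did.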

Context

StackExchange DevOps Q#11893, answer score: 1
