AWS Temporary Permission Granting Tool for Account/Service "Firefights"
Problem
I'm looking for a service or third party solution that allows for granting temporary access to an IAM user (or group) to one or more services in an AWS account.
The example I have is there is an outage in a production account, and I would like to grant temporary access to developers/sys admins to resolve the issue. Under normal circumstances, they would not have access to this particular service/account.
Ideally, I would like this to be a managed off-the-shelf solution vs something like STS, which would require quite a bit of configuration. Example: a system outage occurs for unknown reasons in a production account that the on-call SRE does not normally have access to. A manager or lead should quickly be able to temporarily escalate privileges for the user until the "firefight" is resolved.
Solution
- Create an IAM role in prod with all the permissions you'd like the devs to have.
- When you want devs to have prod access, add the sts:AssumeRole permission (scoped to that role's ARN) to their IAM group.
- When it's time to revoke access, remove the sts:AssumeRole permission.
More details in my blog article here.
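The three policy documents behind the answer above, plus the one caveat a practitioner hits in practice: removing sts:AssumeRole from the group stops new sessions, but temporary credentials that were already issued stay valid until they expire (up to the role's MaxSessionDuration). Cutting those off needs a Deny on the role conditioned on aws:TokenIssueTime, which is what the IAM console's "Revoke active sessions" button attaches. This is an added example, not code from the answer or the linked blog article; the account IDs, the role name Firefighter, and the one-hour session duration are assumptions, and the evaluation functions are a deliberately simplified model of IAM policy evaluation (single-string Action/Resource, explicit Deny wins) rather than AWS's full algorithm.

```python
"""Firefight access: a prod role whose use is toggled by sts:AssumeRole on the dev group.

Constructed example. DEV_ACCOUNT, PROD_ACCOUNT, the role name and MAX_SESSION are
assumptions, not values from the original post.
"""
import json
from datetime import datetime, timedelta, timezone

DEV_ACCOUNT = "111111111111"    # assumed: where the developers' IAM users/groups live
PROD_ACCOUNT = "222222222222"   # assumed: the production account being firefought
FIREFIGHT_ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/Firefighter"
MAX_SESSION = timedelta(hours=1)  # assumed role MaxSessionDuration (AWS default is 1h)
_TS = "%Y-%m-%dT%H:%M:%SZ"


def trust_policy(dev_account: str, require_mfa: bool = True) -> dict:
    """Trust policy for the prod role: lets principals in the dev account assume it.
    Which users actually get in is then decided by whether their group carries
    sts:AssumeRole for this role, which is the on/off switch the answer describes."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{dev_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:  # cheap extra gate for a role that carries prod permissions
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(role_arn: str) -> dict:
    """Inline policy attached to the dev group while the firefight is on.
    Scoped to the one role ARN so the group cannot assume anything else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def revoke_sessions_policy(cutoff: datetime) -> dict:
    """Deny everything to credentials issued before `cutoff`. Same shape as the
    inline policy the IAM console attaches under 'Revoke active sessions'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff.strftime(_TS)}}}]}


def _statements(policies):
    for policy in policies:
        yield from policy["Statement"]


def can_assume(group_policies: list, role_arn: str) -> bool:
    """Simplified evaluation of one AssumeRole call against the group's policies:
    an explicit Deny wins, otherwise some Allow must cover sts:AssumeRole on the role."""
    allowed = denied = False
    for s in _statements(group_policies):
        if s["Action"] in ("sts:AssumeRole", "*") and s.get("Resource") in (role_arn, "*"):
            if s["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied


def session_usable(role_policies: list, issued_at: datetime, now: datetime) -> bool:
    """Are temporary credentials issued at `issued_at` still usable at `now`?
    They die with the session duration, or early if a Deny on the role names an
    aws:TokenIssueTime cutoff later than the issue time."""
    if now >= issued_at + MAX_SESSION:
        return False
    for s in _statements(role_policies):
        cutoff = s.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if s["Effect"] == "Deny" and cutoff:
            cutoff_dt = datetime.strptime(cutoff, _TS).replace(tzinfo=timezone.utc)
            if issued_at < cutoff_dt:
                return False
    return True


def firefight_timeline() -> dict:
    """Grant -> assume -> revoke, showing what each step does and does not change."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    group_policies, role_policies = [], []

    group_policies.append(assume_role_policy(FIREFIGHT_ROLE_ARN))   # lead grants access
    opened = can_assume(group_policies, FIREFIGHT_ROLE_ARN)         # SRE assumes the role at t0

    t_revoke = t0 + timedelta(minutes=20)
    group_policies.clear()                                          # lead removes sts:AssumeRole
    reopen = can_assume(group_policies, FIREFIGHT_ROLE_ARN)         # no new sessions possible
    later = t_revoke + timedelta(minutes=5)
    still_live = session_usable(role_policies, t0, later)           # but the t0 session still works

    role_policies.append(revoke_sessions_policy(t_revoke))          # force-expire older sessions
    cut_off = session_usable(role_policies, t0, later)
    return {"opened": opened, "reopen": reopen, "still_live": still_live, "cut_off": cut_off}


if __name__ == "__main__":
    print(json.dumps(assume_role_policy(FIREFIGHT_ROLE_ARN), indent=2))
    print(firefight_timeline())
```

In real use the group toggle is `aws iam put-group-policy` / `aws iam delete-group-policy` with the assume_role_policy document, and the session cutoff is `aws iam put-role-policy` on the prod role with the revoke_sessions_policy document (or the console button); drop that Deny again once every pre-cutoff session has aged out, since it also blocks any later session issued before the cutoff time.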
Context
StackExchange DevOps Q#11893, answer score: 1