Open LesnyRumcajs opened 6 months ago
@LesnyRumcajs, unfortunately, from my understanding DigitalOcean lacks the direct feature to create service accounts distinct from human user accounts for the purpose of automation or infrastructure management. To implement a system where each service (like forest-iac, forest-automation) operates under a separate 'user', you would need to set up individual user accounts for each service. This approach not only increases management overhead but also complicates access control. User management is a big flaw in DigitalOcean.
I am aware that DO lacks service accounts. This issue is about a separate automation account, one for all services managed via this repository.
@LesnyRumcajs, got it. Just to make sure I'm understanding correctly: to set up a dedicated account for automation, we'd need to create a dedicated account for automation. We would have to create a new, fresh DO account, unless what you're suggesting is more along the lines of creating a dedicated user within an existing account or utilizing the My Teams feature.
Yeah, it'd most likely need to be a fresh DO user, i.e., forest-automation.
Issue summary
Right now, our personal keys are in the secrets, making it difficult to audit changes on DigitalOcean (who deployed the service: was it David, GitHub on behalf of David, or Hubert who found his key somewhere?).
There should be a distinct user (forest-iac, forest-automation, leshy, ...) that handles this and makes it easier to track changes. It is also good from a security standpoint.

Other information and links