Open dnaphas-vri opened 1 year ago
`mgmtAccountDeployerRoleStack`. I just deployed the `roleStack`, which I might rename `deployerRoleStack`, in the mgmt account. `mgmtAccountReadRole`, deployed via OIDC, with trust permissions set up so that the app can assume it.

I should probably figure out authentication via Cognito Identity User Pools and, ideally, Active Directory. Probably better to not have a public view listing AWS accounts for an org.
The IdP should live in a separate repo, stack, and account from Cabana. That will mimic how it will actually be used. I could use IAM Identity Center to start with, and then have a separate deployment? Of the same Cabana repo? In a separate account that shows how to use it with AD.
Regarding overall system architecture, I'll use tagging, with access control to prevent messing up the tags, instead of maintaining a shadow database living in Cabana keeping track of accounts.
Add a view that lists the accounts in your org.
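An added example, not code from the Cabana repo, sketching the two points above as CloudFormation: a read role in the mgmt account that the app can assume (trusting an app role ARN and an external ID, both assumed placeholders, since the issue does not say where the app runs) and that may list org accounts and their tags but is explicitly denied from adding, changing or stripping any tag under an assumed `cabana:` prefix, so the tags stay the source of truth without a shadow database.

```yaml
# Added example, not from the Cabana repo. The app role ARN, the external ID
# and the "cabana:" tag prefix are assumptions; replace the placeholders.
Resources:
  MgmtAccountReadRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: mgmtAccountReadRole          # role name from the issue
      # Trust: only the app's execution role may assume this role, and only
      # when it presents the agreed external ID (confused-deputy guard).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::APP_ACCOUNT_ID_PLACEHOLDER:role/CabanaAppRole
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: EXTERNAL_ID_PLACEHOLDER
      Policies:
        - PolicyName: ReadOrgAccountsNeverMutateTags
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read-only view of the org: enough for a "list accounts" page
              - Sid: ReadOrgAccountsAndTags
                Effect: Allow
                Action:
                  - organizations:ListAccounts
                  - organizations:DescribeAccount
                  - organizations:ListTagsForResource
                Resource: "*"
              # Explicit Deny wins over any Allow later attached to this role:
              # the read path can never mutate a cabana:* tag, so a bug in the
              # view (or a compromised app session) cannot corrupt the inventory.
              - Sid: DenyCabanaTagMutation
                Effect: Deny
                Action:
                  - organizations:TagResource
                  - organizations:UntagResource
                Resource: "*"
                Condition:
                  ForAnyValue:StringLike:
                    aws:TagKeys:
                      - "cabana:*"
```

Whichever principal is allowed to set `cabana:*` tags gets a separate, narrower policy; nothing the app assumes should carry that permission.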