VerticalRelevance / cabana

An application for managing pools of AWS accounts.
Apache License 2.0

Account list web view #8

Open dnaphas-vri opened 1 year ago

dnaphas-vri commented 1 year ago

Add a view that lists the accounts in your org.

douglasnaphas commented 1 year ago

TODO

douglasnaphas commented 1 year ago

I should probably figure out authentication via Cognito Identity User Pools and, ideally, Active Directory. Probably better to not have a public view listing AWS accounts for an org.

douglasnaphas commented 1 year ago

https://aws.amazon.com/blogs/security/role-based-access-control-using-amazon-cognito-and-an-external-identity-provider/

douglasnaphas commented 1 year ago

The IdP should live in a separate repo, stack, and account from Cabana. That will mimic how it will actually be used. I could use IAM Identity Center to start with, and then have a separate deployment? Of the same Cabana repo? In a separate account that shows how to use it with AD.

douglasnaphas commented 1 year ago

Regarding overall system architecture, I'll use tagging, with access control to prevent messing up the tags, instead of maintaining a shadow database living in Cabana keeping track of accounts.