Open buzzsurfr opened 4 years ago
Can you elaborate some on any specific situations where account boundaries are not sufficient? Just want to get a better context and understand your use case 👍
Sure! One such scenario is for multiple development teams with a central operations team that use the same AWS account (and adding more AWS accounts adds complexity). The central team would manage the virtual gateways (or a gateway-like virtual node) and not want to allow other teams to change route behavior to the central ingress location. In the same scenario, one development team does not want to allow another development team to modify routes or settings for their virtual services and nodes, or the security team wants to enact least permissions for each development team to only change resources assigned to them.
Tell us about your request App Mesh will enable authorization at the resource level, including resource prefixes. This will allow customers to create IAM policies and roles for specific resources or groups of resources in App Mesh. These roles can be assumed by multiple accounts, in order to enable multiple accounts to operate in the same mesh, with well-defined resource-level authorizations for each role.
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Are you currently working around this issue? Currently building a single mesh across accounts and using the account boundary to separate permissions, but this doesn't work in every context.
Additional context This is not a duplicate of #20, which was originally focused on cross-account mesh (which has shipped). Simultaneously requesting to rename #20 back to "Mesh across services deployed in different AWS accounts".
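To make the requested prefix-based, resource-level authorization concrete for the scenario in the comment above (central team owns the ingress, each development team may only touch its own resources), here is an added example that is not part of this issue or the App Mesh project: it builds a least-privilege policy for one team and runs a simplified IAM evaluation (explicit deny wins, then any matching allow, otherwise deny) against sample ARNs. The ARN layout and action names are assumed from the App Mesh service authorization reference; the account id, mesh name and team prefix are constructed placeholders.

```python
"""Constructed example: resource-level IAM policy for one team in a shared
App Mesh, plus a minimal evaluator to check what it permits. Assumed ARN
layout: arn:aws:appmesh:REGION:ACCOUNT:mesh/MESH/virtualNode/NAME (and
virtualService, virtualRouter, virtualRouter/NAME/route/NAME, virtualGateway,
virtualGateway/NAME/gatewayRoute/NAME). Account id and names are placeholders."""
from fnmatch import fnmatchcase

MESH = "arn:aws:appmesh:us-east-1:111122223333:mesh/shared-mesh"

def team_policy(team: str) -> dict:
    """Least privilege for one team: write only resources carrying its prefix,
    never the central ingress (virtual gateways and gateway routes), read everything."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyCentralIngress", "Effect": "Deny",
         "Action": ["appmesh:CreateVirtualGateway", "appmesh:UpdateVirtualGateway",
                    "appmesh:DeleteVirtualGateway", "appmesh:CreateGatewayRoute",
                    "appmesh:UpdateGatewayRoute", "appmesh:DeleteGatewayRoute"],
         "Resource": "*"},
        {"Sid": "WriteOwnPrefixedResources", "Effect": "Allow",
         "Action": ["appmesh:Create*", "appmesh:Update*", "appmesh:Delete*"],
         "Resource": [f"{MESH}/virtualNode/{team}-*",
                      f"{MESH}/virtualService/{team}-*",
                      f"{MESH}/virtualRouter/{team}-*",
                      f"{MESH}/virtualRouter/{team}-*/route/*"]},
        {"Sid": "ReadWholeMesh", "Effect": "Allow",
         "Action": ["appmesh:Describe*", "appmesh:List*"], "Resource": "*"},
    ]}

def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match: '*' spans any characters, including '/'."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM decision (no conditions, single identity policy):
    any matching Deny wins, otherwise any matching Allow, otherwise implicit deny."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _matches(s["Action"], action) and _matches(s["Resource"], resource)]
    if "Deny" in effects:
        return False
    return "Allow" in effects

if __name__ == "__main__":
    p = team_policy("team-a")
    print(is_allowed(p, "appmesh:UpdateVirtualNode", f"{MESH}/virtualNode/team-a-api"))  # True
    print(is_allowed(p, "appmesh:UpdateVirtualNode", f"{MESH}/virtualNode/team-b-api"))  # False
```

Because the allow statements are keyed on resource names, the naming prefix is the control point: the evaluator shows that a team-a principal cannot write team-b resources or the gateway, but can still describe the whole mesh.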