materials-data-facility / connect_server

The MDF Connect Server is the hosted ETL flow to deeply index datasets into the MDF and connected services.
https://www.materialsdatafacility.org/
Apache License 2.0

Switch to Role Based Auth in AWS Account #76

Closed BenGalewsky closed 11 months ago

BenGalewsky commented 1 year ago

As an Accelerate Developer I want access to only the AWS resources I need so I can securely perform my job

Description

Create a Terraform script to create the MDF connect server role in the AWS account. Assume that Ben B or someone with full permissions runs the terraform script to actually create the role and assign the permissions.

WillEngler commented 1 year ago

Brain dump for context:

I took a first stab at this in Ben's AWS account. Everyone is added to a garden_readonly group by default and can be added to a garden_dev group that has permissions to fiddle around in Lambda. People who need to stand up infra probably need garden_power_user. That said it's pretty broad and I will be very happy for someone else to take a second pass at it! (For example, there's nothing actually targeted to Garden about the groups. It just limits the AWS services the users can hit.)

As for MFA, I wasn't able to figure out how to require it on first log-in. The docs I found to manage that all went through the IAM Identity Center which I don't think we can use. The groups at least all have the ability to set up MFA and I just bugged people to set it up. But again, if someone else can figure out how to force it that would be awesome.

WillEngler commented 1 year ago

(And now I'm looking more at the IAM Identity Center docs and seeing that I should have looked harder at that. It's not as though I tried it and hit a roadblock. I just thought it was strictly for SSO integration. So I thought we couldn't use it because we hail from different institutions. But it seems like it lets you administer traditional password-based logins too, so maybe it's a good fit after all.)
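The MFA question in the two comments above can also be handled without IAM Identity Center, using a plain IAM policy. The following is an added example and is not code from the connect_server repository or from any commenter: it attaches, to an IAM group, a policy that denies every action except MFA enrolment until the caller's session was authenticated with MFA (the `aws:MultiFactorAuthPresent` condition key). The group name is taken from the comment above; the region, policy name and the exact action list are assumptions.

```terraform
# Added example, not the project's own infrastructure code.
# Forces MFA for members of an IAM group: a user without an MFA session can
# only enrol a device and start an MFA session; everything else is denied.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

resource "aws_iam_group" "readonly" {
  name = "garden_readonly" # name from the comment above
}

data "aws_iam_policy_document" "require_mfa" {
  # A user with no MFA session may only look at and enrol their own device.
  # "$${aws:username}" is the HCL escape for the literal IAM variable ${aws:username}.
  statement {
    sid    = "AllowOwnMfaSetup"
    effect = "Allow"
    actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:GetUser",
      "iam:ListMFADevices",
      "iam:ResyncMFADevice",
    ]
    resources = [
      "arn:aws:iam::*:mfa/$${aws:username}",
      "arn:aws:iam::*:user/$${aws:username}",
    ]
  }

  statement {
    sid       = "AllowListVirtualMfaDevices"
    effect    = "Allow"
    actions   = ["iam:ListVirtualMFADevices"]
    resources = ["*"]
  }

  # Explicit deny of everything else whenever the session has no MFA.
  # BoolIfExists makes the deny apply both when the key is "false" and when
  # it is absent (e.g. plain access-key calls made without sts:GetSessionToken).
  statement {
    sid    = "DenyAllExceptMfaSetupWithoutMfa"
    effect = "Deny"
    not_actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:GetUser",
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice",
      "sts:GetSessionToken",
    ]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "require_mfa" {
  name   = "require-mfa" # assumed name
  policy = data.aws_iam_policy_document.require_mfa.json
}

resource "aws_iam_group_policy_attachment" "readonly_require_mfa" {
  group      = aws_iam_group.readonly.name
  policy_arn = aws_iam_policy.require_mfa.arn
}
```

Attach the same policy to every human-facing group (`garden_dev`, `garden_power_user`); the console sets `aws:MultiFactorAuthPresent` to true after an MFA login, and CLI users must obtain temporary credentials with `aws sts get-session-token --serial-number ... --token-code ...` before any other call succeeds. The deny statement takes precedence over whatever allow policies the group otherwise carries, which is what makes this an enforcement rather than a suggestion.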

ericblau commented 1 year ago

That's all great, @WillEngler. We can indeed create IAM users associated with roles that require MFA for login. We can also have roles that get associated with Github Actions (either through keys or SSO integrations.) I have created some roles associated with MDF Connect Serverless prototype AWS infrastructure--we need to determine what the "done" condition is for this task.

ericblau commented 1 year ago

Coming out of a discussion with BenG, I believe that what needs to happen here is that we need to have a terraform deployment that will create a role that has all the permissions necessary to deploy to a given namespace within the Accelerate account. Then, the MDF serverless deployment can be performed using this role (associated with its namespace).

ascourtas commented 11 months ago

Any updates to add to this issue for posterity? I believe this is almost done, yes?

ericblau commented 11 months ago

This is complete, and in the rolesinfra branch of the connect_server repo: https://github.com/materials-data-facility/connect_server/tree/rolesinfra/infra/adminrole

There are two separate terraform deployments. The first, in infra/adminrole only creates an IAM role with enough privileges to deploy the MDF connect server infrastructure (along with a group and relevant policies). The second, in infra/mdf creates a deployment of MDF Connect Server, creating both a prod and test instance. This second terraform deployment defines the role and policies that allow Github actions to modify the lambdas in the deployed MDF Connect Server.
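As an added illustration of the second deployment's CI role (this is not the code in the rolesinfra branch; the namespace prefix, role names, branch name and the use of GitHub's OIDC provider rather than long-lived keys are assumptions), the following Terraform creates a role that a GitHub Actions workflow from one repository can assume, with permissions limited to updating Lambda functions whose names start with the namespace prefix:

```terraform
# Added example, not the rolesinfra branch's own code.
# A GitHub Actions deploy role scoped to one namespace's Lambda functions.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

variable "namespace" {
  description = "Deployment namespace; constrains which Lambda functions CI may modify"
  type        = string
  default     = "mdf-test" # placeholder, e.g. one value per prod/test instance
}

variable "github_repo" {
  description = "GitHub repository allowed to assume the role"
  type        = string
  default     = "materials-data-facility/connect_server"
}

data "aws_caller_identity" "current" {}

# Assumes the GitHub OIDC identity provider already exists in the account.
data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

# Trust policy: only workflows from this repo's main branch, with the
# expected audience, may assume the role via web identity federation.
data "aws_iam_policy_document" "github_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_repo}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_deploy" {
  name               = "${var.namespace}-github-lambda-deploy"
  assume_role_policy = data.aws_iam_policy_document.github_trust.json
}

# Permissions: update code/config of functions in this namespace only.
# No lambda:CreateFunction, no iam:PassRole, so CI cannot widen its own access.
data "aws_iam_policy_document" "lambda_update" {
  statement {
    effect = "Allow"
    actions = [
      "lambda:GetFunction",
      "lambda:UpdateFunctionCode",
      "lambda:UpdateFunctionConfiguration",
      "lambda:PublishVersion",
    ]
    resources = [
      "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:${var.namespace}-*",
    ]
  }
}

resource "aws_iam_role_policy" "lambda_update" {
  name   = "${var.namespace}-lambda-update"
  role   = aws_iam_role.github_deploy.id
  policy = data.aws_iam_policy_document.lambda_update.json
}

output "github_deploy_role_arn" {
  value = aws_iam_role.github_deploy.arn
}
```

The workflow side then requests a token with `permissions: id-token: write` and assumes the role by ARN; because the `sub` condition names the repository and branch, a fork or a feature branch presenting a GitHub token is refused at `AssumeRoleWithWebIdentity`, and because the resource ARN carries the namespace prefix, a compromised workflow in the test namespace cannot touch the prod functions. Running this module twice with different `namespace` values gives the prod and test instances separate roles.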