Open viniciusdc opened 1 year ago
Related: #107
This link suggests you can see permissions used on Azure through Entra or possibly AzureActivity - https://www.reddit.com/r/AZURE/comments/zg9mk6/any_way_to_audit_the_actual_usage_of_permissions/
https://github.com/iann0036/iamlive It seems it supports Google Cloud and Azure too.
It was also suggested some time ago
Summary
Right now, we redirect users to create their cloud credentials following the base docs on each cloud provider; the problem with this approach is that this might, in some cases, expect the user to have prior knowledge about the cloud provider infrastructure and cloud management, which is not always the case.
And while the provider docs do provide users with more than enough permissions to deploy Nebari, those sets of permissions are not restrictive (in the sense of providing access to some APIs or resources that Nebari does not need or use) and do not provide enough granularity when managing different projects or resources.
We need to explore each cloud provider's scopes/roles to create a custom set of permissions while generating Nebari cloud credentials. An example of such a system can be found here under Custom IAM.
This will benefit our in-depth docs in the future if a user requests detailed information on what Nebari has access to or how they can adapt those accounts to their use cases or cloud policies.
One advantage of doing this exploration is that we can refine the credentials used by admins when deploying Nebari and CI/CD tools when refreshing or deploying the application. This might come in handy in tracking the updated history of the resources using cloud APIs.
Steps to Resolve this Issue
This will require the following: