From 508897bc700ea52d783ef96952a17ae48e957a29 Mon Sep 17 00:00:00 2001 From: Mark O Brien Date: Fri, 22 Apr 2022 12:10:57 +0100 Subject: [PATCH] update aws acess doc for saml role mappings Signed-off-by: Mark O Brien --- modules/sysadmin_guide/pages/aws-access.adoc | 21 ++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/modules/sysadmin_guide/pages/aws-access.adoc b/modules/sysadmin_guide/pages/aws-access.adoc index adc45c6..324c64c 100644 --- a/modules/sysadmin_guide/pages/aws-access.adoc +++ b/modules/sysadmin_guide/pages/aws-access.adoc @@ -60,20 +60,20 @@ You'll need this in the mapping below. === Adding a group to FAS -When finished, login to FAS and create a group to correspond to the new +When finished, login to ipa and create a group to correspond to the new role. Use the prefix _aws-_ to denote new AWS roles in FAS. This makes them easier to locate in a search. -It may be appropriate to set group ownership for _aws-_ groups to an -Infrastructure team principal, and then add others as users or sponsors. -This is especially worth considering for groups that have modify (full) -access to an AWS resource. +Add the relevant sponsors as appropriate to the group. If the group allows +a high level of access it should be monitored to ensure it is not being +misused. === Adding an IAM role mapping in Ipsilon -Add the new role mapping for FAS group to Role ARN in the ansible git -repo, under _roles/ipsilon/files/infofas.py_. Current mappings look like -this: +Clone the git repo available here: https://pagure.io/fedora-infra/ipsilon-fedora + +Edit the file ipsilon/info/infofas.py add the new role mapping following +the examples below .... aws_groups = { 
@@ -85,8 +85,9 @@ aws_groups = { } .... -Add your mapping to the dictionary as shown. Start a new build/rollout -of the ipsilon project in openshift to make the changes live. +Add your mapping to the dictionary as shown. Create a pull request against +the ipsilon-fedora repo. When this is merged run the ipsilon playbook to take +in the new changes. === User accounts
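Review bot: In the first hunk (@@ -60,20 +60,20 @@) the changed line now says "login to ipa" while the heading "=== Adding a group to FAS" and the following sentence "denote new AWS roles in FAS" are left as they were, so the section names two different identity systems for one step; update the heading and that sentence to match the new instruction, and capitalise "IPA" consistently. The replacement paragraph "If the group allows a high level of access it should be monitored to ensure it is not being misused" drops the concrete advice it replaces (group ownership held by an Infrastructure team principal, with others added as users or sponsors) without saying who monitors the group, what is reviewed, or how often; state who is responsible for reviewing membership of high-access _aws-_ groups and at what interval, otherwise the sentence gives the operator nothing to act on. The added line "Edit the file ipsilon/info/infofas.py add the new role mapping following the examples below" is also missing a conjunction and its closing punctuation; suggest "Edit the file _ipsilon/info/infofas.py_ and add the new role mapping, following the examples below:".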
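Review bot: In the second hunk (@@ -85,8 +85,9 @@) "run the ipsilon playbook" names neither the playbook nor where it is run from, whereas the removed text pointed at a concrete action (a new build/rollout of the ipsilon project in openshift); give the playbook name and the host or repository it is run from, or link the page that documents it, so the reader can perform the step. A comma after "When this is merged" would help readability. Consider closing the procedure with a verification step that tells the operator how to confirm the new mapping is live after the playbook run, since the change now routes the update through a pull request plus a separate deployment and there is no longer a single visible rollout to check.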