update aws access doc for saml role mappings

Signed-off-by: Mark O Brien <markobri@redhat.com>
Mark O Brien 2022-04-22 12:10:57 +01:00 committed by mobrien
parent 24b185baab
commit 508897bc70


@ -60,20 +60,20 @@ You'll need this in the mapping below.
=== Adding a group to FAS
When finished, login to FAS and create a group to correspond to the new
When finished, login to ipa and create a group to correspond to the new
role. Use the prefix _aws-_ to denote new AWS roles in FAS. This makes
them easier to locate in a search.
It may be appropriate to set group ownership for _aws-_ groups to an
Infrastructure team principal, and then add others as users or sponsors.
This is especially worth considering for groups that have modify (full)
access to an AWS resource.
Add the relevant sponsors as appropriate to the group. If the group allows
a high level of access it should be monitored to ensure it is not being
misused.
=== Adding an IAM role mapping in Ipsilon
Add the new role mapping for FAS group to Role ARN in the ansible git
repo, under _roles/ipsilon/files/infofas.py_. Current mappings look like
this:
Clone the git repo available here: https://pagure.io/fedora-infra/ipsilon-fedora
Edit the file ipsilon/info/infofas.py add the new role mapping following
the examples below
....
aws_groups = {
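Review bot: the rename from FAS to ipa is only applied to one sentence, so the hunk leaves the section inconsistent: the heading "=== Adding a group to FAS", "Use the prefix _aws-_ to denote new AWS roles in FAS" and "Add the new role mapping for FAS group to Role ARN" all still say FAS while the login instruction now says ipa. Update those lines in the same change (and write IPA consistently, matching whatever capitalisation the rest of the doc uses). In the new instructions, "Edit the file ipsilon/info/infofas.py add the new role mapping following the examples below" needs punctuation, e.g. "Edit the file ipsilon/info/infofas.py and add the new role mapping, following the examples below:", since the `....` literal block that follows is the example being referred to. Since these groups gate who can assume an AWS role, it is also worth keeping the old sentence about where the current mappings live, now pointed at the ipsilon-fedora repo, so a reader can review the existing mappings before adding one.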
@ -85,8 +85,9 @@ aws_groups = {
}
....
Add your mapping to the dictionary as shown. Start a new build/rollout
of the ipsilon project in openshift to make the changes live.
Add your mapping to the dictionary as shown. Create a pull request against
the ipsilon-fedora repo. When this is merged run the ipsilon playbook to take
in the new changes.
=== User accounts
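Review bot: "run the ipsilon playbook" is too vague for a runbook step; name the playbook (path and the command used to run it) so the person applying the change does not have to guess. The old text said a new build/rollout of the ipsilon project in openshift was needed to make the change live, and the new text drops that without saying whether the playbook performs the rollout itself; state explicitly that the playbook run is what makes the new role mapping live (or that a rollout is still required), because an unapplied mapping fails silently as a missing role rather than as an error. Minor wording: "to take in the new changes" reads better as "to pick up the new changes".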