update aws access doc for saml role mappings
Signed-off-by: Mark O Brien <markobri@redhat.com>
parent
24b185baab
commit
508897bc70
1 changed files with 11 additions and 10 deletions
|
@ -60,20 +60,20 @@ You'll need this in the mapping below.
|
|||
|
||||
=== Adding a group to FAS
|
||||
|
||||
When finished, login to FAS and create a group to correspond to the new
|
||||
When finished, login to ipa and create a group to correspond to the new
|
||||
role. Use the prefix _aws-_ to denote new AWS roles in FAS. This makes
|
||||
them easier to locate in a search.
|
||||
|
||||
It may be appropriate to set group ownership for _aws-_ groups to an
|
||||
Infrastructure team principal, and then add others as users or sponsors.
|
||||
This is especially worth considering for groups that have modify (full)
|
||||
access to an AWS resource.
|
||||
Add the relevant sponsors as appropriate to the group. If the group allows
|
||||
a high level of access it should be monitored to ensure it is not being
|
||||
misused.
|
||||
|
||||
=== Adding an IAM role mapping in Ipsilon
|
||||
|
||||
Add the new role mapping for FAS group to Role ARN in the ansible git
|
||||
repo, under _roles/ipsilon/files/infofas.py_. Current mappings look like
|
||||
this:
|
||||
Clone the git repo available here: https://pagure.io/fedora-infra/ipsilon-fedora
|
||||
|
||||
Edit the file ipsilon/info/infofas.py add the new role mapping following
|
||||
the examples below
|
||||
|
||||
....
|
||||
aws_groups = {
|
||||
|
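Review bot: The "Adding a group to FAS" section now mixes two system names: the login sentence says "login to ipa", but the heading and the following sentence ("to denote new AWS roles in FAS") still say FAS, so a reader cannot tell where the _aws-_ group must be created. Rename those two remaining mentions to match. In the same section, the sponsors paragraph says a high-access group "should be monitored" without saying who reviews membership or how; if it replaces the paragraph about giving ownership of modify (full) access groups to an Infrastructure team principal, that ownership guidance is worth keeping. In the Ipsilon section, "Edit the file ipsilon/info/infofas.py add the new role mapping following the examples below" is missing an "and" and a closing period.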
@ -85,8 +85,9 @@ aws_groups = {
|
|||
}
|
||||
....
|
||||
|
||||
Add your mapping to the dictionary as shown. Start a new build/rollout
|
||||
of the ipsilon project in openshift to make the changes live.
|
||||
Add your mapping to the dictionary as shown. Create a pull request against
|
||||
the ipsilon-fedora repo. When this is merged run the ipsilon playbook to take
|
||||
in the new changes.
|
||||
|
||||
=== User accounts
|
||||
|
||||
|
|
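Review bot: The closing instruction "When this is merged run the ipsilon playbook to take in the new changes" does not name the playbook, where it is run from, or who is allowed to run it, while the wording it sits beside was specific about a build/rollout in openshift. Name the playbook and the host or repo it lives in. Since an entry in aws_groups decides which group members can assume an AWS role, the pull request step should also say who has to review and approve the mapping before merge.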