update aws acess doc for saml role mappings

Signed-off-by: Mark O Brien <markobri@redhat.com>
2022-04-22 12:10:57 +01:00 · 2022-04-22 12:10:57 +01:00 · 508897bc70
commit 508897bc70
parent 24b185baab
1 changed files with 11 additions and 10 deletions
--- a/modules/sysadmin_guide/pages/aws-access.adoc
+++ b/modules/sysadmin_guide/pages/aws-access.adoc
@ -60,20 +60,20 @@ You'll need this in the mapping below.

 === Adding a group to FAS

-When finished, login to FAS and create a group to correspond to the new
+When finished, login to ipa and create a group to correspond to the new
 role. Use the prefix _aws-_ to denote new AWS roles in FAS. This makes
 them easier to locate in a search.

-It may be appropriate to set group ownership for _aws-_ groups to an
-Infrastructure team principal, and then add others as users or sponsors.
-This is especially worth considering for groups that have modify (full)
-access to an AWS resource.
+Add the relevant sponsors as appropriate to the group. If the group allows
+a high level of access it should be monitored to ensure it is not being
+misused.

 === Adding an IAM role mapping in Ipsilon

-Add the new role mapping for FAS group to Role ARN in the ansible git
-repo, under _roles/ipsilon/files/infofas.py_. Current mappings look like
-this:
+Clone the git repo available here: https://pagure.io/fedora-infra/ipsilon-fedora
+
+Edit the file ipsilon/info/infofas.py add the new role mapping following
+the examples below

 ....
 aws_groups = {
@ -85,8 +85,9 @@ aws_groups = {
 }
 ....

-Add your mapping to the dictionary as shown. Start a new build/rollout
-of the ipsilon project in openshift to make the changes live.
+Add your mapping to the dictionary as shown. Create a pull request against
+the ipsilon-fedora repo. When this is merged run the ipsilon playbook to take
+in the new changes.

 === User accounts