I'm looking for advice on automating IAM user management using Terraform in our development workflow. Right now, we have an issue where our process is mainly manual, causing delays and lack of tracking. Here's the current workflow: when a developer needs AWS access, they send a message via Slack to our IT team, which then takes 2-3 days to create an IAM user or add them to a group. This slows down deployments significantly, and there's no audit trail of approvals.
We've tried integrating AWS IAM Identity Center with our Okta setup, but that hasn't worked out smoothly. Additionally, we've looked into Just-In-Time (JIT) access tools, but the IT team prefers to maintain control. Building custom automation isn't feasible right now due to time constraints.
I'm curious about how others are handling IAM within their DevOps workflows. I'm in search of a solution that aligns with our preference for git-based approvals and is compatible with Terraform, while also being something the IT team would be willing to accept.
5 Answers
I think your barrier is more about process than technology. I agree, you should look into an Identity Governance and Administration (IGA) tool that handles access requests automatically. That would streamline user assignments without relying on Slack messages.
It sounds like you're having some integration hiccups with Okta and IAM Identity Center. Usually, Okta should work seamlessly with Identity Center for user and group synchronization using SCIM. Have you looked into what specific issues you're experiencing? That detail could really help narrow down possible solutions.
We use Okta without any issues with IAM Identity Center. Honestly, if you're still creating IAM users in 2023, you're missing out on the benefits of SSO. Have you considered using SAML for authenticating users? That way, you can manage higher privilege roles without bogging down IT.
I totally get where you're coming from. I'd recommend setting up a system where your Identity Provider dictates roles and groups automatically. If you can make these requests work through an 'Access Package' model, then the turnaround times could really improve, especially if approvers act quickly.
From what it sounds like, your trouble might be in the identity-to-role mappings. Why are you making IAM users at all? Automate role assignments through your Identity Provider with a well-configured federation setup, and your permissions flow should get significantly faster!
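The thread's consensus is to stop minting IAM users and instead drive group-to-account assignments from the identity provider, while the question still asks for git-based approvals and Terraform. One way to get both is to keep the access list itself in a reviewed file and let Terraform reconcile it against AWS IAM Identity Center. The following is an added example, not code from the asker or any of the answerers; the group names, account IDs, permission-set names, managed-policy choices and session durations are assumptions for illustration. It assumes Okta already provisions groups into Identity Center via SCIM, so Terraform only reads groups and owns the permission sets and assignments.

```hcl
# Added example: git-reviewed access map reconciled into AWS IAM Identity Center.
# All names, account IDs and policy choices below are assumed for illustration.

locals {
  # One entry per (Identity Center group, AWS account, permission set).
  # A developer requests access by adding an entry in a pull request; the
  # IT team approves the PR, and the merge plus apply is the audit trail.
  access_map = {
    "dev-platform-sandbox-admin" = {
      group          = "dev-platform"   # assumed Okta-synced group display name
      account_id     = "111111111111"   # assumed sandbox account
      permission_set = "SandboxAdmin"
    }
    "dev-platform-prod-readonly" = {
      group          = "dev-platform"
      account_id     = "222222222222"   # assumed production account
      permission_set = "ReadOnly"
    }
  }

  # Permission sets are defined once and referenced by name from access_map,
  # so a PR that grants access cannot also quietly widen the policy.
  permission_sets = {
    SandboxAdmin = {
      managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
      session_duration   = "PT4H"
    }
    ReadOnly = {
      managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
      session_duration   = "PT8H"
    }
  }
}

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Groups are owned by the Okta SCIM sync; Terraform only looks them up by
# display name, so a typo in access_map fails at plan time instead of
# silently creating a new, empty group.
data "aws_identitystore_group" "this" {
  for_each          = toset([for a in local.access_map : a.group])
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.value
    }
  }
}

resource "aws_ssoadmin_permission_set" "this" {
  for_each         = local.permission_sets
  name             = each.key
  instance_arn     = local.instance_arn
  session_duration = each.value.session_duration
}

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = local.permission_sets
  instance_arn       = local.instance_arn
  managed_policy_arn = each.value.managed_policy_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
}

# Each access_map entry becomes exactly one assignment. Deleting the entry
# in a later PR revokes the access on the next apply, which gives offboarding
# the same review trail as onboarding.
resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = local.access_map
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.permission_set].arn
  principal_id       = data.aws_identitystore_group.this[each.value.group].group_id
  principal_type     = "GROUP"
  target_id          = each.value.account_id
  target_type        = "AWS_ACCOUNT"
}
```

To make the IT team the gate rather than a bottleneck, put the file holding `access_map` under a CODEOWNERS rule that requires their review, and run `terraform plan` in CI on every pull request so reviewers see the exact assignments being added or removed before they approve. Because assignments target Identity Center groups rather than individual users, day-to-day membership changes stay in Okta and never require a Terraform run.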
