AWS IAM Roles, a tale of unnecessary complexity

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • terraform-cdk

    Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform

  • consoleme

    A Central Control Plane for AWS Permissions and Access

  • This is the way. I’ve seen this happen countless times. It’s happened to me too. It’s happened to colleagues.

    The worst case I’m aware of from first-hand knowledge was a large cluster of resources that got deployed for a product demo by a sales engineer and forgotten about. Turned into a nice ~$100,000 surprise in the quarterly budget.

    Netflix built a tool for managing IAM permission requests as an auditable workflow, called ConsoleMe: https://github.com/Netflix/consoleme

  • cerbos

    Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.

  • One potential solution: https://github.com/cerbos/cerbos. It's a standalone service (deployed alongside your app) which evaluates access decisions at runtime against contextual/arbitrary data on the principal and resources.

    In your case, your resource could be a "record" for more global yes/no decisions, or perhaps a "field" for more granular cases. Things like "can only get last 4 digits of phone number" could be achieved through attribute-based conditions set within the policies.

    > I really liked the policy approach of IAM so my plan was to let data owners define policies that are then applied to users, groups, and roles

    An advantage of Cerbos is that policies are defined and deployed separately from business logic in (yaml/json) config files, so no changes are required in code when policies need updating.

    > At run time our coordinator engine will check levels of access to each query

    Can't wrap my head around this particular part - is this checking if an entity can or cannot run a particular query, or specifically based on the "things" the query is returning?

    (as a disclaimer I should mention that I work there, although Cerbos itself is Apache 2 licensed and completely free to use)
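As an added example (not code from the original post, from Cerbos, or from the commenter above), here is a toy policy decision point in Python that mirrors the shape the comment describes: rules live in a config document separate from the application's code, every request is checked against attributes of the principal and the resource, and a rule can carry a field-level directive so that "support can only see the last 4 digits of the phone number" is expressed in policy rather than in query code. The policy JSON, the sample record and principals, and the function names check(), evaluate(), project() and read_record() are all constructed for this illustration; nothing here uses Cerbos's policy language or API.

```python
"""Toy attribute-based policy decision point (PDP).

Added illustration for this page, not code from Cerbos or from the commenter:
rules live in a config document (JSON here) separate from business logic, and
the app asks one function, check(), whether a principal may perform an action
on a resource, with optional per-field masking of the response. Policy,
principals, records and all function names are constructed for the example.
"""
import json
import re
from typing import NamedTuple

# Constructed sample policy for a "record" resource. Order matters only for
# which allow rule's field masks win; any matching deny rule beats every allow.
POLICY_JSON = r'''
{
  "resource": "record",
  "rules": [
    {"actions": ["read", "update"], "roles": ["owner"], "effect": "allow",
     "condition": "resource.owner_id == principal.id"},
    {"actions": ["read"], "roles": ["support"], "effect": "allow",
     "condition": "resource.region in principal.regions",
     "fields": {"phone": "last4"}},
    {"actions": ["read"], "roles": ["auditor"], "effect": "allow"},
    {"actions": ["update"], "roles": ["support"], "effect": "deny"}
  ]
}
'''
POLICY = json.loads(POLICY_JSON)

# Conditions use a deliberately tiny grammar, "<operand> <op> <operand>",
# parsed with a regex instead of eval(): a policy file is data and must never
# be able to run code inside the PDP.
_COND = re.compile(r'^\s*(\S+)\s+(==|!=|in)\s+(\S+)\s*$')


class Decision(NamedTuple):
    allowed: bool
    masks: dict  # field name -> masker name, applied to the response


def _operand(token, principal, resource):
    """Resolve an operand: a "quoted" literal, principal.<attr> or resource.<attr>."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    scope, _, key = token.partition(".")
    if scope == "principal":
        return principal.get(key)
    if scope == "resource":
        return resource.get(key)
    raise ValueError(f"unknown operand in condition: {token!r}")


def evaluate(condition, principal, resource):
    """Evaluate one condition string; a missing attribute fails closed."""
    m = _COND.match(condition)
    if not m:
        raise ValueError(f"malformed condition: {condition!r}")
    lhs, op, rhs = m.groups()
    left = _operand(lhs, principal, resource)
    right = _operand(rhs, principal, resource)
    if op == "==":
        return left is not None and left == right
    if op == "!=":
        return left is not None and left != right
    # "in": membership in a list-valued attribute only, never substring tests.
    return left is not None and isinstance(right, (list, tuple, set)) and left in right


def check(policy, principal, resource, action):
    """Deny by default: a matching deny rule beats every allow, and the first
    matching allow rule decides which response fields are masked."""
    allow = None
    for rule in policy["rules"]:
        if action not in rule["actions"]:
            continue
        if not set(rule["roles"]) & set(principal.get("roles", [])):
            continue
        cond = rule.get("condition")
        if cond and not evaluate(cond, principal, resource):
            continue
        if rule["effect"] == "deny":
            return Decision(False, {})
        if allow is None:
            allow = Decision(True, dict(rule.get("fields", {})))
    return allow or Decision(False, {})


MASKERS = {
    "last4": lambda v: "*" * max(len(v) - 4, 0) + v[-4:],
}


def project(record, masks):
    """Copy of the record with each masked field transformed per the decision."""
    return {k: MASKERS[masks[k]](v) if k in masks else v for k, v in record.items()}


def read_record(policy, principal, record):
    """The call an app's query layer makes: the (possibly masked) record, or None."""
    decision = check(policy, principal, record, "read")
    return project(record, decision.masks) if decision.allowed else None


# Constructed sample data.
RECORD = {"id": "r1", "owner_id": "u1", "region": "eu", "phone": "+15555550123"}
OWNER = {"id": "u1", "roles": ["owner"]}
SUPPORT_EU = {"id": "u2", "roles": ["support"], "regions": ["eu", "uk"]}
SUPPORT_US = {"id": "u3", "roles": ["support"], "regions": ["us"]}
AUDITOR = {"id": "u4", "roles": ["auditor"]}

if __name__ == "__main__":
    for who in (OWNER, SUPPORT_EU, SUPPORT_US, AUDITOR):
        print(who["id"], "read   ->", read_record(POLICY, who, RECORD))
        print(who["id"], "update ->", check(POLICY, who, RECORD, "update").allowed)
```

Three choices in the toy are the ones that matter when doing this for real: the default is deny, an explicit deny wins over any allow, and the condition language is parsed rather than handed to eval(), so a compromised or mistyped policy file can restrict access but cannot execute anything in the service that evaluates it. Changing who may see a full phone number means editing the JSON, not the query code.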
