Skip to content

Duckbill Group client onboarding tooling.

Notifications You must be signed in to change notification settings

DuckbillGroup/onboarding

Repository files navigation

AWS CLI Role Creation

This repo contains tooling to create AWS IAM roles and policies that Duckbill Group will use to access your AWS accounts. We use role assumption rather than dedicated IAM users, and the scripts and templates here will enable you to create those resources in your AWS account.

Our IAM role should ideally be set up in every AWS account you have. If that’s not feasible, then please apply it to your master payer account and your largest (by spend) accounts. (Exception: the SkywayRole role only needs to be set up in your payer account.)

More details about how we access client accounts, and the details of our internal operations with such, can be found in our writeup about overhauling AWS access in 2023.

Prerequisites

You'll need the AWS CLI installed and configured for your target AWS account. Your AWS user will need to have privileges to create IAM roles and policies in your target account.

Creating Resources

From this directory, create the IAM role and policies via our role creation script:

$ make create

The script will prompt you for a couple of required parameters:

Customer Name Slug: This is a short, lower-case slug that identifies your company, e.g. acme-corp. Duckbill Group provided this to you in the Client Onboarding Guide.

External ID: The External ID used when Duckbill assumes the role. Duckbill Group provided this to you in the Client Onboarding Guide.

Deleting Resources

After we've completed our engagement, you can delete our IAM role and policy resources from your AWS account:

$ make delete

Note that this won't automatically delete the Data Export we're creating, since you may end up using it yourself.

If you prefer or need to use the AWS console, you can delete the resources manually.

Deleting Resources Manually

Log into the AWS console,

  • navigate to IAM > Policies and delete: DuckbillGroupBilling, SkywayAccess, DuckbillGroupResourceDiscovery, DuckbillGroupDenySensitiveAccess
  • navigate to IAM > Roles and delete DuckbillGroupRole and SkywayRole
  • navigate to Data Exports and delete the export skyway-export

What this code does

  • Creates two roles titled DuckbillGroupRole and SkywayRole
  • Creates custom policies: DuckbillGroupBilling, DuckbillGroupResourceDiscovery, DuckbillGroupDenySensitiveAccess, SkywayAccess
  • Attaches the policies prefixed with DuckbillGroup to the DuckbillGroupRole role, along with the AWS-managed policy ViewOnlyAccess
  • Attaches the policy SkywayAccess to the SkywayRole role
  • Creates a Data Export in the payer account called skyway-export

Access diagram

Policy: DuckbillGroupBilling and SkywayAccess

This policies defines access related to AWS billing actions. Everything is read-only.

Policy: DuckbillGroupResourceDiscovery

This policy is an extension of the AWS-managed policy ViewOnlyAccess and defines more view-only actions that weren't included in the AWS-managed policy.

Policy: DuckbillGroupDenySensitiveAccess

This policy adds explicit denials for certain actions that are read-only but may be considered sensitive, such as s3:GetObject. This is a fork of the work done by Chris Farris to enumerate sensitive read-only actions in AWS.

Developer Information

We lint our shell scripts with shellcheck and JSON with python -m json.tool, which runs in CI on every PR. If you have shellcheck and python installed locally, you can run the linter:

$ make lint

About

Duckbill Group client onboarding tooling.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published