Request to Enable Single Sign On on AWS Accounts - SRE Accounts (~25)
Categories
(Infrastructure & Operations :: SRE, task)
Tracking
(Not tracked)
People
(Reporter: schu, Assigned: limed)
References
Details
AWS project to standardize accounts and enable Mozilla Single Sign On (SSO)
The instructions can be found here: https://mana.mozilla.org/wiki/display/SECURITY/AWS+Federated+Login+Account+Setup
For the following accounts:
058419420086
095732026120
177680776199
178589013767
222455217982
246013728370
324161760293
329567179436
333683252453
359555865025
412902012385
503205249670
517826968395
558986605633
589768463761
598097830519
633020870034
645554471334
723362035877
921547910285
Update 4/20 - We need to account for these accounts as well:
783633885093 - itsre-apps
903937621340 - mozilla-subhub
After discussion with Ed and Tristan, the SE team will do the following accounts by the end of 7/31 (Steps 1-3 from the Mana instructions), and clean-up and close-out of accounts will occur by 8/31.
058419420086
095732026120
177680776199
178589013767
222455217982
246013728370
324161760293
329567179436
333683252453
359555865025
412902012385
517826968395
558986605633
589768463761
598097830519
633020870034
723362035877
921547910285
342958218804
369987351092
511311476423
884003976652
644164654150
783633885093
903937621340
Comment 2•4 years ago
Account 329567179436
- Cleanup tasks completed
- Custom Auth0 rules for SAML integration removed
- Auth0 client/app XA2fOQITX6rGNHy8DI3KuuRdccaKwsM6 (AWS Consolidated Billing - Temporary Admin) deleted
- Auth0 client/app koX1ze40wpoUovVV3RA7K79uTlxpbZFp (AWS Consolidated Billing - Read Only) deleted
Comment 3•4 years ago
Hey Ed, it looks like the following account has a user in it but it has been marked as "Cleaned Out" "Done" in the spreadsheet. I'll delete the "Done" from the spreadsheet. Would you work with the teams to get this user removed?
- 324161760293
  - devadmin
Comment 4•4 years ago
(In reply to Gene Wood [:gene] from comment #3)
> Hey Ed, it looks like the following account has a user in it but it has been marked as "Cleaned Out" "Done" in the spreadsheet. I'll delete the "Done" from the spreadsheet. Would you work with the teams to get this user removed?
> - 324161760293
>   - devadmin
The user is now deleted
Comment 5•4 years ago
Would you tear down the SAML SSO integration in 329567179436 Consolidated Billing?
This includes:
- deleting the IAM identity providers
- deleting the Auth0 clients (jabba can help)
- deleting the IAM roles that have trust policies that use those identity providers
- deleting the SSO dashboard records
Comment 6•4 years ago
(In reply to Gene Wood [:gene] from comment #5)
> Would you tear down the SAML SSO integration in 329567179436 Consolidated Billing?
> This includes:
> - deleting the IAM identity providers

Odd, terraform should have done this for me, but I think the state was in a messy place so I removed this manually.

> - deleting the Auth0 clients (jabba can help)

Will reach out to jabba for this.

> - deleting the IAM roles that have trust policies that use those identity providers

This is also done.

I have a PR https://github.com/mozilla-iam/sso-dashboard-configuration/pull/381/files waiting for merge.
Comment 7•4 years ago
> Will reach out to jabba for this.

Can you share the ticket that this is being tracked in (the removal of the client ids)?
- LQYqFky3PtgLBRanO6bQjMTjEgQgTv5L
- XA2fOQITX6rGNHy8DI3KuuRdccaKwsM6
- koX1ze40wpoUovVV3RA7K79uTlxpbZFp

> I have a PR https://github.com/mozilla-iam/sso-dashboard-configuration/pull/381/files waiting for merge.

I've merged it.
Comment 8•4 years ago
(In reply to Gene Wood [:gene] from comment #7)
> > Will reach out to jabba for this.
> Can you share the ticket that this is being tracked in (the removal of the client ids)?
> LQYqFky3PtgLBRanO6bQjMTjEgQgTv5L XA2fOQITX6rGNHy8DI3KuuRdccaKwsM6 koX1ze40wpoUovVV3RA7K79uTlxpbZFp

Talked to :jabba; he said that it was already deleted and there aren't any of those client_ids listed on Auth0.
Comment 9•4 years ago
Excellent, thank you.
Ed, can the elim IAM user and the arn:aws:iam::329567179436:role/itsre/AdminRole and arn:aws:iam::329567179436:role/itsre/ReadOnlyRole roles be removed from the Consolidated Billing 329567179436 AWS Account?
Comment 10•4 years ago
(In reply to Gene Wood [:gene] from comment #9)
> Excellent, thank you.
> Ed, can the elim IAM user and the arn:aws:iam::329567179436:role/itsre/AdminRole and arn:aws:iam::329567179436:role/itsre/ReadOnlyRole roles be removed from the Consolidated Billing 329567179436 AWS Account?

This is done, completed in https://github.com/mozilla-it/moz-consolidated-billing/pull/15 (not sure if you can see that PR since it's a private repo).
Comment 11•4 years ago
My bad for resolving
Comment 12•4 years ago
Here are the IAM users that still need to be deleted:
- 095732026120
  - akatsoulas
- 177680776199
  - adelbarrio
  - afrank
  - elim
  - sidler
- 342958218804
  - mbalfanz
- 558986605633
  - bpeiris
  - gfodor
  - jmarinacci
  - jshaughnessy
  - klee
  - larsberg
  - netpro2k
  - plamb
  - rlong
  - rwilson
- 644164654150
  - tdaede
- 783633885093
  - afrank-dev
- 884003976652
  - andrenatal
  - dbryant
  - mrstegeman

Ed, could you delete these users (assuming they've cut over to using SSO)?
Comment 13•4 years ago
The following were deleted:
- 095732026120
  - akatsoulas
- 177680776199
  - adelbarrio
  - afrank
  - elim
  - sidler
- 342958218804
  - mbalfanz
- 644164654150
  - tdaede
- 884003976652
  - andrenatal
  - dbryant
- 783633885093
  - afrank-dev
- 558986605633
  - gfodor
  - larsberg
  - plamb
  - rwilson
  - jmarinacci
  - jshaughnessy
  - bpeiris

That leaves the following users, which I am keeping around to make sure their keys are not used in some sort of automation. I'll chase the people down for this:
- 558986605633
  - klee
  - netpro2k
  - rlong
- 884003976652
  - mrstegeman

For account 558986605633, the account netpro2k looks like a service account and shouldn't be on the list.
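As an added example (not from this bug or from Mozilla's own tooling), a small Python check for the two audit steps discussed in this thread: listing the roles whose trust policy references a given SAML identity provider (the teardown step from comment 5) and holding back IAM users whose access keys were used recently, which is the automation concern raised in comment 13. The data is constructed in the shape boto3's get_role() and get_access_key_last_used() return; the provider ARN, account id, user names and dates are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like boto3 iam.get_role() / get_access_key_last_used()
# output; the provider ARN and account id are placeholders, not values from this bug.
PROVIDER = "arn:aws:iam::111111111111:saml-provider/auth0-example"
NOW = datetime(2020, 9, 16, tzinfo=timezone.utc)

ROLES = [
    {"RoleName": "AdminRole", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Federated": PROVIDER},
         "Action": "sts:AssumeRoleWithSAML"}]}},
    {"RoleName": "ReadOnlyRole", "AssumeRolePolicyDocument": {"Statement":
        {"Effect": "Allow", "Principal": {"Federated": [PROVIDER]},
         "Action": "sts:AssumeRoleWithSAML"}}},
    {"RoleName": "ec2-app", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}},
]
# "LastUsed" stands in for AccessKeyLastUsed.get("LastUsedDate"); None = never used.
USERS = [
    {"UserName": "alice", "Keys": []},                                    # console only
    {"UserName": "bob", "Keys": [{"LastUsed": None}]},                    # key never used
    {"UserName": "ci", "Keys": [{"LastUsed": NOW - timedelta(days=1)}]},   # used daily
    {"UserName": "carol", "Keys": [{"LastUsed": NOW - timedelta(days=200)}]},
]

def roles_trusting(roles, provider_arn):
    """Names of roles whose trust policy lets provider_arn assume them."""
    found = []
    for role in roles:
        stmts = role["AssumeRolePolicyDocument"]["Statement"]
        for s in stmts if isinstance(stmts, list) else [stmts]:  # dict or list
            principal = s.get("Principal")
            fed = principal.get("Federated", []) if isinstance(principal, dict) else []
            fed = [fed] if isinstance(fed, str) else fed  # single ARN or list of ARNs
            if s.get("Effect") == "Allow" and provider_arn in fed:
                found.append(role["RoleName"])
                break
    return found

def classify_users(users, now, idle_days=90):
    """Split users into safe-to-delete and hold (a key was used within idle_days)."""
    safe, hold = [], []
    for u in users:
        active = [k for k in u["Keys"]
                  if k["LastUsed"] and now - k["LastUsed"] < timedelta(days=idle_days)]
        (hold if active else safe).append(u["UserName"])
    return safe, hold
```

Users on the hold list are the ones to chase down before deletion, since a recently used key may back a CI job or other automation.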
Comment 14•4 years ago
> The following were deleted

Excellent, thank you.

> For account 558986605633, the account netpro2k looks like a service account and shouldn't be on the list.

netpro2k is actually the nick for Dominick D'Aniello. I know I was also confused by it.

> That leaves the following users, which I am keeping around to make sure their keys are not used in some sort of automation. I'll chase the people down for this.

Thank you. When should I check back, 9/9/2020?
Comment 15•4 years ago
(In reply to Gene Wood [:gene] from comment #14)
> > The following were deleted
> Excellent, thank you.
> > For account 558986605633, the account netpro2k looks like a service account and shouldn't be on the list.
> netpro2k is actually the nick for Dominick D'Aniello. I know I was also confused by it.

I'll chase this one down.

> > That leaves the following users, which I am keeping around to make sure their keys are not used in some sort of automation. I'll chase the people down for this.
> Thank you. When should I check back, 9/9/2020?

Since this is a short week, check back mid-week, 9/16/2020 perhaps?
Comment 17•4 years ago
> That leaves the following users, which I am keeping around to make sure their keys are not used in some sort of automation. I'll chase the people down for this:
> - 558986605633
>   - klee
>   - netpro2k
>   - rlong
> - 884003976652
>   - mrstegeman

Ed, you'd asked me to check back 9/16/2020. Are these IAM users now deleted?
Comment 18•4 years ago
I met with Ed today.

558986605633
Ed will try to delete users by tomorrow. I will meet with him again tomorrow to get an update.

884003976652
I wrote to David Bryant and Mike Stegeman:

> Ya, this is the last IAM user and last AWS account we need to cut over to SSO, so I'd prefer to finish it now instead of in 4 months. I'm also happy to do whatever work is needed to make it happen.
> I've created this Mozillians group https://mozillians.org/en-US/group/project-link-aws-admin/ and sent invites to both of you.
> Mike, it looks like you have this mozillians account: https://mozillians.org/en-US/u/mstegeman/ though it's bound to your @mozilla.com email address. Can you access it? If not, I can get your personal email ( michael@stegeman.me ) added if you like. Let me know if that sounds ok.
> David, once you accept that group invite in your email you should be in.
> Mike, would you be able to create an IAM user with an API key that's dedicated to CI (and doesn't have admin rights) to be used by the https://github.com/mozilla-iot/addon-list , https://github.com/mozilla-iot/addon-builder CI integrations? If you'd like, I can help set those up or we can zoom and knock it out pretty quickly.
> Ed, would you create the IAM Role to use the new mozillians group "mozilliansorg_project-link-aws-admin"?

Here are the previous communications:

> Hi Ed,
> I do not have a Mozillians account... How soon are you looking to shut down the local IAM accounts? It seems like I'll only need access through the end of the year, and probably less than that in reality.
> The access keys are primarily used by these two repositories, via GitHub CI:
> https://github.com/mozilla-iot/addon-list https://github.com/mozilla-iot/addon-builder
> I don't believe there is anything else actively using them, and really, I've been wanting to move away from S3 for those jobs anyway, so automated access would then cease.
> -Michael
>
> From: Ed Lim
> To: Michael Stegeman
> Cc: David Bryant
> Subject: Re: Project-link AWS account
> Date: Mon, 14 Sep 2020 15:56:29 -0700
>
> Hi Michael,
> We're trying to get away from using local IAM accounts as a login. Do you have a mozillians account? If not, you should try to create one; we can grant access to the AWS account using SSO through mozillians, so if you have one you should go ahead and create one. I noticed that there are access keys on your account that are also used daily. Is that for automation purposes that you run daily or something? If so, we should convert that to something like a service account that is not associated with your IAM user and will also potentially have more scoped permissions vs just administrator access for now. Do you mind telling me where this CI job is run in github? I would be happy to create a service account for you, thanks.
Comment 19•4 years ago
Users in the 558986605633 account have been deleted, so the "mixed-reality" account is considered done.
All that remains is 884003976652, and as of comment 18 we are working through the problem to get the last remaining user access.
Comment 20•4 years ago
I worked with the two users in AWS account 884003976652 last week, got them set up on SSO and had the one AWS IAM user removed.
884003976652 is now done.
Thanks for all the help with this, Ed.