Closed Bug 1627820 Opened 4 years ago Closed 4 years ago

Request to Enable Single Sign On on AWS Accounts- Participation Systems Infra - 484535289196

Component: Community Building :: Systems and Data
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: schu
Assignee: tasos

Hi,

We're reaching out to Mozillians who are responsible for AWS accounts in an effort to standardize the authentication methods used for all of Mozilla's AWS accounts.

By standardizing your account and enabling Mozilla Single Sign On (SSO), you'll be able to use your existing Mozilla SSO web browser session to access AWS (no more typing your AWS password or AWS MFA token needed) and avoid storing static AWS API keys on your laptop. We will improve our ability to de-provision users when an employee leaves, gain enhanced visibility and auditability if your AWS account is compromised, reduce risk of exposure of AWS API keys and avoid manual processes.

We've created a set of instructions for AWS account owner(s) to enable federated AWS login with Single Sign On in your AWS account. The instructions can be found here. We'd like this to be completed within 2 weeks (4/20/20).

After enabling Single Sign On in your AWS account, you'll be able to access your account via the AWS Web Console, the CLI or in code using these instructions.

Once your team has used AWS with Single Sign On for a few weeks, you'll be ready to remove the existing IAM users of the Mozillians that use your AWS account. We will likely follow up with you in this ticket about the removal of those IAM users when the time comes.

If, in the process of enabling Single Sign On in your AWS account, you encounter any problems or have any questions, feel free to ask them here in this bug.

If you'd like to learn more about this project, more detail about the tech, and more ways you can implement this single sign on system, you can find that on this page.

Blocks: 1626082
Flags: needinfo?(jgiannelos)

John, would you be able to help, or direct this to whoever may be able to support?

Flags: needinfo?(tasos)

Hi Sarah, I will try to apply these changes by the end of this week. Hope this is OK?

Flags: needinfo?(tasos)

Hi Tasos, that works. Thanks!

Hi Tasos, were you able to apply the changes? Any questions?

Hi Sarah, apologies for the delay. This has been rolled out and I can successfully log in using SSO. I will clean up the old accounts in a week.

Assignee: nobody → tasos
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jgiannelos)
Resolution: --- → FIXED

Appreciate you working on this. Let's keep this bug open for now until the cleanup of the accounts occurs. Over the next 30 days, we would expect there to be no cases of your team logging into the web console or interacting with the AWS API using their old IAM user API keys. We'll check back in 30 days for the account cleanup. Step 4 in the link shows the instructions for deleting and disabling user roles: https://mana.mozilla.org/wiki/display/SECURITY/AWS+Federated+Login+Account+Setup#AWSFederatedLoginAccountSetup-Step4of4:Disablinganddeletinguserroles

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

:tasos,
Would you delete the limed IAM user as well?

Flags: needinfo?(tasos)

All the IAM users are deleted in the account. Only IAM users used by applications are left. Please let me know if there is anything that should be done for this account.

Flags: needinfo?(tasos)
Status: REOPENED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
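The two checks the thread relies on, the 30-day window with no console login or API call via old IAM user keys (comment above about Step 4), and the split between human IAM users that get deleted and application IAM users that stay (the last status update), can both be read from the account's own IAM metadata. The script below is an added example and is not part of this ticket or of the Mozilla setup instructions. It assumes boto3 is installed and that credentials for the account being audited are available for the live run; the users in sample_users are constructed for illustration, and the action names ("delete", "keep-app", "investigate") are this example's own.

```python
"""Pre-deletion audit of IAM users after an AWS account moves to federated SSO login."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

QUIET_DAYS = 30  # the window the ticket asks for: no console login or API call


@dataclass
class AccessKey:
    key_id: str
    status: str                    # "Active" or "Inactive", as IAM reports it (informational)
    last_used: Optional[datetime]  # None when the key has never been used


@dataclass
class IamUser:
    name: str
    has_console_password: bool              # True when an IAM login profile exists
    password_last_used: Optional[datetime]  # None when the user never logged in
    access_keys: list[AccessKey] = field(default_factory=list)


def last_activity(user: IamUser) -> Optional[datetime]:
    """Most recent console login or key use across all credentials; None if never used."""
    stamps = [k.last_used for k in user.access_keys if k.last_used is not None]
    if user.password_last_used is not None:
        stamps.append(user.password_last_used)
    return max(stamps) if stamps else None


def classify(user: IamUser, now: datetime, quiet_days: int = QUIET_DAYS) -> str:
    """
    "delete"      : nothing used within quiet_days, so the user can go (Step 4 of the guide)
    "keep-app"    : no console password but a key is still in use -> application user
    "investigate" : console-capable user still active -> someone has not moved to SSO
    """
    recent = last_activity(user)
    if recent is None or recent < now - timedelta(days=quiet_days):
        return "delete"
    if not user.has_console_password:
        return "keep-app"
    return "investigate"


def audit(users: list[IamUser], now: datetime) -> dict[str, list[str]]:
    """Group user names by the action classify() recommends."""
    report: dict[str, list[str]] = {"delete": [], "keep-app": [], "investigate": []}
    for user in users:
        report[classify(user, now)].append(user.name)
    return report


def fetch_users(iam) -> list[IamUser]:
    """Build IamUser records from a live account using a boto3 IAM client (assumed)."""
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            try:
                iam.get_login_profile(UserName=u["UserName"])
                has_password = True
            except iam.exceptions.NoSuchEntityException:
                has_password = False  # no console password: key-only (application) user
            keys = []
            for k in iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]:
                used = iam.get_access_key_last_used(AccessKeyId=k["AccessKeyId"])
                keys.append(AccessKey(k["AccessKeyId"], k["Status"],
                                      used["AccessKeyLastUsed"].get("LastUsedDate")))
            users.append(IamUser(u["UserName"], has_password,
                                 u.get("PasswordLastUsed"), keys))
    return users


def sample_users(now: datetime) -> list[IamUser]:
    """Constructed sample data (not from the ticket) covering each outcome."""
    d = timedelta
    return [
        IamUser("alice", True, now - d(days=45),
                [AccessKey("AKIAEXAMPLEALICE", "Active", now - d(days=60))]),
        IamUser("bob", True, now - d(days=3), []),
        IamUser("deploy-bot", False, None,
                [AccessKey("AKIAEXAMPLEDEPLOY", "Active", now - d(hours=2))]),
        IamUser("never-used", False, None,
                [AccessKey("AKIAEXAMPLENEVER", "Inactive", None)]),
    ]


def demo_report(now: Optional[datetime] = None) -> dict[str, list[str]]:
    """Run the audit over the constructed sample so the logic can be checked offline."""
    now = now or datetime.now(timezone.utc)
    return audit(sample_users(now), now)


if __name__ == "__main__":
    print("sample:", demo_report())
    import boto3  # live run: needs credentials for the account being audited
    print("live:", audit(fetch_users(boto3.client("iam")), datetime.now(timezone.utc)))
```

The classification is deliberately conservative: a user lands in "delete" only when no credential at all has been used inside the window, and a user who still has a console password but recent activity is reported for follow-up rather than removed, since that is exactly the case the 30-day check is meant to surface.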

Thanks Tasos!

See Also: → 1525717