Closed Bug 1633067 Opened 5 years ago Closed 5 years ago

Request to Enable Single Sign On on AWS Accounts- Engineering Productivity - 8600 and Account ID: 423163539776

Categories

(Testing :: General, task)

Version 3
task

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: schu, Assigned: ahal)

Attachments

(1 file)

Hi,

We're reaching out to Mozillians who are responsible for AWS accounts in an effort to standardize the authentication methods used for all of Mozilla's AWS accounts.

By standardizing your account and enabling Mozilla Single Sign On (SSO), you'll be able to use your existing Mozilla SSO web browser session to access AWS (no more typing your AWS password or AWS MFA token needed) and avoid storing static AWS API keys on your laptop. We will improve our ability to deprovision users when an employee leaves, gain enhanced visibility and auditability if your AWS account is compromised, reduce risk of exposure of AWS API keys and avoid manual processes.

We've created a set of instructions for AWS account owner(s) to enable federated AWS login with Single Sign On in your AWS account. The instructions can be found here. We'd like this to be completed within 2 weeks (5/8/20).

After enabling Single Sign on in your AWS account, you'll be able to access your account via the AWS Web Console, the CLI or in code using these instructions.

Once your team has used AWS with Single Sign On for a few weeks, you'll be ready to remove the existing IAM users of the Mozillians that use your AWS account. We will likely follow up with you in this ticket about the removal of those IAM users when the time comes.

If, in the process of enabling Single Sign On in your AWS account, you encounter any problems or have any questions, feel free to ask them here in this bug.

If you'd like to learn more about this project, more detail about the tech and more ways you can implement this single sign on system you can find that on this page.

Flags: needinfo?(glob)
Blocks: 1626082

Kyle,

Since this AWS account is running 100% ActiveData now, are you up to doing this work?

Flags: needinfo?(glob) → needinfo?(klahnakoski)
Assignee: nobody → klahnakoski
Flags: needinfo?(klahnakoski)

This will be wonderful! I will start shortly

Hi Kyle - Let us know if you have any questions.

Sarah Chu - Sorry for the delay. Just wishing for hours in the day. Hopefully I start today so I can still ask questions.

I am stuck at "Test your new setup" in https://mana.mozilla.org/wiki/display/SECURITY/AWS+Federated+Login+Account+Setup

Flags: needinfo?(schu)
Flags: needinfo?(schu) → needinfo?(april)
Attached image sso login result

Going to https://aws.sso.mozilla.com/ I get "Please select a role:" with no options

What does https://sso.mozilla.com/info show for your user groups?

Flags: needinfo?(april)
"groups": [
  "mozilliansorg_heroku-members", 
  "mozilliansorg_cia-aws"
]

I will attempt step two with mozilliansorg_cia-aws. How can I remove the other group?

Flags: needinfo?(april)

Attempted, and failed:

Stack [FederatedIAMRoles] already exists

I think the other must be deleted first

You need to delete a Mozillians group, is that correct?

Flags: needinfo?(april)

I do not believe I need to delete the Mozillians group, rather I think the FederatedIAMRoles stack must be deleted: Step 3 says "Click this link to launch the "Quick create stack" UI to deploy the roles." Now I need the instructions to undo whatever that did. I hope that undoing that step will allow me to create a new stack with the correct Mozillians group ID.

Flags: needinfo?(april)

To fully remove them, you need to remove:

  • CloudFormation:
    • FederatedIAMRoles
  • IAM
    • Roles
      • MAWS-Admin
      • MAWS-ViewOnly
      • MAWS-ReadOnly

That said, you should be able to edit the groups inside the IAM roles. Simply go to the Role and choose Trust relationships --> Edit trust relationship.

Lemme know if that doesn't work for you at all. Thanks!

Flags: needinfo?(april)

Hi Kyle, were you able to give it a try? Did it work out?

Kyle and I met up today and he got the IAM roles deployed.

Yes, I worked with gene to get the account to use SSO. I am leaving this open until I also get a Role connected with another mozillians group

Great to hear that Kyle. After you get that Role connected, we want to make sure that the team is going through the SSO route vs logging into the web console or interacting with the AWS API using their old IAM user API keys. I'll check back in around 30 days.

We've added Step 4 for how to delete and disable user roles here: https://mana.mozilla.org/wiki/display/SECURITY/AWS+Federated+Login+Account+Setup#AWSFederatedLoginAccountSetup-Step4of4:Disablinganddeletinguserroles

Thanks

Hey Kyle, were you able to get the role connected?

Flags: needinfo?(klahnakoski)

Andrew, Greg,
Could you help with this? We're trying to find out what additional IAM Role and mozillians group Kyle was working on last month. Do you know what remains to be done to ensure the folks that need access to this AWS account get it?

If you're short on context let me know (ping in slack and we can zoom for a few minutes).

Flags: needinfo?(gmierz2)
Flags: needinfo?(ahal)

Kyle was PTO the last little while and just got back, I've just pinged him to check this bug out, he should be able to answer this a lot better than Greg or myself.

Flags: needinfo?(gmierz2)
Flags: needinfo?(ahal)

I am able to connect using https://aws.sso.mozilla.com/ I was able to perform some standard operations while using it.

I will check with ahal and gmierz to ensure they can connect too.

Were your colleagues able to connect successfully?

I was able to connect, I won't speak for gmierz. Thanks!

Yes, we can all connect. There is nothing left to do here.

Flags: needinfo?(klahnakoski)

:kyle,
Glad to hear! Would you go through and delete the IAM users and let me know when it's done or if you encounter problems?

Flags: needinfo?(klahnakoski)

There are a number of IAM users that are using application keys to access their accounts. I can not delete those users.

I can disable console access for everyone so that MAWS is the only way to get to the console:

  • I did this for sparky, ahal, and myself.
  • I have an email out to three others to confirm they no longer require the console.

Hi Kyle, I sent you an invite for next week to have a quick chat.

Greg,
Could you take over completing this for Kyle? Here's what remains to be done:

  1. Confirm that both you and :ahal are able to access the Engineering Productivity (423163539776) AWS account by browsing to https://aws.sso.mozilla.com/
  2. Confirm that indeed the users that should have access to this AWS account are you and :ahal and not Bob Clary, ckolos and glob. If bc, ckolos or glob are supposed to have access to the account, please have :ahal add them to the https://mozillians.org/en-CA/group/cia-aws/ mozillians group
  3. Confirm that if either you or :ahal access AWS using either the awscli tool or any AWS SDKs that you have installed the Mozilla AWS CLI tool and confirmed that it works for you
  4. Disable and then delete the existing AWS IAM Users which would include
    • :ahal's user ahal which hasn't been used in the past year
    • Bob Clary's bc user which hasn't been used in years
    • ckolos's ckolos user which was last used 3 months ago
    • Fubar's fubar user
    • glob's glob user which he hasn't used in 9 months
    • glob's glob-dev and glob-dev-ses, neither of which have a password or active API key (they're disabled)
    • Kyle's kyle user
    • Your sparky user

If you have questions or encounter challenges with any of these steps needinfo me and I can help.

Note : The Mozillians group that Kyle setup to govern access to AWS is https://mozillians.org/en-CA/group/cia-aws/

Assignee: klahnakoski → gmierz2
Flags: needinfo?(klahnakoski) → needinfo?(gmierz2)
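An added example (not from the bug and not Mozilla's tooling) for the "disable and then delete" step above: it triages each IAM user the way the thread does, flagging users whose active API keys are still in use for review rather than deletion, and producing the disable-then-delete steps for the rest. It assumes boto3 for the live fetch and a 90-day staleness window; the sample user records are constructed.

```python
# Added example, not Mozilla's tooling; assumes boto3 (live fetch only) and a 90-day staleness window.
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)

def plan_user_cleanup(users, now):
    """Return {user_name: [ordered actions]} for records shaped like
    {"UserName", "HasLoginProfile": bool, "AccessKeys": [{"AccessKeyId",
    "Status", "LastUsedDate": datetime or None}]}. A recently used active key
    may back a script: flag for review instead of disabling and deleting."""
    plan = {}
    for u in users:
        active = [k for k in u["AccessKeys"] if k["Status"] == "Active"]
        live = [k["AccessKeyId"] for k in active
                if k["LastUsedDate"] and now - k["LastUsedDate"] < STALE_AFTER]
        if live:
            plan[u["UserName"]] = ["review_key_usage:" + ",".join(live)]
        else:
            steps = ["delete_login_profile"] if u["HasLoginProfile"] else []
            steps += ["deactivate_key:" + k["AccessKeyId"] for k in active]
            plan[u["UserName"]] = steps + ["delete_user"]  # after groups, MFA, policies
    return plan

def fetch_users(iam):
    """Build those records from a boto3 IAM client (live account only)."""
    users = []
    for u in iam.get_paginator("list_users").paginate().build_full_result()["Users"]:
        try:
            iam.get_login_profile(UserName=u["UserName"])
            has_pw = True
        except iam.exceptions.NoSuchEntityException:
            has_pw = False
        keys = []
        for k in iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]:
            last = iam.get_access_key_last_used(AccessKeyId=k["AccessKeyId"])
            keys.append({"AccessKeyId": k["AccessKeyId"], "Status": k["Status"],
                         "LastUsedDate": last["AccessKeyLastUsed"].get("LastUsedDate")})
        users.append({"UserName": u["UserName"], "HasLoginProfile": has_pw, "AccessKeys": keys})
    return users

# Constructed sample records (not real users) in the shape fetch_users builds.
SAMPLE_NOW = datetime(2020, 8, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"UserName": "scripted", "HasLoginProfile": False, "AccessKeys": [
        {"AccessKeyId": "AKIAEXAMPLE1", "Status": "Active", "LastUsedDate": SAMPLE_NOW - timedelta(days=2)}]},
    {"UserName": "console", "HasLoginProfile": True, "AccessKeys": [
        {"AccessKeyId": "AKIAEXAMPLE2", "Status": "Active", "LastUsedDate": SAMPLE_NOW - timedelta(days=400)}]},
    {"UserName": "disabled", "HasLoginProfile": False, "AccessKeys": [
        {"AccessKeyId": "AKIAEXAMPLE3", "Status": "Inactive", "LastUsedDate": None}]},
]
```

For a live account, call plan_user_cleanup(fetch_users(boto3.client("iam")), datetime.now(timezone.utc)); the result is a checklist for the owner to confirm before any key is deactivated or user deleted.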

:ahal,
Greg asked to move this over to you, the steps that remain to be completed are just above in Comment 27. If you have any questions or challenges completing this, needinfo me and I can help.
-Gene

Assignee: gmierz2 → ahal
Flags: needinfo?(gmierz2) → needinfo?(ahal)

(In reply to Gene Wood [:gene] from comment #27)

  1. Confirm that both you and :ahal are able to access the Engineering Productivity (423163539776) AWS account by browsing to https://aws.sso.mozilla.com/

Yes, I can connect.

  2. Confirm that indeed the users that should have access to this AWS account are you and :ahal and not Bob Clary, ckolos and glob. If bc ckolos or glob are supposed to have access to the account, please have :ahal add them to the https://mozillians.org/en-CA/group/cia-aws/ mozillians group

This sounds correct. I assume I can add them at any point in the future if it turns out they need access.

I'll leave 3 and 4 for our meeting later.

Flags: needinfo?(ahal)

I assume I can add them at any point in the future if it turns out they need access.

Yes, you'd just add them to the mozillians access group (which you're the curator of)

:ahal and I met up today and

  • confirmed that he and sparky can get in via SSO
  • removed all IAM users except kyle which is disabled

:ahal will contact kyle to see if his IAM user's API key is used in any scripts or if it was just used for command line activities and will either delete the kyle IAM user or setup a new dedicated IAM user with an API keypair to swap in for whatever scripted stuff kyle had setup.

This AWS account is now cut over to using SSO.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
See Also: → 1525704