At netguru.co we have to provide access for over 100 developers to different AWS accounts. Doing it from the console or CLI was kind of a pain, so I came up with this solution.
Basically, it "mirrors" the structure of a selected GitHub repository into AWS IAM Users, Groups and Policies. Everyone can request access to an AWS account by creating a pull request, which must be approved by a devops/cloud architect. Once merged, a message will be sent to SNS and then to a Lambda, which will take care of keeping everything synchronized.
Right now it does not support Cross-Account Access & Roles but I'm planning to implement it.
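To make the synchronization step concrete, here is an added example (not the netguru project's own code) of the reconciliation logic a Lambda like the one described above has to perform: compute the difference between the layout declared in the repository and the account's current IAM state, and emit an explicit, ordered change plan. The desired-state format (groups mapped to managed policy ARNs, users mapped to group names), the `PROTECTED_USERS` safeguard, and the dict-based `apply_plan` that stands in for boto3's IAM calls are all assumptions made for this example so it runs offline.

```python
"""Reconcile a desired IAM layout (users, groups, policies) against the
current account state and produce an explicit change plan.

Added illustrative example, not the project's code. The desired-state
format, the PROTECTED_USERS safeguard and the dict-based apply_plan that
replaces real IAM API calls are assumptions chosen for the example.
"""
import copy

# Constructed sample of what a repository might declare (assumed format).
DESIRED = {
    "groups": {
        "developers": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        "devops": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    },
    "users": {
        "alice": ["developers"],
        "bob": ["developers", "devops"],
    },
}

# Constructed snapshot of what the account currently holds.
CURRENT = {
    "groups": {
        "developers": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        "legacy": [],
    },
    "users": {
        "alice": ["developers", "legacy"],
        "carol": ["developers"],
        "break-glass": [],
    },
}

# Users the reconciler must never modify or delete (assumed safeguard):
# a repo-driven sync that can delete any user not in Git is one bad merge
# away from locking everyone out, so emergency accounts are excluded.
PROTECTED_USERS = {"break-glass"}


def plan(desired, current, protected=frozenset()):
    """Return an ordered list of (action, *args) tuples taking `current`
    to `desired`. Set differences make the plan idempotent: running it
    against an already converged account yields an empty list."""
    steps = []
    d_groups, c_groups = desired["groups"], current["groups"]
    d_users, c_users = desired["users"], current["users"]

    # Groups first, so memberships added below have a target.
    for g in sorted(set(d_groups) - set(c_groups)):
        steps.append(("create_group", g))
    for g in sorted(set(d_groups) | set(c_groups)):
        want = set(d_groups.get(g, []))
        have = set(c_groups.get(g, []))
        for arn in sorted(want - have):
            steps.append(("attach_policy", g, arn))
        for arn in sorted(have - want):  # also empties groups slated for deletion
            steps.append(("detach_policy", g, arn))

    for u in sorted(set(d_users) - set(c_users)):
        steps.append(("create_user", u))
    for u in sorted(set(d_users) | set(c_users)):
        if u in protected:
            continue
        want = set(d_users.get(u, []))
        have = set(c_users.get(u, []))
        for g in sorted(want - have):
            steps.append(("add_to_group", u, g))
        for g in sorted(have - want):
            steps.append(("remove_from_group", u, g))
        if u not in d_users:
            # Real IAM also requires removing access keys, login profile
            # and MFA devices before DeleteUser succeeds; omitted here.
            steps.append(("delete_user", u))

    # IAM refuses to delete a non-empty group, so groups go last.
    for g in sorted(set(c_groups) - set(d_groups)):
        steps.append(("delete_group", g))
    return steps


def apply_plan(steps, state):
    """Apply a plan to an in-memory state (stand-in for the IAM API)."""
    s = copy.deepcopy(state)
    for op, *args in steps:
        if op == "create_group":
            s["groups"][args[0]] = []
        elif op == "delete_group":
            del s["groups"][args[0]]
        elif op == "attach_policy":
            s["groups"][args[0]].append(args[1])
        elif op == "detach_policy":
            s["groups"][args[0]].remove(args[1])
        elif op == "create_user":
            s["users"][args[0]] = []
        elif op == "delete_user":
            del s["users"][args[0]]
        elif op == "add_to_group":
            s["users"][args[0]].append(args[1])
        elif op == "remove_from_group":
            s["users"][args[0]].remove(args[1])
    return s


if __name__ == "__main__":
    for step in plan(DESIRED, CURRENT, PROTECTED_USERS):
        print(step)
```

Separating plan computation from application is the property worth keeping in a real Lambda: the plan can be logged, or posted back to the pull request, before anything destructive runs, and a second run against a converged account produces no changes.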
As Serverless already allows managing IAM resources through the generic CloudFormation resource support, where do you see the advantage of your approach over monitoring a Git repo and executing serverless deploy for each change in there?
That's a pretty good idea, I hadn't thought about it.
I think that my format is easier to understand. You don't have to use `Ref`s and weird `Fn::Join`s, which may not be obvious to developers who are not experienced with CF.
Let me know what you think.