Agreed. What type of app requires you to give up your credentials to something as sensitive as your infrastructures credentials?! No fucking way. Fix this asap.
Edit: Any admin that gives these up should probably not be in the role they are. I'd fire someone over something like this. The OP commented further down that "64%" gave up their credentials. I think their bosses need to know about that or their clients should be warned.
I don't care who this guys is and how much assurance he can offer; there is no reason for this.
Thanks for the feedback. Can I ask what you would suggest as an alternative for people wanting to try the product? Our app is useless without access to the AWS APIs, and although IAM credentials could be created (as people below have), for the app to be fully functional it would require near full access permissions anyway.
We definitely need to give more before users have to enter their credentials, like a tutorial and demo video which are in the works, but as far as actually using the product, I don't see a way around it.
As noted below, this is actually very common. RightScale, Scalr, OpDemand, NewVem, and all other AWS third party tools require this information.
Not trying to say you are wrong, you're not, it's rightfully a big concern for people, but unless AWS change the way their APIs work, what are we supposed to do?
That's a good idea, although it would limit the features to just being a diagramming tool, but at least they can take a look. Really good suggestion, will give it some consideration, thanks.
It allowed me in to at least test out the interface, where I was able to determine that some of the pretty stuff on the home page (autoscaling, for example) doesn't seem to be available yet.
Sorry, I tried to get a balance between showing what we currently support and what we are working towards on the homepage, not sure if I got it right.
RDS support is coming soon (approximately one month) and ELB support to be added shortly after that. AutoScaling and Availability Zones are both high priority, but we have very limited resources and I can't commit to a timeframe at the moment.
Thanks for creating IAM credentials and trying us out. If you have any suggestions on how to improved credential handling, please let me know.
Thanks for the honest criticism. I mostly agree and a video demo is in the works, although a full dummy demo would divert considerable resources away from developing the product at this stage.
If you are asking for AWS credentials, you should really provide a IAM template that is preconfigured with all the "READ ONLY" access API endpoints that you require.
Because we launch instances and volumes, create AMIs, SnapShots, KeyPairs and security groups, read only access would not suffice. We have considered creating an IAM template, but it would need nearly the same permissions as full access. But it would probably still be a good idea for users who aren't comfortable, at least that way they can see exactly what is required. I'll revisit this, thank you.
I'm curious to see how well you guys get on asking for users to supply their AWS credentials. That used to be by far the most common feature request for S3stat, namely a way to use the thing without having to hand across your secret key.
I imagine you could allow your users to create IAM accounts with exactly the permissions they'd need for you to do your thing, but it seems like you pretty much need full control to be at all useful.
It certainly has been an issue, lots of requests and suggestions to make entering AWS credentials optional, but as you say, without the right permissions it would be useless.
Fortunately, it's the same for all third party tools which rely on APIs, no way around it, so a lot of users are used to having to give them out.
I'll share some stats from our small sample size so far: 63% of users who requested an invite then logged in, then of those users 64% entered their credentials, albeit with quite a bit of coaxing and reassurance.
I wouldn't call users being used to give out their full AWS credentials "fortunate". I know that's not exactly what you were trying to see, but still the thought makes me shudder ...
You might consider a CloudFormation designer that works up to so many machines (say 15?). That way people could drop the CF file into AWS and build out a cluster.
When they realize how awesome it is they could upgrade to the plan thats monitors the cluster (and builds out larger clusters or provisions new ones).
That's a great idea, thank you. We are planning to add import/export to CloudFormation anyway, but what you are suggesting sounds like we wouldn't even have to ask for any credentials (as long as the user isn't using custom AMIs/SnapShots) and could be a good introduction. I will think about this more, thanks a lot!
You are inherently saying this means something by choosing to pick it out and highlight it. Back to Harry Potter and the Methods of Rationality for you ;).
It is fair to point this out, it is an understandable concern to people where a company is located, especially when dealing with sensitive data.
We don't try to hide the fact that we are based in Beijing (it is our location on our Twitter profile and there are several mentions of China in our blog) but we don't want to overly promote the fact either, for exactly this reason.
How does the knowledge that we are a Chinese company effect your decisions regarding our product? After finding this out did you go on to register and link with your AWS credentials?
Obviously, we can't help where we are located at this stage of the company, but I'd love to hear how you would recommend handling this from a business point of view.
Does MadeiraCloud let you set up anything other than EBS volumes & EC2 instances w/ firewall rules? Not sure how useful it is atm if that is all one can accomplish.
Yes, the live version currently only supports EBS and EC2, with RDS following soon (approximately one month) and ELB support to be added shortly after that.
I appreciate that the currently supported services does limit the scope of applications that our features could be useful for, but we felt that there are still a lot of people who can benefit from them right now and we wanted to get something out there early to get feedback. For sharing, for example, companies like http://labslice.com/ only support EC2 on its own.
There's more shown on the site's home page than is currently available in the actual UI. Guessing a lot left to be implemented and we're seeing just the "here's what'll eventually be possible" view on the "features" screens.
You are correct. We wanted to get something out to get feedback on and wanted to balance disappointing people with showing what we are working towards on the promotional site. The features on the homepage will all be available for use in the next few months, plus some additional ones not mentioned that we are very excited about.
Impressive site and an innovative approach in what is only going to become a more and more crowded space.
Would you be able to share an indication of the take up you've had so far? Secondly, are you seeing users move from a free account to the premium, as they understand the possibilities available with the higher capacity for apps?
Thank you very much! It is indeed, but we haven't come across anyone who takes our approach, so hopefully it will be enough to differentiate ourselves.
We launched our private beta in February and haven't done any paid marketing since then, all our users have been from word of mouth, media exposure and of course, the great HN. We 'launched' at an early stage and have been iterating since. Currently we have less than 700 free beta users and we are not offering the premium service yet until we have implemented our MVP feature-set and have ironed out any bugs our beta users report. I will be more than happy to share this information in the future.
Do you think it's too similar? I love the dark design of Heroku, and obviously we also have purple branding, but I didn't think beyond that it was too similar.
I'll take it as a compliment, Heroku has a brilliant site and I hope ours can be as good but not appear to be anything close to a copy. It wasn't actually a reference during the design.
Do you have any suggestions on anything to change to make it less similar in your eyes?
Herkou is famous as being the first Rails PaaS to gain traction that was really "easy" to get started and push live.
This experience felt very similar - an impressive feit indeed, a similar feeling to what Herkou instilled the first time I saw their service.
The drag-and-drop web architecture super-easy-deployathon has that same slick awesome vibe (which is a good thing!), but coupling that with a similar layout, color scheme, and information architecture and its the first thing I jumped to.
Not a bad connection per se, but the original thought was "the guy that did the www site sweats herkou hard".
Haha. Well I am the designer of the www, my and ide site, and whilst I like Heroku's site, I don't "sweat it hard"!
But seriously, thanks for this, I thought beyond the dark colour scheme and (very different shades of) purple there wasn't much more similarity. Next time I'm doing some redesigning I'll try and move it a bit further away.
Unfortunately, our app relies on the AWS APIs, so without your credentials there's not a lot you will be able to do. We combined the AWS and password forms because we were getting a lot of support requests from people not entering them, so we felt it was best to force it early on.
Yeah, no problem there, but when I first signed up and clicked the link in my email it said I wouldnt be able to use that link to login again. I wasnt ready to provide my AWS info at that time, because I didnt have time to do it but I did have time to make an account. Now I dont have a password and I cant get back into my account for good?
Aha.. I see, great point, thank you. You are right, that definitely needs changing. You should still be able to reset your password, but obviously that's a pretty poor process. I'll look in to changing that right away, thanks again.
We're not, no, but it is a beautiful word and also happens to be a South American river which is the largest tributary to some other river in the rainforest ;-)
Nobody in their right mind gives you their AWS-credentials just to get a glimpse at your product.