Hi folks,

Next step in our quest to have usable AWS accounts is user handling.

I looked into the available options. Those are local accounts or federation via SAML or OpenID Connect. Federation needs both an external user source and some glue, due to the internal handling in AWS. Local users work, but require either some sync tool or manual user setup, and most likely manual password handling. SAML federation is weird and I found no IdP implementation that allows proper specification of the required user attributes.

I would like to use OpenID Connect federation against salsa.debian.org for now. This needs some glue in the form of a small web application I implemented.[1] The login is reachable via https://awsauth.debian.net/

This setup trusts the following services:

- salsa.debian.org for proper authentication and providing group information.
- awsauth.debian.net for translating group information into AWS roles. It can't change user information, as the used ID token is signed by salsa.

Regards,
Bastian

[1]: https://salsa.debian.org/waldi/oidc-aws

-- 
A Vulcan can no sooner be disloyal than he can exist without breathing.
		-- Kirk, "The Menagerie", stardate 3012.4
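The trust split described in the mail (salsa signs the ID token, awsauth only maps groups to roles) is illustrated below by an added example that is not part of the oidc-aws project's code: it checks the token's algorithm, signature, issuer, audience and expiry before translating the groups claim into role ARNs, deny-by-default. The client id, the group-to-role mapping, the account id and the HMAC (HS256) key are assumptions for an offline-runnable example; a real IdP signs with RS256 and the verification key comes from its JWKS endpoint.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

ISSUER = "https://salsa.debian.org"  # the IdP the mail trusts for authentication and groups
AUDIENCE = "awsauth-client-id"        # assumed: client id awsauth.debian.net registered at salsa
# assumed group-to-role mapping; the account id is a placeholder, not a real account
GROUP_ROLES = {
    "cloud-team": "arn:aws:iam::000000000000:role/cloud-admin",
    "cloud-team/images": "arn:aws:iam::000000000000:role/image-builder",
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_id_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the verified claims or raise ValueError. HMAC (HS256) stands in for the
    RS256/JWKS verification a real IdP needs, so the example runs offline."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an alg you did not pin
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")  # a tampered groups claim or payload lands here
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def roles_for(claims: dict) -> list:
    """Translate the groups claim into role ARNs; groups without a mapping grant nothing."""
    return sorted({GROUP_ROLES[g] for g in claims.get("groups", []) if g in GROUP_ROLES})

def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed test token (not a real salsa token) for exercising the checks."""
    h64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"
```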
I looked into the available options. Those are local account or federation via SAML or OpenID Connect. Federation needs both an external user source and some glue, due to the internal handling in AWS. Local users work, but require either some sync tool or manual user setup, and most likely manual password handling. SAML federation is weird and I found no IdP implementation that allows proper specification of the required user attributes. I would like to use OpenID Connect federation against salsa.debian.org for now. This needs some glue in form of a small web application I implemented.[1] The login is reachable via https://awsauth.debian.net/ This setup trusts the following services: - salsa.debian.org for proper authentication and providing group information. - awsauth.debian.net for translating group information into AWS roles. It can't change user information, as the used ID token is signed by salsa. Regards, Bastian [1]: https://salsa.debian.org/waldi/oidc-aws -- A Vulcan can no sooner be disloyal than he can exist without breathing. -- Kirk, "The Menagerie", stardate 3012.4