Feature/auth quickstart #48
Conversation
joshmarsh
requested review from
AmudaPalani,
eschwartz,
marinatedpork and
nathanagood
|
|
||
| ## Deploying DCE | ||
|
|
||
| 1. [Download and install the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) |
There was a problem hiding this comment.
I would tweak this a bit. The AWS CLI isn't actually a dependency of the DCE CLI, right? We're just borrowing the ~/.aws/credentials file to load creds.
But we can also load creds from env vars.
Note quite sure the best wording for this. The AWS docs on this are a little messy.
Checkout how Terraform talks through it: https://www.terraform.io/docs/providers/aws/index.html#shared-credentials-file (though that's a lot more verbose than we need)
Or see the AWS CLI order of precedence:
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#config-settings-and-precedence
Note that we also have another way to load AWS creds, from the api.token config in dce.yml, which is populated by the dce auth command.
I'm thinking maybe we just need a separate section or page to cover AWS creds.
There was a problem hiding this comment.
Unfortunately we are using the aws cli as a dependency here.
I think we discussed using the aws cli to manage creds in a way that was platform agnostic a while ago. I've since discovered build constraints and believe we should use those instead. This should be done as a seperate PR: #49
Thanks for the helpful links. I'll go ahead and update this section.
docs/quickstart.md
Outdated
|
|
||
| ## Authenticating with the DCE System | ||
|
|
||
| DCE uses AWS Cognito to manager authentication and authorization. |
There was a problem hiding this comment.
DCE CLI uses AWS Cognito to manager manage authentication and authorization.
There was a problem hiding this comment.
I'm not sure if I agree with this. Users that want to hit the API directly don't currently have an alternative auth mechanism than to use Cognito.
While the current experience of logging into a web page isn't geared towards API users, I wouldn't call Cognito a CLI only feature unless we have plans to introduce an alternative auth mechanism for non-CLI users.
| region: us-east-1 | ||
| ``` | ||
|
|
||
| ## Authenticating with the DCE System |
There was a problem hiding this comment.
This is awesome. Thanks for putting this together @joshmarsh.
I'm going to try running through all this, and let you know how it goes
|
|
||
| DCE uses AWS Cognito to manager authentication and authorization. | ||
|
|
||
| 1. Open the AWS Console in your DCE Master Account and Navigate to AWS Cognito by typing `Cognito` in the search bar |
There was a problem hiding this comment.
Might be worth a little intro here, explaining what we're doing
(ie. that we're manually setting up a user pool, though you can also federate with third party IDPs)
Also maybe a note like:
We'll walk through setting this up in the AWS web console, but note that all of these operations can be automated using the AWS Cognito CLI or SDKs
docs/quickstart.md
Outdated
| ➜ ~ dce accounts add --account-id 555555555555 --admin-role-arn arn:aws:iam::555555555555:role/DCEMasterAccess | ||
| ``` | ||
| ``` | ||
| ➜ ~ dce accounts add --account-id 555555555555 --admin-role-arn arn:aws:iam::555555555555:role/DCEMasterAccess |
There was a problem hiding this comment.
I would cut these little ➜ ~ prompts. They're kind of confusing.
| region: us-east-1 | ||
| ``` | ||
|
|
||
| ## Authenticating with the DCE System |
There was a problem hiding this comment.
Probably worth pointing out here that Cognito is an option for authenticating against DCE.
You can also use straight up AWS creds (shared creds file, env vars, ec2 metadata, etc), and DCE will treat you as an admin user.
There was a problem hiding this comment.
Just thinking that in my mind "Quick Start" is how some dev is setting this up on their own AWS account, to test it out. They don't really need to do anything with Cognito in that case.
Cognito auth is a more advanced use case, where you're actually federating in with your enterprise's IDP.
There was a problem hiding this comment.
I don’t disagree, but I do like having the entire “happy path” documented in detail like this.
What do you think about this merging with the QuickStart in the main repo and becoming our primary “how to” doc? Steps with multiple variations could link to separate documents (e.g. the cognito stuff).
There was a problem hiding this comment.
As per our offline conversation: Optum/dce#159
|
|
||
|  | ||
|
|
||
| 1. Users in this group will be granted admin access to DCE. The group name must contain the term `Admin`. Choose a name and click on the `Create group` button. |
There was a problem hiding this comment.
must contain the term
Admin
@joshmarsh what's the story on this? Is this a mechanism of Cognito, or something we setup?
It just feels a little hacky
There was a problem hiding this comment.
This was set up a while ago after we discussed using Cognito User Pool Groups and IdP attributes as the two mechanisms by which we would assign admin/non-admin IAM roles to users.
I'm pretty sure it was intended as a "good enough" solution while we focused on getting auth working overall. We should definitely iterate on it.
|
|
||
| ``` | ||
| dce auth | ||
| ✔ Enter API Token: : █ |
There was a problem hiding this comment.
@joshmarsh what's going on with pasting into the terminal? Is it doing this for you, too?
docs/quickstart.md
Outdated
|
|
||
| 8. Use the `dce accounts add` command to add your child account to the "DCE Accounts Pool" | ||
| 1. Use the `dce accounts add` command to add your child account to the "DCE Accounts Pool". WARNING: This will delete any resources in the account. |
There was a problem hiding this comment.
Might want to pull this WARNING down to a new line, and make it bold
docs/quickstart.md
Outdated
| ] | ||
| ``` | ||
|
|
||
| 1. Notice that [we created a lease for a different user](https://github.com/Optum/dce/issues/137) than the one we are currently authenticated with (i.e. `jdoe99` != `quickstartuser`). If we try to login to this leased account, we will receive a permissions error since it is registered under a different user. |
There was a problem hiding this comment.
we created a lease for a different user
this is actually a bug in our system, that a user can create a lease for someone else.
I would avoid highlighting this bug in our docs.
joshmarsh
changed the title
joshmarsh
changed the title
docs/quickstart.md
Outdated
|
|
||
| ``` | ||
| # View your leased account credentials | ||
| 1. If we try to login to this leased account, we will receive a permissions error since it is registered under a different user (i.e. `jdoe99` != `quickstartuser`). |
There was a problem hiding this comment.
@joshmarsh I don't think we should be creating a lease for a different user at all. That's a bug in our system that you can do that, right?
| 1. Use the `dce accounts add` command to add your child account to the "DCE Accounts Pool". WARNING: This will delete any resources in the account. | ||
| 1. Use the `dce accounts add` command to add your child account to the "DCE Accounts Pool". | ||
|
|
||
| *WARNING: This will delete any resources in the account.* |
| | ----------- | ----------- | ----------- | ----------- | | ||
| | Deployment (`dce system deploy`) | Available | [Unavailable](https://github.com/Optum/dce-cli/issues/21) | | | ||
| | CLI Initialization (`dce init`) | Available | Available | | | ||
| | Authentication (`dce auth`) | Available | Available | [Unavailable on Firefox](https://github.com/Optum/dce/issues/166) | |
| } | ||
| ``` | ||
|
|
||
| dce leases create --budget-amount 100.0 --budget-currency USD --email [email protected] --principal-id quickstartuser |
Proposed changes
https://github.com/Optum/dce-cli/blob/feature/auth-quickstart/docs/quickstart.md
Types of changes
Checklist
README.md, inline comments, etc.)CHANGELOG.mdunder a## nextrelease, with a short summary of my changesRelevant Links
Backend PR for this functionality: Optum/dce#149
Issue: #33
Further comments