hazelweakly (@hazelweakly@hachyderm.io):

I would burn so many gpus and do many questionable things if it got me the ability to throw a magic wand at a fuck cluster of terraform and tighten up / debug all of the AWS iam bullshit going on in there.

Sincerely,
Has now spent two days trying to debug EKS + KMS interactions

hazelweakly (@hazelweakly@hachyderm.io):

Peak Infrastructure Brain Rot is having to dig through dozens of posts, articles, hundreds of pages of documentation, only to find the one single line buried in the middle of a help article:

"The grant must be created in the account where the autoscaling group is, not where the key lives"

Ughhhh. So infuriating. I get it, there's nothing you can do to solve the problem in all generality, but for FUCK'S sake
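The doc line quoted above, turned into something checkable. This is an added example written for this thread, not hazelweakly's code and not an AWS library: it encodes the rule that the grant for the Auto Scaling service-linked role is created from the account that owns the ASG, against a key that may live in another account, and refuses to build the call when the caller sits in the wrong account (the real failure mode is a generic AccessDeniedException that does not say so). The account IDs and key ID are made up; the grant operations and key-policy actions follow the Auto Scaling "required KMS key policy for encrypted volumes" doc as I remember it, so treat those lists as assumptions and check them against the current doc. To actually apply the cross-account plan you would call `boto3.client("kms").create_grant(**plan["create_grant"])` with credentials in the ASG account, after the key owner has added the policy statements.

```python
"""Which account creates the KMS grant for an Auto Scaling group (added example)."""
import re

ARN_RE = re.compile(r"^arn:aws:[^:]+:[^:]*:(?P<account>\d{12}):.+$")
# The service-linked role that needs to use the key; it lives in the ASG's account.
SLR_PATH = "role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
# Assumed from the Auto Scaling docs; verify before use.
GRANT_OPERATIONS = ["Decrypt", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom",
                    "ReEncryptTo", "CreateGrant", "DescribeKey"]
KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def arn_account(arn):
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.group("account")


def key_policy_statements(principal_arn):
    """Statements the key owner adds to the key policy for `principal_arn`."""
    return [
        {"Sid": "AllowUseOfKey", "Effect": "Allow", "Principal": {"AWS": principal_arn},
         "Action": KEY_USE_ACTIONS, "Resource": "*"},
        {"Sid": "AllowGrantsForAWSResources", "Effect": "Allow",
         "Principal": {"AWS": principal_arn}, "Action": GRANT_ACTIONS, "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]


def plan_key_access(key_arn, asg_account, caller_account):
    """Return what the key owner must add and what, if anything, the ASG account must call.

    Raises if the caller is not in the ASG account: that is exactly the mistake the
    quoted doc line warns about, and KMS only answers it with AccessDeniedException.
    """
    if caller_account != asg_account:
        raise ValueError(f"run this from account {asg_account} (where the ASG is), "
                         f"not {caller_account}")
    slr_arn = f"arn:aws:iam::{asg_account}:{SLR_PATH}"
    if arn_account(key_arn) == asg_account:
        # Same account: the key policy can name the service-linked role directly, no grant.
        return {"key_policy_statements": key_policy_statements(slr_arn), "create_grant": None}
    # Cross account: the key policy trusts the ASG account as a whole, then the ASG
    # account creates the grant for its own service-linked role.
    return {
        "key_policy_statements": key_policy_statements(f"arn:aws:iam::{asg_account}:root"),
        "create_grant": {"KeyId": key_arn, "GranteePrincipal": slr_arn,
                         "Operations": list(GRANT_OPERATIONS)},
    }


if __name__ == "__main__":
    import json
    # Made-up IDs: key in 444455556666, ASG (and caller) in 111122223333.
    print(json.dumps(plan_key_access(
        "arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        asg_account="111122223333", caller_account="111122223333"), indent=2))
```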

sandorspruit (@sandorspruit@mastodon.nl):

@hazelweakly Do you share the impression that this is getting worse? All those folks copying each other's stuff to get a few extra eyeballs on their ads? You have to wade through dozens of pages to find that one blog that delivers something helpful 😬

hazelweakly (@hazelweakly@hachyderm.io):

@sandorspruit A significant amount of the duplicate and spread-out documentation is actually all around the official documentation in AWS itself. So it's not even that they're necessarily trying to get more views!

I empathize that it's an incredibly nuanced and difficult conversation to have and everyone's going to have different trade-offs, so it's really hard to make universal documentation for this

But the lack of tooling to even attempt to solve the problem bugs me deeply 😅

hazelweakly (@hazelweakly@hachyderm.io):

Forget distributed tracing for microservices, I need distributed tracing + a service graph for IAM

And on top of that: a helpful button in CloudTrail where I can click on an event with a permission denied error code and have it just spit out what's required to grant access for that event

If you combined that with a nice little visual graph and a way to dump out CLI commands or cloudformation? It'd be game changing

Or, y'know, you can build an AI chatbot bullshit and be useless about it

mweagle (@mweagle@hachyderm.io):

@hazelweakly Strongest of agreement… I would pay for the CloudTrail -> IAM POLA statement button. So many AWS blog posts use overly broad scopes (* is not a policy, it's a bypass) while others rightly point to how important it is to design for security.

clementd (@clementd@framapiaf.org):

@hazelweakly That's why I love biscuits' snapshots so much.

hazelweakly (@hazelweakly@hachyderm.io):

@clementd that snapshot feature is awesome. It's a shame pretty much nothing "speaks" biscuits natively

clementd (@clementd@framapiaf.org):

@hazelweakly I'm working on it 😅

I'm pretty satisfied with biscuits in JS and Haskell, as far as integration with the web framework goes

hazelweakly (@hazelweakly@hachyderm.io):

@clementd of course once you do biscuits one must naturally go all the way into doing macaroons because even though biscuits are cool, macaroons are even cooler

Who doesn't want their API to secretly be a prolog interpreter?

clementd (@clementd@framapiaf.org):

@hazelweakly Macaroons are less cool than biscuits :-)

clementd (@clementd@framapiaf.org):

@hazelweakly (I have used macaroons in production for 4 years before working on biscuits)

hazelweakly (@hazelweakly@hachyderm.io):

@clementd oh fun! I've only seen articles on both and I've always wanted to play with them (or try them out for real), I just haven't had an opportunity present itself yet

clementd (@clementd@framapiaf.org):

@hazelweakly If you ever have an opportunity, be sure to check https://www.biscuitsec.org/docs/tooling/ as it provides everything in-browser.

Macaroons are fine if a shared secret scheme is ok, but you have to build quite a bit on top of it (caveat parsing, revocation, etc). They're definitely less complex than macaroons, even though you still have to build part of this complexity yourself.

clementd (@clementd@framapiaf.org):

@hazelweakly Also, I can't wait to be able to talk more about how we're using biscuits in the IAM I'm building.

hazelweakly (@hazelweakly@hachyderm.io):

@clementd eyeroll I just realized I flipped biscuits and macaroons in my head and swapped datalog for prolog. Sigh. Biscuits are indeed the cooler one

Still, haven't played with either yet! I know fly.io did macaroons and I'm excited to see more about what you get up to with biscuits :)

onyxraven (@onyxraven@hachyderm.io):

@hazelweakly I need to think/rubber duck this more, but this feels doable. I would wish for AWS' internal resolution to help, but a naive suggester may not be so bad. I'd want to import all the action/principal/resource/conditions (from the docs?) but it could use get/describe to even suggest plausible updates.
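The "permission denied event -> what do I need to grant" button hazelweakly asks for, and the naive suggester onyxraven sketches, as an added example written for this thread (not an AWS feature, not code from either poster). It reads CloudTrail-shaped records, keeps only the denied ones, derives the IAM action and resource (preferring the `errorMessage`, which usually names the exact action and resource ARN, and falling back to `eventSource`/`eventName`), attaches the result to the role rather than the assumed-role session, merges actions per principal and resource set, and flags every statement where it had to emit `*` because CloudTrail recorded no resource ARN, since that is the part a human still has to narrow. The four events, account IDs, role and user names and key ID are constructed sample data; the error-code set and the `monitoring` -> `cloudwatch` prefix override are the ones I know of, not a complete table.

```python
"""Naive CloudTrail "permission denied" -> IAM policy suggester (added example)."""
import json
import re
from collections import defaultdict

# Error codes CloudTrail records on authorization failures (not exhaustive).
DENIED_CODES = {"AccessDenied", "AccessDeniedException",
                "UnauthorizedOperation", "Client.UnauthorizedOperation"}
# eventSource labels whose IAM action prefix differs from the DNS label.
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}
# Usual shape of a denial message; not guaranteed for every service.
DENIAL_MSG_RE = re.compile(
    r"is not authorized to perform: (?P<action>[\w-]+:[\w*]+)"
    r"(?: on resource: (?P<resource>\S+))?")

# Constructed sample data: made-up accounts, names and key ID.
KEY_ARN = "arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = "arn:aws:iam::111122223333:role/eks-node-group"
USER_ARN = "arn:aws:iam::111122223333:user/hazel"
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/eks-node-group/i-0abc",
                      "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}},
    {"eventID": "e2", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "errorCode": "AccessDeniedException",
     "errorMessage": f"User: {USER_ARN} is not authorized to perform: kms:CreateGrant "
                     f"on resource: {KEY_ARN} because no resource-based policy allows "
                     "the kms:CreateGrant action",
     "userIdentity": {"type": "IAMUser", "arn": USER_ARN}},
    {"eventID": "e3", "eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "errorCode": "AccessDeniedException",
     "errorMessage": f"User: {USER_ARN} is not authorized to perform: kms:DescribeKey "
                     f"on resource: {KEY_ARN} because no resource-based policy allows "
                     "the kms:DescribeKey action",
     "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
     "userIdentity": {"type": "IAMUser", "arn": USER_ARN}},
    {"eventID": "e4", "eventSource": "kms.amazonaws.com", "eventName": "ListKeys",
     "userIdentity": {"type": "IAMUser", "arn": USER_ARN}},  # succeeded: ignored
]


def iam_action(event):
    prefix = event["eventSource"].split(".")[0]
    return f"{SERVICE_PREFIX_OVERRIDES.get(prefix, prefix)}:{event['eventName']}"


def attach_target(event):
    """Policies attach to the role, not the session, so use the session issuer."""
    ident = event["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn", "unknown")


def parse_denial(event):
    """Return principal/action/resources for a denied event, or None if it succeeded."""
    if event.get("errorCode") not in DENIED_CODES:
        return None
    action = iam_action(event)
    resources = [r["ARN"] for r in event.get("resources", []) if "ARN" in r]
    m = DENIAL_MSG_RE.search(event.get("errorMessage", ""))
    if m:  # the message is more precise than eventSource/eventName
        action = m.group("action")
        if not resources and m.group("resource"):
            resources = [m.group("resource")]
    return {"principal": attach_target(event), "action": action,
            "resources": resources or ["*"], "wildcard": not resources,
            "eventID": event.get("eventID")}


def suggest_policies(events):
    """Map principal ARN -> policy document; also return notes for every '*' emitted."""
    grouped = defaultdict(lambda: defaultdict(set))  # principal -> resources -> actions
    notes = []
    for ev in events:
        d = parse_denial(ev)
        if d is None:
            continue
        grouped[d["principal"]][tuple(sorted(d["resources"]))].add(d["action"])
        if d["wildcard"]:
            notes.append(f"{d['eventID']}: no resource ARN for {d['action']}; narrow '*' by hand")
    policies = {}
    for principal, by_resource in grouped.items():
        statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": list(res)}
                      for res, actions in sorted(by_resource.items())]
        policies[principal] = {"Version": "2012-10-17", "Statement": statements}
    return policies, notes


if __name__ == "__main__":
    pols, todo = suggest_policies(SAMPLE_EVENTS)
    print(json.dumps(pols, indent=2))
    print("\n".join(todo))
```

On real data you would feed it the `Records` array of a CloudTrail log file or the output of `lookup-events`; the "service graph" half of the wish is left out, and so are condition keys, which CloudTrail does not record and which the suggester cannot guess.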

mpuckett259 (@mpuckett259@hachyderm.io):

@hazelweakly I try to never ever touch any IAM anything lest someone get the false impression I understand how it works and make all of it my problem.

hazelweakly (@hazelweakly@hachyderm.io):

@mpuckett259 I understand it enough to be dangerous, but I don't understand it enough to look at a completely generic error message and instantly mentally drill down through 8 layers of abstraction to know what is actually happening

mpuckett259 (@mpuckett259@hachyderm.io):

@hazelweakly doesn't help when it's likely gonna require following multiple jumps between disparate repos that don't have any obvious links between each other.

hazelweakly (@hazelweakly@hachyderm.io):

@mpuckett259 literally my life right now. It's unreal
