docs: Basic docs for Identity Center Resource Access Requests #50977
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Amplify deployment status
|
smallinsky
reviewed
Jan 14, 2025
Comment on lines
+176
to
+191
| ## Background: Account Assignments | ||
|
|
||
| The main resource that the Teleport Identity Center integration manages is the | ||
| *Account Assignment*. | ||
|
|
||
| An Account Assignment is the combination of a specific Permission Set on a specific | ||
| AWS account - for example "*AdminAccess on Production*" (where *Production* is | ||
| an AWS account managed by Identity Center). | ||
|
|
||
| When a user has access to an Account Assignment in Teleport, that access is | ||
| mirrored in AWS Identity Center. When a teleport user loses access to an Account | ||
| Assignment in Teleport, that access is similarly deleted in AWS. | ||
|
|
||
| Access to Account Assignments can be granted via Teleport Roles, either directly | ||
| to Users or through Access Lists, or by Account Assignment resources included in | ||
| an approved Access Request. |
There was a problem hiding this comment.
It is a bit hard to grasp the Account Assignments concept without introducing concept of yaml account assignment object that is mentioned later: https://github.com/gravitational/teleport/pull/50977/files#diff-fb2062905f79b4f115956784c5dff3435d4e742630bdca6acd0d2a68abc1e996L249
| ## Usage scenarios | ||
|
|
||
| Let's take a look at some common usage scenarios enabled by the Identity Center | ||
| integration. | ||
|
|
||
| ### Just-In-Time Access with resource Access Requests |
There was a problem hiding this comment.
Right now the section ordering looks like below:
- Just-In-Time Access with resource Access Requests
- Managing access with Access Lists
- Just-in-time access with role Access Requests
- Long-term access with Access Requests
Can we group and sort based on the usage scenarios:
- Just-In-Time Access with resource Access Requests
- Access Request
- Just-in-time access with role Access Requests
- Long-term access with Access Requests
- Long-term access with Access Requests
| assigned to the corresponding AWS Identity Center group during the integration | ||
| setup. | ||
|
|
||
| These Teleport-generated roles each represent a single Account Assignment, and |
There was a problem hiding this comment.
I think that we have replaced permission-set-name>-on--on--aws-coount-id to prevent collisions between account names
ptgott
reviewed
Jan 14, 2025
| @@ -182,11 +173,60 @@ Clicking the "Log In" button for this app takes you to your Identity Center | |||
| SSO start page which you can use to pick a role and connect to your AWS account | |||
| as usual. | |||
|
|
|||
| ## Background: Account Assignments | |||
There was a problem hiding this comment.
I think it would make sense to incorporate this into "How it works", since it's architectural background that a reader can keep in mind while they continue through the setup steps.
Comment on lines
+186
to
+191
| mirrored in AWS Identity Center. When a teleport user loses access to an Account | ||
| Assignment in Teleport, that access is similarly deleted in AWS. | ||
|
|
||
| Access to Account Assignments can be granted via Teleport Roles, either directly | ||
| to Users or through Access Lists, or by Account Assignment resources included in | ||
| an approved Access Request. |
There was a problem hiding this comment.
Suggested change
| mirrored in AWS Identity Center. When a teleport user loses access to an Account | |
| Assignment in Teleport, that access is similarly deleted in AWS. | |
| Access to Account Assignments can be granted via Teleport Roles, either directly | |
| to Users or through Access Lists, or by Account Assignment resources included in | |
| an approved Access Request. | |
| mirrored in AWS Identity Center. When a Teleport user loses access to an Account | |
| Assignment in Teleport, that access is similarly deleted in AWS. | |
| Access to Account Assignments can be granted via Teleport roles, either directly | |
| to users or through Access Lists, or by Account Assignment resources included in | |
| an approved Access Request. |
Capitalization tweaks
| ## Usage scenarios | ||
|
|
||
| Let's take a look at some common usage scenarios enabled by the Identity Center | ||
| integration. | ||
|
|
||
| ### Just-In-Time Access with resource Access Requests |
There was a problem hiding this comment.
Suggested change
| ### Just-In-Time Access with resource Access Requests | |
| ### Just-in-time access with resource Access Requests |
Capitalization
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.