Provisioning a single Resource to a student without seeing each other. - Kahuna915/Capstone-Cloud-Integration GitHub Wiki
- During design 1 I tried to figure this out, but it didn't seem possible with EC2.
- You can do it for certain applications like S3, creating a bucket folder and tagging that to the user.
- After discussing it with the client, he thought it best to use IAM, so I began investigating again. In this section I will break down what I tried and why it failed.
- First I created an IAM user Charlie and attached a permission set I created:
- This set should give Charlie access to see everything, but only to start and stop instances that are associated with the user Charlie.
- I then created an Instance on my account to confirm Charlie could see it:
- I then tried to terminate the instance as Charlie, which isn't allowed...
- With this logic I began trying to use Charlie on DescribeInstances, which in theory should only allow Charlie to see things attached to himself.
- Which seemed to work, but...
- Now Charlie needs full EC2 access to his resource. But any time you try this it fails because EC2 doesn't support specific resources.
- **Now I will try using tags per specific resource**
- When trying to give full EC2 access you'll get 50 warnings asking you to specify a resource:
- There is also setting a specific request condition, which I tried in the past with the AWS username and which failed:
- I went through and assigned the resources to Charlie's specific ARN.
- I then tested (keep in mind Charlie should now have full access to everything but seeing everybody's items).
- Which immediately failed.
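For reference, here is what the tag-based version of the Charlie policy looks like when written out as an IAM policy document. This is an added example, not a policy from this wiki or from the Capstone-Cloud-Integration project; it assumes a tag key named `Owner` whose value is the IAM user name, and it uses `*` for the region and account in the ARNs. It restricts only the actions that change an instance: the EC2 `Describe*` actions do not support resource-level permissions, so the `ViewEverything` statement has to use `"Resource": "*"` and a tag condition there cannot narrow what the user sees.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewEverything",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyInstancesTaggedToSelf",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Owner": "${aws:username}" }
      }
    },
    {
      "Sid": "LaunchSupportingResources",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:volume/*"
      ]
    },
    {
      "Sid": "LaunchOnlyIfTaggedToSelf",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/Owner": "${aws:username}" },
        "ForAllValues:StringEquals": { "aws:TagKeys": [ "Owner" ] }
      }
    },
    {
      "Sid": "TagOnlyAtLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    }
  ]
}
```

Attached to Charlie (or to an IAM group all students belong to), this lets him list every instance in the account but start, stop, reboot or terminate only instances tagged `Owner=Charlie`, and launch new instances only if they are tagged `Owner=Charlie` at creation time. Because `CreateTags` is allowed only with `ec2:CreateAction` equal to `RunInstances`, a student cannot later retag someone else's instance to claim it. The region-level separation noted in the 2/15 update is normally expressed with the `aws:RequestedRegion` global condition key in the same way.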
- This was an expansion on Demo 1. The problem arose, and according to multiple resources it is not possible to do what I am trying to do. The client has said to start looking into Organizational users, which I will look at more closely. I have had two phone calls with AWS and they both said that IAM doesn't work that way, so it's not possible. They told me it's role based, so say I have Tanner, Alex and Noah. Tanner and Alex are in an 8 am class but I am in a 2 pm class. At the start of that 8 am class the professor would attach a role to their IAM account giving them access to that resource for that class period. Tanner and Alex would be able to see each other's work within that class. Then afterwards the professor would remove the role and assign Noah that role, which then allows Noah at 2 pm to do the lab. Then the professor has to unassign it. Obviously this would be a lot of moving parts for the professor and would be unreasonable and inefficient to use.
After no success, I pulled in my teammates, and we were going to look at propagated billing and full service accounts/organizational users. We will also be getting access to paid resources, which we believe could be a setting within a paid feature.
Update 2/15
- Found a security policy that was limiting our ability to separate users. We also found out we can separate users based on region-level access.