Hi,

On Fri, Apr 05, 2019 at 12:21:25AM +0200, Bastian Blank wrote:
> Hi folks
>
> We never filled the details for a possible user handling in AWS. I
> therefore like to propose the following:
>
> - All user management/sync will be bundled into one AWS account.
> - All user access to the publishing and engineering accounts will be via
>   assumed roles (we might switch to SAML if it makes sense).
> - All "users" in the publishing and engineering accounts are automatic
>   processes, like our upload stuff.
>
> This means:
>
> In addition to the AWS billed publishing and engineering account, we
> will need a SPI owned account for the user handling. We will make sure
> with appropriate settings that users can't produce charges in this
> account.

Due to my life being otherwise busy I won't dive deeply into the ideal user management policy questions in this email, but I will comment solely on the bits relevant to the SPI President role and to the preferences of our partners at Amazon.

Amazon requested that we use two accounts for the part they're paying for and putting under their organization: one account to publish the images, and a separate account for engineering work like running Debian archive mirrors. Both of these would still have SPI as legal owner, and any expenses which somehow get billed to SPI rather than Amazon would be accounted by SPI as Debian expenses.

My understanding is that Amazon is okay for us to use the engineering account for any reasonable work targeted at building, testing, and supporting Debian AMIs in Amazon. This might make it okay for the user management work to live in that account, but I don't feel strongly about that.

If Debian is planning to have an AWS account which would be billed to SPI rather than Amazon for user management purposes, that's not inherently a problem; the usual requirement for DPL approval would exist so that any charges which flow through to the SPI debit card could be accounted as Debian expenses. And of course, someone involved with the Debian AWS administration would need to be paying attention to ensure the charges don't get exorbitant.

- Jimmy Kaplowitz
[email protected]
