docs: Breaking down Pipelines authentication concepts #2745
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the ✨ Finishing touches🧪 Generate unit tests
Comment |
There was a problem hiding this comment.
The content of the docs is great, but one big surprise for me was that I was expecting more of a how-to, whereas these are written more like explanations (as those terms are defined in The 4 types of technical documentation).
I think our first priority is a how-to that specifically addresses how users can auth to AWS, Azure, or a custom provider. After all, that's what will enable users to install things, so I'd actually expect a new section under "Setup & Installation" called something like "Cloud", with each of AWS, Azure, and Custom listed there. Then maybe we re-word "Enable Auth for Pipelines" to "VCS/CI" and have one entry for each of GitHub and GitLab (or if you want to keep the scope of this PR contained, just to change the title and leave the content as is).
Would you be open to updating these to be how-to docs that focus on a step-by-step process users can follow to set up authentication? Then within those steps, perhaps we can link to explanation docs as needed.
For the explanation docs, I wonder if parts of them belong under a dedicated "Security" section in the Pipelines docs since they even include discussions on "Fundamentals of OIDC"?
| 2. **Apply least privilege** - Grant only the minimum permissions required | ||
| 3. **Rotate credentials regularly** - For long-lived credentials that cannot use OIDC | ||
| 4. **Monitor access logs** - Keep track of authentication events and access patterns | ||
| 5. **Isolate environments** - Isolate environments (dev, staging, prod) in separate containers (e.g. accounts, subscriptions, projects) to limit the impact of a breach |
There was a problem hiding this comment.
These are nice security practices, but we need more context. Are these best practices that the customer should do, or something Gruntwork has already baked in to Pipelines?
Alternatively, do we need this section at all in an overview page? Alternatively, maybe we should have a section called "Security principles" and write in slightly more depth about the steps we take to give customers a secure way to authenticate; not sure that's critical, though.
There was a problem hiding this comment.
Both! If it's not critical to you, I will defer any addition of more pages to a subsequent PR.
There was a problem hiding this comment.
I think the issue is that it's not clear what we want the reader to do with this information. Are we teaching them what security best practices we adopted, or giving them guidelines on how they should use Pipelines? Either way, we should be more explicit about what we want them to take away from reading this section.
I plan on doing that in a subsequent PR as I look to update the "Setup & Installation" and "Guides" sections of Pipelines docs, but this PR is focused on addressing the "Concepts" section, which is explicitly explanation docs. I'm going vertically down through the Pipelines docs, top-to-bottom and creating in-draft PRs for the functionality that we're introducing as part of the new authentication capabilities for Azure and Custom authentication. 
|
|
Ah, I see. If we're going to cover the how-to items soon, then, sure no issues with merging this. More generally, my primary concern is that the detailed explanations of Azure, AWS, and Custom auth implementations feel out of place at the beginning of the Pipelines section. I'd suggest restructuring to prioritize what users need first: Key concepts - limit to fundamental concepts users need to understand how to use Pipelines This gives users the essential information upfront, with implementation details available for those who need them. The current structure jumps into advanced technical details before establishing the fundamentals. |
yhakbar
force-pushed
the
yousif/dev-1088-break-down-authenticating-to-the-cloud-to-avoid-assuming-aws
branch
from
4ac9639 to
ce4a816
Compare
Co-authored-by: Josh Padnick <[email protected]>
Co-authored-by: Josh Padnick <[email protected]>
yhakbar
force-pushed
the
yousif/dev-1088-break-down-authenticating-to-the-cloud-to-avoid-assuming-aws
branch
from
ce4a816 to
99522a4
Compare
Breaking down Pipelines authentication concepts so that they aren't assuming AWS only.