Profile picture
, 10 tweets, 3 min read
My Authors
Read all threads
Extra excited about this now. sso:GetRoleCredentials takes account and role name parameters (weird that it's not a role ARN but whatever). This looks to me like the client is in control of what IAM principal the user will become. This is a good thing! ⏬1/9
A great enabling capability for an org is creating single page apps w/ serverless backends, and now with these APIs in JS those apps can use SSO. One of the difficulties with these apps is that there may be many copies of a given app, for dev or just in many different accts 2/9
You should be able to stand up a copy of an app, go to its front page, and log in with SSO. But most SSO flows assume well-known URLs that you give to the SSO system. But with these AWS SSO APIs/Device Flow, that's no longer a problem. 3/9
An instance of the app registers as a client, with some auto-generated client name (the CLI does this too, "botocore"+timestamp). It doesn't need a well-known destination because it's polling for the token with its client name. OK, on to IAM: 4/9
An app is going to have some set of IAM roles it has defined for access to its backend. But a user will have access to many roles. So how does the user get the right role for what they are doing? 5/9
With the current sts:ASsumeRoleWithSAML flow, there's a big role and account selection page, and the user has to know which is relevant to the work they are doing, which isn't obvious if you're just starting from a web page you've visited. 6/9
So now, the client gets to tell SSO which role to assume in GetRoleCredentials. The auth flow the user sees is only about authentication, not role selection. If there are multiple roles to choose from, the client gets to prompt the user to chose, within that app's design. 7/9
Obviously the user has to have permissions to assume the role, but that's managed outside this auth flow. If there's multiple roles, I don't see a clear way for the app to know which to list based on permissions, but that's probably ok? 8/9
I guess the next step is to get support for this SSO auth in Amplify, so the creation of these apps can be that much easier. The ability to easily create management consoles for your cloud systems, and to get web devs empowered to create internal apps is huge. cc @undef_obj 9/9
An #awswishlist is for a new API method sso:ListRolesForToken, so a client with a token can narrow the options to present to a user. It would be ok if the API took a list of roles and returned which ones the token has access to (rather than enumerating all possible roles)
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Ben Kehoe

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#awswishlist

More from @ben11kehoe see all

Profile picture
Ben Kehoe
@ben11kehoe
The future of #serverless is not stateful compute. It's computeful state.
Instead of trying to shoehorn statefulness into our current stateless compute models, we should be thinking about how to bring our code closer to our data. Lambda with EBS attached is bad. Paradigms more like handing code directly to S3 to run on all your objects.
People saying “this is just stored procedures” are like the people saying “Lambda is just cgi-bin”. Sure, superficially they’ve got the same model, but the details result in very different characteristics.
Read 3 tweets
Profile picture
Ben Kehoe
@ben11kehoe
One of @awscloud's biggest weaknesses is that while product teams strive to create great experiences for their services, AWS users have to use many teams' services and there's very little accountability for the cross-AWS-team experience.
AWS is the best in the world at creating autonomous teams. We’re asking AWS to figure out how to scale their customer obsession in a way that cross-team feedback is appropriately prioritized.
We’re glad docs are in GitHub, but we want PRs to get addressed faster. We shouldn’t have to go to 90 individual teams to beg them to do that! There should be customer advocates at AWS that see what we see, and are empowered to help make it happen
Read 6 tweets
Profile picture
Ben Kehoe
@ben11kehoe
Statelessness is not the critical property of #serverless compute, it's ephemerality. Being positively limited in duration means the provider can *transparently* manage the platform, no scheduled (or unscheduled, in Fargate's case) downtime needed.
Currently, most serverless compute is time-limited, run in response to fixed-size(-ish) events. But finite-input-limited compute is possible; this is AWS Batch's model.
Several acadamic papers, including the recent one from Berkeley, have equated serverless with existing FaaS models and complained of its inapplicability to big data processing. I think this is a failure of imagination.
Read 5 tweets

Related threads

Profile picture
Phoebe Kong 江穎怡
@phoebe_kongwy
#NOW #PolyUniversity - @hkpoliceforce urges protesters to surrender or they will arrest them by force including LETHAL FORCE. Police warns protesters "Time is running out" as they have been tolerated by the society for long. #HongKongProstests #HongKong #HongKongPolice
Meanwhile on telegram channel, #PolyU protesters vow to defend the campus until the very end - probably the last university stronghold - because they think it'll be almost impossible to reenter the campus if they retreat, which makes it harder to block cross harbour tunnel again.
#BREAKING #PolyU: @hkpoliceforce's armored trucks approached protesters and burning objects. One of them was then set ablaze by Molotov cocktails thrown by protesters. Literally frightening though it shall be put off very soon after it retreated. #HongKongProtests #HongKong
Read 12 tweets
Profile picture
Xinqi Su
@XinqiSu
#NOW in Tsim Sha Tsui, umbrella-holding protesters have occupied Salisbury Rd and walked into Nathan Road. Not a huge crowd but many are waiting along roads from TST pier.
Cantonese is difficult but not too difficult
@ Nathan Rd, Tsim Sha Tsui
Hold it tight when storm looms - protesting couples in #AntiMaskBan march in Tsim Sha Tsui.
Chan Ka-ming, a pro-democracy district council candidate, is chanting slogan at a TST station exit on Nathan Rd.
Read 34 tweets
Profile picture
Xinqi Su
@XinqiSu
#NOW in Causeway Bay, a small crowd, including members of the yellow-vest Guard The Children group, are standing in shade outside Sogo. Quite a number of reporters waiting nearby, for a march that's uncertain whether will take place.
While #CarrieLam televised her vid speech, protesters filled East Point Rd in Causeway Bay, many defying #MaskBan
#NOW protesters took to westbound lanes of Hennessy Rd in Causeway Bay
Read 12 tweets
Profile picture
Xinqi Su
@XinqiSu
#NOW in Tsim Sha Tsui , people are forming human chain that is set to extend along Nathan Road towards Jordan
Hold hands with @pepe , the spirit animal of #HongKongProtests , is the theme of tonight's human chain from Tsim Sha Tsui to Prince Edward Station.
Pepe in human chain : one with a broken but still illuminating heart, black bloc pepe, big pepe, hand drawn pepe.
Read 8 tweets
Profile picture
Michael McKenzie
@SegaJunkie
To celebrate the impending 10th anniversary of @GamesDoneQuick , I've taken the liberty of compiling a list of 100 of the best runs showcased throughout its history. I'll be adding one run to this thread every day until the 1st of January, which marks ten years to the day.
Some caveats:
* No, these aren't literally the best 100 runs. How do you even measure that? But they're all runs I think leave their impact on the event's history.
* Obviously I haven't picked any of my own runs - but there are some I commentated on, and felt privileged to do so.
* I've got at least one run in here from all 20 live events to date - CGDQ, all 9 editions of AGDQ and SGDQ, and last year's GDQx. No JRDQ or HRDQ, sorry!

Also I won't be adding anything from the upcoming GDQx, which is this weekend, but you obviously should watch that anyway!
Read 434 tweets
Profile picture
Coder4Liberty
@Coder4Liberty
Now that the Mueller report is out, there should be some clarification as to what it says about "hacking".
@tracybeanz
@RamsesGoat
@drawandstrike
@dekdarion
@realhublife
@dbongino
#MAGA
1) As a professional in the IT field, I find the information coupled with the conclusions in the report about this facet of the investigation to be woefully wrong. In this thread I'll go over it.
2) The word "appears" shows up many times in the sections referencing Russian cyber activity. The way it shows up doesn't show much confidence. No evidence or even a basic summary of the evidence for Russian "hacking" is ever provided.
Read 33 tweets

Trending hashtags

#NotreDame #FLAG #ReformaCuria #SQS #takes #PeñaParra #C6 #AntiMaskBan #S3 #Suecia #RodríguezMaradiaga #présidentielle2017 #ChristianPfeiffer #PolyUniversity #PederastiaEclesiástica #Whatever #PietroParolin #SNS #Enjoy #AsiaBibi #PR #NiUnaMás #McCarrick #taekook #KiriBaku
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!