Ebbflow's IAM system is simple. It uses role-based access control to determine which authenticated identities can take which actions. There are some simple concepts involved:
Policies are applied to either Roles or Identities. For an identity to take an action, it must have policies that expressly allow the action to take place on the targeted resource, AND there must not be any policies applied that forbid the action from being taken.
- hosting:HostEndpoint: the Endpoint resource
- hosting:HostSshTarget: the SSH target resource
- ssh:SshToTarget: the SSH target resource
Policies are what dictate what actions can be taken by identities, on resources. For example, a Host Key identity may try to take the action of hosting:HostEndpoint on resource ern:ebb:hosting:ACCTID:endpoint/example.com. For this to be allowed, there must be a policy that allows this, and no policy that denies it.
Ebbflow provides Managed Policies that you can attach to your identities and roles. These typically provide general permissions for you to get started with. You can view these policies in the IAM console.
Policies are written in .yaml and have three components:
- effect (Allow or Deny): Does this policy grant the action on the resource, or deny it?
- action: the action the policy applies to. Every action is classified as either Read or Write, and you can specify this general classification in your policies instead of a specific action.
- resource: the resource the action targets.
In Ebbflow, the following actions exist and have corresponding resources:

| Action | Resource | Classification | Description |
| hosting:HostEndpoint | Endpoint | Write | The act of hosting an endpoint. The ebbflow client does this for its configured endpoints. This applies to Host Key identities. |
| hosting:HostSshTarget | SSH target | Write | The act of hosting an SSH target of the hostname |
| ssh:SshToTarget | SSH target | Write | SSH to a target host. This applies to SSH Key identities. |
Currently, there is no API interface for Ebbflow and therefore only these actions exist.
---
effect: Allow
action: hosting:HostEndpoint
resource: ern:ebb:hosting:ACCOUNTID:endpoint/example.com

---
effect: Deny
action: hosting:HostSshTarget
resource: "*"
NOTE: As of now, there are no Read APIs, but they may be added in the future.
---
effect: Allow
action: Read
resource: "*"

---
effect: Deny
action: Write
resource: "*"
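The evaluation rule described above (an action is permitted only when some policy expressly allows it AND no policy denies it, with Read/Write usable as a general classification) is illustrated by the following small evaluator. This is an added example, not Ebbflow's own code; policies are constructed as dicts mirroring the YAML keys, and it assumes that "*" is the only resource wildcard and matches any resource.

```python
# Added illustration of the allow-AND-no-deny evaluation described on this page.
# Not Ebbflow's implementation; policy documents are dicts with the YAML keys.

# Read/Write classification of each action, as listed in the action table.
ACTION_CLASS = {
    "hosting:HostEndpoint": "Write",
    "hosting:HostSshTarget": "Write",
    "ssh:SshToTarget": "Write",
}

def _action_matches(policy_action, action):
    # A policy may name a specific action or its general classification.
    if policy_action == action:
        return True
    return policy_action in ("Read", "Write") and ACTION_CLASS.get(action) == policy_action

def _resource_matches(policy_resource, resource):
    # Assumption: "*" matches any resource; anything else must match exactly.
    return policy_resource == "*" or policy_resource == resource

def is_allowed(policies, action, resource):
    """True iff at least one Allow policy matches and no Deny policy matches."""
    if action not in ACTION_CLASS:
        raise ValueError(f"unknown action: {action}")
    allowed = denied = False
    for p in policies:
        if not (_action_matches(p["action"], action)
                and _resource_matches(p["resource"], resource)):
            continue
        if p["effect"] == "Allow":
            allowed = True
        elif p["effect"] == "Deny":
            denied = True  # a single matching Deny overrides every Allow
        else:
            raise ValueError(f"unknown effect: {p['effect']}")
    return allowed and not denied

# Constructed sample: the policies shown above, attached to one identity.
SAMPLE_POLICIES = [
    {"effect": "Allow", "action": "hosting:HostEndpoint",
     "resource": "ern:ebb:hosting:ACCOUNTID:endpoint/example.com"},
    {"effect": "Deny", "action": "hosting:HostSshTarget", "resource": "*"},
    {"effect": "Allow", "action": "Read", "resource": "*"},
]

if __name__ == "__main__":
    ep = "ern:ebb:hosting:ACCOUNTID:endpoint/example.com"
    print(is_allowed(SAMPLE_POLICIES, "hosting:HostEndpoint", ep))  # True
    print(is_allowed(SAMPLE_POLICIES, "hosting:HostSshTarget", ep))  # False
```

Adding an "Allow Write on *" policy to the sample would permit ssh:SshToTarget but still not hosting:HostSshTarget, because the explicit Deny wins.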
Identities have types, and as of now, there are two: Host Keys and SSH Keys. Host keys are used by the client to authenticate with Ebbflow, and are used for actions such as
SSH keys are uploaded by you. When you use Ebbflow as an SSH proxy, we authenticate your key, and then check that you have policies allowing you to take the action of ssh:SshToTarget on the target host, for example
Host keys are provisioned by using the ebbflow init command, or they can be created in the IAM Console and then later provided to the client by executing ebbflow init -n with the EBB_KEY environment variable set. Please see the client documentation for more information on that.