I need to update access keys for some AWS users that have been created by Qovery.
The user names start with qovery-aws-iam-eks-user-mapper-, qovery-clustauto-, and qovery-logs-.
How can I edit the access keys for these users?
Thanks
Hi @Antoine_Prudhomme,
Today there is no way to update them, and as soon it’s “service accounts” it’s not a big deal. It’s planned to move to roles to avoid this issue and make it more secure, but no ETA yet.
How critical is this issue for you?
Thanks
Hello Pierre. We also have a security requirement to do this exact thing. We have about 30 days before it becomes an issue.
Ok, we’ll take a look then asap.
Hi Colin, Cc @a_carrano
Hi @colin,
FYI we have already started to work on it, you should see in the coming days IAM users moving to roles. We’ll keep you updated once everything is done.
Pierre
Hi @Antoine_Prudhomme and @colin,
The migration is almost over, we keep it running for some days to be sure everything is fine, and we’ll remove IAM users.
Pierre
Hi Pierre,
I’m still seeing the IAM users and they still appear to be active. Have they not been removed yet?
Hi Colin,
Yes, it’s normal until all our customers have moved to the new model with roles. Once all clusters are updated, then all users will be removed. This should be done in the coming days.
Pierre
Hello Pierre.
I noticed that most of the users have stopped being used, however there is still one user that appears to be active even after the upgrade: qovery-aws-iam-eks-user-mapper-{clusterid}.
Additionally, what is the recommended way to handle the other users? Is it safe to deactivate their access keys? Delete the users altogether?
Hi Colin,
The problem we have with this last one is that this open-source project we used to make the sync doesn’t support roles. We’re currently building a fresh one made by Qovery and will release it in July to definitively remove this last user. @Enzo is on it, I let him provide an update in July.
All other users will be automatically removed. Please do not delete them manually. In July, everything will be completely merged, and only roles will be used.
It took a little bit more time than expected; sorry for that.
Pierre
Hi Colin,
Tomorrow, I’ll make a release where all users but aws-iam-user-mapper will be removed. As I mentioned above, this last part takes time and should be released by the end of July. So tomorrow, if you try to redeploy your cluster, you’ll see 3 users removed as we already moved them to roles.
Pierre
Hi @colin !
Just to let you know I am starting to work on the last part, being aws-iam-user-mapper. I will give you updates here ASAP.
Cheers
Hi @colin !
FYI we are very close to shipping the missing piece to remove the last qovery user. Solution is currently under tests on our end and should land anytime soon (this week hopefully).
Cheers
Any updates? I’m still seeing the users in AWS.
Hello @colin,
Everything is ready on our side but we still need to perform a couple of tests to make sure everything is fine.
I am off this week and plan to release it on the 10th.
We can try to release on one of your clusters first if you want to test drive it (we will monitor it of course).
If so just let me know the ID of your cluster.
Cheers,
Hey @colin & @Antoine_Prudhomme,
Just to let you know the last user aka aws-iam-user-mapper has been removed in the current version. You can trigger a cluster update which will deploy the latest version and remove this user.
I can do it for you as well if you just give me your cluster IDs.
Cheers,
Benjamin
Hey Benjamin! Just tested it out on our dev cluster and it worked. Thanks for getting this update in!
-Colin