Do you have bots in your stack?
How do you assign permissions to a bot?
Bots in the context of your cloud ops
Let me explain. Say you use Jenkins for your CI/CD pipelines: how does Jenkins clone new code from the code repository?
Or how does your Slack channel receive alerts from an app?
Sometimes you need bots in your stack, but here’s the challenge: what permissions does a bot get?
Let’s start with naming your bot
A good practice is to name the bot as what it’s supposed to do, for example:
- bot-jenkins
- bot-slack
- bot-s3-read-only
- etc.
You get the point: start the name with bot so other people won’t confuse it with a regular user account.
What about naming policies?
I use the same naming convention for permissions and policies; it’s much easier to manage something when its name tells you what it is and what it does.
Keys or Roles?
I prefer using Roles; that’s better than putting a secret somewhere and not knowing who uses it.
But there may be situations where you’ll need keys, for example if you need to rsync files from a remote server at a different cloud vendor; then Roles are not an option. Just make sure those keys have exactly the permissions the task needs.
Once the task is done, deactivate the keys.
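The naming convention above and the "exact permissions for the task, then deactivate the keys" rule are easy to state and easy to drift from. Below is an added example (not code from the original post) of a small Python lint that applies both: it checks that an identity name follows the bot-<purpose> convention, flags Allow statements that use wildcard actions or resources, answers "would this policy let the bot do X on Y?" for a given action and ARN, and lists access keys that are still active past a maximum age. It assumes AWS-style IAM policy documents; the policy documents, bucket name, key ids and dates are constructed sample data, and the evaluator is a simplified Allow-only matcher (no Deny, no Conditions).

```python
"""Lint bot identities, policies and keys against the bot conventions described above.

Added example, not the original post's code. Assumes AWS-style IAM policy documents.
All bot names, policies, bucket names, key ids and timestamps are constructed samples.
"""
import fnmatch
import json
from datetime import datetime, timedelta, timezone

BOT_PREFIX = "bot-"

# Constructed sample: the least-privilege policy a bot named bot-s3-read-only should carry.
# Read actions only, scoped to one (hypothetical) bucket and its objects.
S3_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BotS3ReadOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-artifacts",
                "arn:aws:s3:::example-artifacts/*",
            ],
        }
    ],
}

# Constructed sample of what not to ship: a bot that can do anything on any resource.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample key inventory (ids are placeholders, not real access keys).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"id": "AKIA_EXAMPLE_RSYNC", "user": "bot-rsync-backups", "status": "Active",
     "created": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"id": "AKIA_EXAMPLE_FRESH", "user": "bot-slack", "status": "Active",
     "created": datetime(2024, 2, 20, tzinfo=timezone.utc)},
    {"id": "AKIA_EXAMPLE_RETIRED", "user": "bot-jenkins", "status": "Inactive",
     "created": datetime(2023, 6, 1, tzinfo=timezone.utc)},
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_bot_name(name):
    """True when an identity name follows the bot-<purpose> convention."""
    return name.startswith(BOT_PREFIX) and len(name) > len(BOT_PREFIX)


def lint_policy(policy):
    """Findings for Allow statements broader than a single task should need."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource '*'")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything except the listed items")
    return findings


def policy_allows(policy, action, resource):
    """Simplified evaluator: does any Allow statement match both the action and the resource ARN?"""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            return True
    return False


def stale_keys(keys, now, max_age=timedelta(days=30)):
    """Ids of keys that are still Active but older than max_age: candidates to deactivate."""
    return [k["id"] for k in keys if k["status"] == "Active" and now - k["created"] > max_age]


def review_bot(name, policy):
    """One report per bot: naming check plus policy findings."""
    return {"name": name, "name_ok": check_bot_name(name), "findings": lint_policy(policy)}


if __name__ == "__main__":
    for bot, doc in [("bot-s3-read-only", S3_READ_ONLY_POLICY), ("deploy-user", OVERBROAD_POLICY)]:
        print(json.dumps(review_bot(bot, doc), indent=2))
    print("keys to deactivate:", stale_keys(SAMPLE_KEYS, NOW))
```

Run it as a script to see the two reports and the stale-key list; in practice you would feed it the policy documents and key inventory exported from your cloud account instead of the constructed samples. The wildcard and NotAction checks are deliberately strict: a bot with a single task rarely needs either.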
Summary
Bots are part of your stack, so give each one exactly the permissions its specific task needs.