
AWS Identity and Access Management

Should we switch from IAM users to IAM federated (temporary) users?

Pros:

  • we won't have 50 bazillion stale users piling up in our IAM console view over time
  • if the credentials do slip out, they are useless after one day

Cons:

  • it doesn't save any work; we still need to cache the credentials in Crowd
  • it adds a little complexity, in that we have to check the expiry time on the cached credentials to decide whether we need to get new ones for the user
  • we still need to handle the case of the same federated user on two stacks
  • it will likely exacerbate the propagation delay issue, because instead of a user hitting it once for all time, they could hit it once per day (every time fresh credentials are issued)

Questions:

  • assuming the propagation delay issue remains
  • the name length restriction on federation tokens looks like it may be too short for an email address
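The expiry check on the cache (second con) and the name length question above, as an added example that is not from this page or from the Crowd integration it discusses. It assumes an injected `issue` callable returning a dict shaped like the `Credentials` element of an STS GetFederationToken response; in production that would wrap boto3's `sts.get_federation_token(Name=..., DurationSeconds=...)`, and the 2-32 character limit is the documented bound on that call's `Name` parameter.

```python
"""Per-user cache of federated (temporary) AWS credentials with an expiry check.

Added example. `issue` is assumed to return a dict with AccessKeyId,
SecretAccessKey, SessionToken and a timezone-aware Expiration datetime,
i.e. the Credentials element returned by STS GetFederationToken.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# GetFederationToken's Name parameter is limited to 2..32 characters,
# which many e-mail addresses exceed, so validate before spending a call.
NAME_MIN, NAME_MAX = 2, 32


def check_federation_name(name: str) -> None:
    """Reject names STS would refuse (length check only)."""
    if not NAME_MIN <= len(name) <= NAME_MAX:
        raise ValueError(
            f"federation name {name!r} must be {NAME_MIN}-{NAME_MAX} chars, got {len(name)}"
        )


class FederatedCredentialCache:
    """Caches temporary credentials per user and refreshes them early.

    `margin` is a safety window: credentials closer than this to their
    Expiration are treated as stale, so a caller never receives a key
    that dies in the middle of a request. `now` is injectable for tests.
    """

    def __init__(self, issue: Callable[[str], Dict],
                 margin: timedelta = timedelta(minutes=5),
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._issue = issue
        self._margin = margin
        self._now = now
        self._cache: Dict[str, Dict] = {}
        self.issued = 0  # upstream calls made; useful for spotting refresh storms

    def _fresh(self, creds: Optional[Dict]) -> bool:
        return creds is not None and creds["Expiration"] - self._now() > self._margin

    def get(self, user: str) -> Dict:
        """Return usable credentials for `user`, issuing new ones only when needed."""
        creds = self._cache.get(user)
        if not self._fresh(creds):
            check_federation_name(user)
            creds = self._issue(user)
            self.issued += 1
            self._cache[user] = creds
        return creds
```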