Yeah. I was thinking kind of like how it works in Prometheus where you can specify a label and query for it, etc. Like I said, a nice to have, but not a dealbreaker. We're just going to name the services appropriately for each environment, since we're planning to use it across multiple accounts.
I was putting together some changes to PR eventually once I'm done implementing Confidant. I noticed when you hit the app after being redirected from SAML and you're not on the whitelist, you just get an empty looking app. It looks like it aborts with a 403 in code, but no message pops up, and it also doesn't show the user's e-mail address at the top right.
Hello... me again. I'm trying to use confidant in a pod to pull some test credentials, and I'm getting the following error:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:sts::xxxx:assumed-role/k8s-sbxxxx/botocore-session-1594743099 is not authorized to perform: iam:GetUser on resource: user botocore-session-1594743099
We're not using confidant to manage grants as we plan on using it across multiple accounts and trusting that other account to manage its IAM is acceptable, since we manage that too. I don't recall any documentation that says your service needs permissions to perform iam:GetUser, so I'm just confused as to why I'm getting that error. I went on and allowed iam:GetUser, and I now get:
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the GetUser operation: Must specify userName when calling with non-User credentials
Am I doing something daft?
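The two errors in the post above are what iam:GetUser does when the caller is not an IAM user: without a UserName it only works for user credentials, so an assumed role (the arn:aws:sts::...:assumed-role/... principal a pod gets) first hits AccessDenied and then, once allowed, the ValidationError. The following is an added example, not Confidant's own client code, showing the check a practitioner would do first: sts:GetCallerIdentity needs no IAM permission and returns an ARN for any credential type, and parsing that ARN tells you whether GetUser can be called at all and which name (user name, role name, session name) you have to work with instead. The sample ARNs are constructed; the account id 123456789012 is a placeholder and the helper names are my own.

```python
"""Decide, from the caller-identity ARN, whether iam:GetUser is usable.

Added example (not from the Confidant project). It assumes only the public
behaviour of STS GetCallerIdentity and the documented ARN shapes of IAM
principals. The boto3 path is optional so the parsing runs offline.
"""
import re

# Generic ARN shape for IAM/STS principals: the account field may be empty for
# some partitions/tools, so we allow it. The resource part is what matters.
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>iam|sts)::(?P<account>[^:]*):(?P<resource>.+)$"
)

# Constructed sample ARNs. The first mirrors the shape from the error in the
# post above (account id replaced with a placeholder); the rest are the other
# principal kinds GetCallerIdentity can return.
SAMPLE_ARNS = {
    "pod": "arn:aws:sts::123456789012:assumed-role/k8s-sbxxxx/botocore-session-1594743099",
    "user": "arn:aws:iam::123456789012:user/path/alice",
    "root": "arn:aws:iam::123456789012:root",
    "federated": "arn:aws:sts::123456789012:federated-user/bob",
}


def classify_principal(arn):
    """Return (principal_type, name, session_name) for a caller-identity ARN.

    principal_type is one of "user", "assumed-role", "root", "federated-user"
    or "other". name is the IAM user name, the role name, or the federated
    user name; session_name is only set for assumed roles.
    """
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError("not an IAM/STS principal ARN: %r" % (arn,))
    parts = m.group("resource").split("/")
    kind = parts[0]
    if kind == "user":
        # IAM users may carry a path (user/path/name); the name is the last segment.
        return ("user", parts[-1], None)
    if kind == "assumed-role" and len(parts) == 3:
        # assumed-role/<role-name>/<session-name>
        return ("assumed-role", parts[1], parts[2])
    if kind == "root":
        return ("root", None, None)
    if kind == "federated-user":
        return ("federated-user", parts[-1], None)
    return ("other", m.group("resource"), None)


def can_call_get_user_without_name(arn):
    """iam:GetUser with no UserName only succeeds for IAM user credentials.

    Any other principal type gets the "Must specify userName when calling with
    non-User credentials" ValidationError (or AccessDenied before that), so
    callers should branch on this instead of retrying with more permissions.
    """
    return classify_principal(arn)[0] == "user"


def caller_label(arn):
    """A human-readable label for whoever holds the credentials.

    Hypothetical helper: what you would use in place of the IAM user name when
    the caller is a role. For assumed roles the session name is usually the
    more specific identifier (here a botocore-generated one).
    """
    kind, name, session = classify_principal(arn)
    if kind == "user":
        return name
    if kind == "assumed-role":
        return "%s/%s" % (name, session)
    if kind == "root":
        return "root"
    return name or kind


def describe_live_caller(session=None):
    """Optional online path: look up the real caller with boto3 if available.

    Returns the same tuple as classify_principal, or None when boto3 is not
    installed. GetCallerIdentity requires no IAM permission at all.
    """
    try:
        import boto3
    except ImportError:
        return None
    sts = (session or boto3).client("sts")
    return classify_principal(sts.get_caller_identity()["Arn"])


if __name__ == "__main__":
    for label, arn in SAMPLE_ARNS.items():
        print(label, classify_principal(arn), can_call_get_user_without_name(arn))
```

Run it as-is to see the classification of the sample ARNs; in a pod, `describe_live_caller()` replaces the constructed input with the real STS response. The point of the branch is that granting iam:GetUser to a role cannot make the call work, so the fix lives on the client side (use the role or session name), not in the IAM policy.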