By Rajat Bhargava Posted May 14, 2014
A key problem for system administrators, IT ops, and DevOps teams is creating and managing user accounts across their infrastructure. This is an area we have spent a great deal of time on with our centralized user management capabilities. Running useradd or userdel on Linux servers you control is straightforward. But how do you create accounts automatically within third-party services? How do you trigger tasks that depend on a useradd or userdel having happened? You can create accounts on your own cloud instances, but if you also use AWS RDS or Redshift, nothing creates the matching accounts inside those services automatically. We have heard this specific challenge multiple times.
User Management AWS IAM Services
You might be thinking that if everything is in the cloud, AWS IAM has you covered. First and foremost, IAM does not manage database users. It controls who can launch or configure RDS or Redshift instances, but not who can log in to the database itself. (RDS has since added IAM database authentication for some engines, but even there the database user still has to be created inside the engine.) Nor does IAM create users inside your server instances: AWS provisions a default login account on each EC2 instance (for example, ec2-user on Amazon Linux), but it does not add or remove OS users through its web console. Second, not all of your servers and services may be in AWS. You may want to create user accounts on servers hosted internally or at a colocation facility and then leverage third-party services such as Amazon, Rackspace or SoftLayer. In short, AWS IAM is not a directory services replacement.
Automating Home Directory Creation
Taking automated action when a new user is added to your environment is critical. For example, you may want to place dot files (per-user login configuration files such as .profile or .bashrc) on each server where that user account has been created. Ideally this happens automatically, without anyone executing those tasks by hand. The benefit is that the accounts an individual needs are set up promptly, actions run reliably on every user add or delete, everything that happens is audited, and you save the time otherwise spent creating accounts or running scripts manually.
Automatically taking action after a user is created or removed is an incredibly powerful result of embedding server orchestration and user management in the same server management solution. JumpCloud’s Directory-as-a-Service® platform lets you manage your Linux SSH, Windows, and Mac user accounts from one central console. You can manage those users across cloud instances, physical servers, virtual instances, cloud or on-prem applications, and your WiFi access. JumpCloud® gives you a central place to manage privileged access. When you have RDS or Redshift, or you want a follow-up task to run after a useradd or userdel, that is where JumpCloud’s user management capabilities come in. JumpCloud also lets you execute scripts or commands across your server infrastructure, either ad hoc or on a schedule. It is a powerful set of choices for automating your infrastructure.
Consider the simple example of creating a database user on an RDS MySQL instance as soon as a user is added to a dedicated micro instance in your cloud:
- Create a micro instance in a part of your cloud that has access to your RDS instance.
- Install the JumpCloud agent on the instance.
- Place your micro instance into its own tag, for example, “MySQL RDS Users”.
- Create a script that executes a CREATE USER statement, followed by the GRANT statements for whatever access that user should have.
- Copy and paste that script into a JumpCloud command, and set it to launch on the user add event against the “MySQL RDS Users” tag.
Now, any JumpCloud system user you add to the “MySQL RDS Users” tag will be automatically added to your RDS MySQL instance. You can just as easily create a script to run on user delete, so that users (and their grants) are removed from the database when they are removed from the “MySQL RDS Users” tag.
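The script the procedure above refers to, written out as an added example (this is not JumpCloud's or AWS's own code). It assumes the JumpCloud command passes the action (add or del) and the system username as arguments, since the post does not say how the event supplies them; that the RDS admin credentials sit in a MySQL option file at /etc/rds-admin.cnf (mode 0600) rather than on the command line; and that application clients connect from 10.0.0.0/16, so grants are scoped to '10.0.%' instead of '%'. All three are assumptions. The username is validated before it is spliced into SQL, because CREATE USER and GRANT cannot be parameterized and a crafted account name would otherwise become a SQL injection vector.

```bash
#!/bin/sh
# Added example, not JumpCloud's or AWS's own code. Builds and runs the MySQL
# statements that provision or remove a database user when a system user is
# added to or removed from the tagged instance.
#
# Assumptions (none of these come from the original post):
#   - the triggering command passes the action (add|del) as $1 and the
#     system username as $2;
#   - the RDS admin credentials live in an option file, /etc/rds-admin.cnf
#     (mode 0600, a [client] section with host/user/password), so they never
#     appear on the command line or in the captured command output;
#   - application clients connect from 10.0.0.0/16, so grants are scoped to
#     '10.0.%' rather than '%'.
set -eu

ADMIN_CNF="${ADMIN_CNF:-/etc/rds-admin.cnf}"
DB_SCHEMA="${DB_SCHEMA:-appdb}"
CLIENT_HOST="${CLIENT_HOST:-10.0.%}"

# Names are spliced into SQL, so restrict them to a safe character set:
# lowercase letters, digits and underscore, not starting with a digit, at most
# 16 characters (the MySQL user name limit before 5.7.8).
valid_identifier() {
  case "$1" in
    ''|[0-9]*|*[!a-z0-9_]*) return 1 ;;
  esac
  [ "${#1}" -le 16 ]
}

# 24 random alphanumeric characters (~143 bits) for the initial DB password.
random_password() {
  head -c 64 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-24
}

# SQL for a user add: least-privilege grants on one schema from one subnet,
# rather than GRANT ALL PRIVILEGES ON *.* TO 'user'@'%'.
create_user_sql() {
  local user="$1" password="$2" schema="$3" host="$4"
  cat <<EOF
CREATE USER '${user}'@'${host}' IDENTIFIED BY '${password}';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`${schema}\`.* TO '${user}'@'${host}';
FLUSH PRIVILEGES;
EOF
}

# SQL for a user delete. DROP USER removes the account's grants with it;
# "DROP USER IF EXISTS" is only available on MySQL 5.7.8 and later.
drop_user_sql() {
  local user="$1" host="$2"
  cat <<EOF
DROP USER '${user}'@'${host}';
FLUSH PRIVILEGES;
EOF
}

# Run the statements against RDS, reading credentials from the option file.
run_sql() {
  mysql --defaults-extra-file="$ADMIN_CNF"
}

provision_db_user() {
  local action="$1" user="$2" pw
  valid_identifier "$user" || { echo "refusing unsafe username: $user" >&2; return 1; }
  valid_identifier "$DB_SCHEMA" || { echo "refusing unsafe schema: $DB_SCHEMA" >&2; return 1; }
  case "$action" in
    add)
      pw="$(random_password)"
      create_user_sql "$user" "$pw" "$DB_SCHEMA" "$CLIENT_HOST" | run_sql
      # Printed once so it lands in the command's captured output; hand it to
      # the user out of band and have them change it on first login.
      echo "created '${user}'@'${CLIENT_HOST}' on ${DB_SCHEMA}; initial password: ${pw}"
      ;;
    del)
      drop_user_sql "$user" "$CLIENT_HOST" | run_sql
      echo "dropped '${user}'@'${CLIENT_HOST}'"
      ;;
    *)
      echo "usage: $0 add|del <username>" >&2; return 2
      ;;
  esac
}

# Entry point for the JumpCloud command, e.g. "provision_db_user add alice".
# With no arguments only the functions are defined, which keeps them testable.
if [ "$#" -ge 2 ]; then
  provision_db_user "$@"
fi
```

The delete path is the mirror image of the add path and can be pasted into a second JumpCloud command bound to the user delete event. If several schemas or more granular privileges are needed, extend create_user_sql rather than widening the grant to *.*; the validation step should stay in front of every statement that interpolates a name.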
It’s quick and easy to do this because we’ve built all of the plumbing and infrastructure around it. Drop us a line if you are interested in learning more about our virtual identity provider; we’d be happy to walk you through how it works and figure out whether it can help you.