When your infrastructure grows and many employees from different teams need specific database permissions, it becomes challenging to keep the process smooth and to make sure everyone gets the permissions they need on time.
At Anghami, we have many databases, and since the number of staff is growing, it’s a bit challenging to keep track of all the users’ permissions and make sure everyone has the right ones.
From our infrastructure perspective, we use AWS Cloud, and for databases, we use RDS.
And since GitOps is our go-to approach for any DevOps requirement, we needed to make the database permissions process as smooth as possible.
To tackle this, we use AWS IAM database authentication internally, which lets us easily grant IAM users the database permissions they need. To fit this into our GitOps approach, we use Terraform to authorize our users to access all our databases without using any passwords. Everything is based on their AWS token and the permissions we grant them.
For example, let’s say a user wants to have READ and UPDATE access to a single database inside RDS, and to a specific table. We provide a YAML file inside Terraform, which we then convert to the required permissions, using several modules and infrastructure as code best practices.
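To make the conversion concrete, here is an added sketch (not Anghami's code or Terraform modules) that turns one such request into the two things IAM database authentication needs: an `rds-db:connect` policy scoped to a single database user, and table-level grants. It assumes a MySQL engine, maps READ to `SELECT`, and uses hypothetical field names with placeholder account, region and resource IDs; the request is shown as the already-parsed form of the YAML.

```python
import json
import re

# Constructed sample: parsed form of a hypothetical YAML permission request.
# Field names and values are placeholders, not Anghami's schema.
REQUEST = {
    "iam_user": "jane.doe",
    "db_user": "jane_doe",
    "grants": [{"database": "catalog", "table": "tracks",
                "privileges": ["SELECT", "UPDATE"]}],
}
ALLOWED = {"SELECT", "INSERT", "UPDATE", "DELETE"}   # no ALL, no GRANT OPTION
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}")   # no wildcards, no quoting tricks


def ident(value):
    """Return value unchanged if it is a plain identifier, else raise ValueError."""
    if not isinstance(value, str) or not IDENT.fullmatch(value):
        raise ValueError(f"unsafe identifier: {value!r}")
    return value


def connect_policy(request, region, account_id, dbi_resource_id):
    """IAM policy that allows an auth token for exactly one database user."""
    arn = (f"arn:aws:rds-db:{region}:{account_id}:dbuser:"
           f"{dbi_resource_id}/{ident(request['db_user'])}")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "rds-db:connect",
                           "Resource": arn}]}


def grant_statements(request):
    """MySQL statements: an IAM-authenticated user plus table-scoped grants."""
    user = ident(request["db_user"])
    sql = [f"CREATE USER IF NOT EXISTS '{user}'@'%' "
           "IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';"]
    for g in request["grants"]:
        privs = [p.upper() for p in g["privileges"]]
        bad = sorted(set(privs) - ALLOWED)
        if not privs or bad:
            raise ValueError(f"privileges not allowed: {bad or 'none listed'}")
        target = f"`{ident(g['database'])}`.`{ident(g['table'])}`"
        sql.append(f"GRANT {', '.join(privs)} ON {target} TO '{user}'@'%';")
    return sql


if __name__ == "__main__":
    policy = connect_policy(REQUEST, "us-east-1", "123456789012", "db-EXAMPLERESOURCEID")
    print(json.dumps(policy, indent=2))
    print("\n".join(grant_statements(REQUEST)))
```

Running the same validation as a check on the pull request rejects a request for `ALL` privileges or a wildcard table before an admin ever has to review it.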
Here is a flow diagram to better understand how the process works.
Benefits
Here are some of the benefits of implementing this approach for user database authorization:
- Helps you have a clear vision of all user permissions.
- Developers can open PRs (GitOps) for the permissions they need, and the admin can easily accept or reject them.
- Users can have more specific access to a certain database and table.
- You can easily implement the same permissions to any database by applying just one YAML file.
- Users don’t need to save any passwords or manage credentials.
Finally, combining GitOps approaches with IAM database authentication helped us to make the permissions process faster, smoother, and more transparent between the teams, thus improving our daily DevOps tasks.