Introducing the Chef Automate Identity & Access Management Version Two (IAM v2) Beta

Chef Automate is the DevOps dashboard for Chef-managed infrastructure, compliance, and applications, with scalable data ingest for fleets of more than 100,000 nodes. Our large enterprise customers already use Chef Automate to provide actionable analytics and insights to hundreds of their teams. To enhance security of Chef Automate at scale, we’re adding role and project-scoped access control to IAM v2, the next major version of the IAM system in Chef Automate. We’re excited to announce the availability of IAM v2 Beta1—the first of two IAM v2 beta milestones—with support for IAM roles and enhanced IAM policies!

IAM v2 Beta1: Role-based access control

IAM v2 Beta1 builds on our existing LDAP and SAML integrations, introducing enhanced multi-statement IAM policies and role-based access control (RBAC) with a set of built-in IAM roles that simplify typical security configurations.


We provide several built-in IAM roles, including owner, editor, viewer, and ingest. An IAM role is a named list of actions that can be performed in Chef Automate. An IAM policy statement references a role to allow or deny the actions that role contains, so a policy that grants only the viewer role cannot create or change resources, no matter who its members are. The beta lets you manage IAM policy membership through the user interface in addition to the REST API, giving you control over who has access to which actions. As before, IAM policy members can include LDAP/SAML users and groups as well as local users, teams, and API tokens.

Custom IAM roles are also supported via the REST API. They can be composed from more than 130 individual IAM actions, which we broke out to support fine-grained access control and delegation of specific responsibilities, so a custom role can grant exactly the actions a team needs and nothing more.

IAM v2 Beta2: Project-scoped access control

The second stage of our IAM v2 beta adds IAM projects, which work in conjunction with IAM roles to provide role and project-scoped access control in Chef Automate.

IAM projects are collections of resources that have been created in Chef Automate or ingested from external data providers, including Chef and InSpec. IAM projects are used in IAM policies to narrow the scope of permissions to the resources in a given project: for example, to allow the editor role on project9, or to allow the viewer role on project5. The same member can therefore hold different roles in different projects. We’re also introducing a new project admin role so that company-wide admins can easily delegate project management responsibilities.
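To make the role, policy, and project concepts from the two sections above concrete, here is a small evaluator that models them. It is an added illustration written for this page, not Chef Automate's IAM engine, its policy format, or its real action names: the action identifiers, the principals, the policies, and the rule that an explicit deny overrides any allow are all assumptions made for the example (default deny, allow if some matching statement allows and none denies).

```python
"""Illustrative evaluator for role- and project-scoped IAM policies.

Hypothetical model of the concepts in the post: roles as named lists of
actions, multi-statement allow/deny policies with members, and projects that
narrow a statement's scope. Not Chef Automate's IAM engine, policy format, or
real action names; deny-overrides-allow is an assumption made here.
"""
from dataclasses import dataclass, field

# Hypothetical action identifiers grouped into the built-in roles the post
# names. A role is just a named set of actions.
ROLES = {
    "viewer": {"compliance:profiles:get", "infra:nodes:get"},
    "ingest": {"infra:ingest:nodes"},
}
ROLES["editor"] = ROLES["viewer"] | {"compliance:profiles:create",
                                     "infra:nodes:update"}
ROLES["owner"] = ROLES["editor"] | ROLES["ingest"] | {"iam:policies:update"}


@dataclass(frozen=True)
class Statement:
    effect: str                              # "allow" or "deny"
    role: str                                # named action list it covers
    projects: frozenset = frozenset({"*"})   # "*" means every project


@dataclass
class Policy:
    name: str
    members: set                             # user, team, or API token ids
    statements: list = field(default_factory=list)


def statement_matches(stmt, action, project):
    """True if the statement covers this action in this project."""
    if stmt.effect not in ("allow", "deny"):
        raise ValueError(f"bad effect {stmt.effect!r} in statement")
    if action not in ROLES[stmt.role]:
        return False
    return "*" in stmt.projects or project in stmt.projects


def is_allowed(policies, principal, action, project):
    """Evaluate every policy the principal is a member of.

    principal is the set of identifiers a request carries (the user plus
    every team it belongs to, or a single API token). Default is deny: the
    action is allowed only if a matching statement allows it and no matching
    statement denies it (assumed deny-overrides-allow semantics).
    """
    allowed = False
    for policy in policies:
        if policy.members.isdisjoint(principal):
            continue                 # principal is not a member of this policy
        for stmt in policy.statements:
            if not statement_matches(stmt, action, project):
                continue
            if stmt.effect == "deny":
                return False         # explicit deny wins, stop evaluating
            allowed = True
    return allowed


# Constructed sample data (not real users, teams, or projects).
PRINCIPALS = {
    "alice": {"user:local:alice", "team:local:alpha"},   # alice via her team
    "bob": {"user:local:bob"},
    "ci-token": {"token:ci-ingest"},                      # an API token member
}

POLICIES = [
    # The post's own example: editor on project9, viewer on project5.
    Policy("alpha-team-access", {"team:local:alpha"}, [
        Statement("allow", "editor", frozenset({"project9"})),
        Statement("allow", "viewer", frozenset({"project5"})),
    ]),
    # bob is an owner in every project ...
    Policy("bob-owner", {"user:local:bob"}, [Statement("allow", "owner")]),
    # ... but a second policy explicitly denies him the ingest actions.
    Policy("no-interactive-ingest", {"user:local:bob"},
           [Statement("deny", "ingest")]),
    # The CI token may only ingest, in any project.
    Policy("ci-ingest-only", {"token:ci-ingest"},
           [Statement("allow", "ingest")]),
]


def check(who, action, project):
    """Convenience wrapper over the constructed sample data above."""
    return is_allowed(POLICIES, PRINCIPALS[who], action, project)


if __name__ == "__main__":
    for who, action, project in [
        ("alice", "compliance:profiles:create", "project9"),  # editor there
        ("alice", "compliance:profiles:create", "project5"),  # only viewer
        ("alice", "infra:ingest:nodes", "project9"),          # nothing grants it
        ("bob", "infra:nodes:update", "project5"),            # owner everywhere
        ("bob", "infra:ingest:nodes", "project9"),            # deny overrides
        ("ci-token", "infra:ingest:nodes", "project5"),       # token may ingest
    ]:
        print(f"{who:9} {action:28} {project:9} -> {check(who, action, project)}")
```

The two details worth noticing are that membership is evaluated against the whole principal (a user inherits the policies of every team it belongs to, which is how LDAP/SAML group mappings take effect), and that a deny statement in one policy cannot be undone by an allow in another, which is what makes a separate "deny ingest" policy a reliable guardrail even for owners.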

Simple and easy-to-use at scale

The result we’re after is a simple and easy-to-use role- and scope-based IAM system that also supports fine-grained access control and scales to 100,000+ nodes and hundreds of projects. We’d love your feedback, so please join the beta program and help us ensure it meets your needs!

Learn more

For more information about the IAM v2 Beta1 release, be sure to check out the release notes and the IAM v2 Beta Users Guide, and let your account team know you’d like to participate in the beta program!

To provide pre-release feedback on the new IAM projects functionality we’re currently building for IAM v2 Beta2, please contact your account team.

Phil Prasek

Phil is a Principal Product Manager at Chef, working on Chef Automate and Habitat out of Chef HQ in Seattle. He has spent 20 years in product, strategy, and engineering roles building new products at startups and large enterprises with a focus on application and infrastructure automation.