As dedicated and learned Aiven users, you surely know about our Accounts and Teams features to manage users spread out between projects and/or departments. What you may not know is one deceptively simple way that you can use Aiven accounts to manage a team.
If you have a Sales or Marketing background then you likely already know about the concept of
Shared Inboxes, but they are not so common among professions that are not customer-facing.
You have a team that is scaling up their Aiven usage and passing around the API token you created when you started your trial is no longer sufficient. Not a problem, all developers can (and should) create their own tokens. Still a problem: what about your automated builds and deploys? What about your Terraform scripts?
From startup to SME to Corporate Monolith, it is likely you are not using mailinabox to handle your company emails. So, let's go through this example with G Suite for Business.
Aiven has support for Accounts and Teams (which you may already be using); this functionality gives you the flexibility to structure your access in ways that best fit your organisation. In this possible solution, we will have an
Account for each department
BI) within Aiven and then
Projects within those.
In the Backend team, Travis CI is used to run the builds of their code and Terraform is used to deploy. Before this stage of enlightenment, they had been using Jan's Aiven API token. But Fred created a test project that Jan was not granted access to; which led to all builds failing and deployment to Fred's Dev environment being rejected.
In an emergency meeting, they decided they needed to create a new Aiven account without a person attached to it. They already used email@example.com as an internal shared inbox for all those in the Backend team, so they created an Aiven account with this email.
In your Google Admin Console, you will see a section called
Groups. In here you (or an Admin) can create a new Group for your user and add the users in your organisation to it.
2. Invite Your User
Within the Aiven Console, we would go to our Backend Account and then to the Team called
Account Owners. This Team has admin rights over all projects within the Account so access will not be a problem.
N.B. Your Service User could be added as an Administrator of a single Project or in a new Team that has access to a subset of Projects; you can configure this as you like.
Both Fred and Jan have access to this shared email, so they can confirm the invite, set a password and then create tokens for use with the tools within their development pipeline.
Tip: This should be a one-to-one mapping. One token should be used for one tool/service and the token should be deleted as soon as that tool is no longer in use.
In the Web Console, we can do create tokens by navigating to the user profile (the User icon in the top right) and then to "Authentication".
You are ready now, Ecocorp can configure their Travis jobs to use the new token and their pipeline is separated from a single user account; which means Jan can take a vacation without fearing an email about failed jobs or bad access rights.
We should point out that, while this is a useful solution, it does introduce its own security risks (such as multiple people having access to a single account, it is not so easy to maintain an audit log of who is responsible for certain actions) and these should be considered before choosing this approach.
Have you implemented this functionality in a different way? Perhaps you are using your SAML integration instead of a shared inbox? We would love to hear how you are using Aiven so drop us an email for a chat!
For more support articles please see our Support page or contact us at firstname.lastname@example.org