Dynamic Configuration
Last updated 3 years ago


ConsoleMe's dynamic configuration endpoint (https://your-consoleme-url/config) allows administrators to make changes that are picked up by all running ConsoleMe instances and Celery hosts within 60 seconds.

This configuration is stored as a compressed YAML file in DynamoDB. It is versioned: each version records the user who last updated it, when it was updated, and the compressed form of the configuration itself.

The namespace of ConsoleMe's dynamic configuration is separate from that of the static configuration (examples of the static configuration are here). This ensures that you won't accidentally overwrite configuration that is critical for ConsoleMe to operate properly. To read dynamic configuration, code must explicitly request attributes in the dynamic_config namespace. Examples are here.

ConsoleMe uses dynamic configuration to store the following:

  • In addition to using role tags, you can authorize users or groups to access a role through dynamic configuration. The code that processes this is defined here. An example configuration is below (the missing colon after the group name in the original has been added):

```yaml
group_mapping:
  groupA@example.com:
    cli_only_roles:
      - 'arn:aws:iam::123456789012:role/role1InstanceProfile'
    roles:
      - 'arn:aws:iam::123456789012:role/role2'
  userb@example.com:
    cli_only_roles:
      - 'arn:aws:iam::123456789012:role/role2'
      # ....
```
  • IAM inline policy permission templates are also stored in dynamic configuration. This is where you add templates that fit your organization's needs; they will then appear in the dropdown menu of the inline policy editor. Here's an example of how to add templates to your dynamic config:

```yaml
permission_templates:
    -   key: default
        text: Default Template
        value: |-
            {
                "Statement":[
                    {
                        "Action":[
                            ""
                        ],
                        "Effect":"Allow",
                        "Resource": [
                            ""
                        ]
                    }
                ],
                "Version":"2012-10-17"
            }
    -   key: s3write
        text: S3 Write Access
        value: |-
            {
                "Statement":[
                    {
                        "Action":[
                            "s3:ListBucket",
                            "s3:GetObject",
                            "s3:PutObject",
                            "s3:DeleteObject"
                        ],
                        "Effect":"Allow",
                        "Resource":[
                            "arn:aws:s3:::BUCKET_NAME",
                            "arn:aws:s3:::BUCKET_NAME/OPTIONAL_PREFIX/*"
                        ],
                        "Sid":"s3readwrite"
                    }
                ]
            }
...
```
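The following is an added example, not ConsoleMe's own code, showing how a `group_mapping` like the one above resolves to a per-user authorization decision. It assumes (the page does not spell this out) that `roles` grants both console login and CLI credentials while `cli_only_roles` grants CLI credentials only, that a user's access is the union of their own entry and their groups' entries, and that the YAML has already been parsed into a dict (the constructed sample below mirrors the page's example).

```python
"""Resolve role authorization from a ConsoleMe-style dynamic config (added example)."""
from typing import Dict, Iterable, Set

# Constructed sample: the page's group_mapping YAML after parsing.
DYNAMIC_CONFIG = {
    "group_mapping": {
        "groupA@example.com": {
            "cli_only_roles": ["arn:aws:iam::123456789012:role/role1InstanceProfile"],
            "roles": ["arn:aws:iam::123456789012:role/role2"],
        },
        "userb@example.com": {
            "cli_only_roles": ["arn:aws:iam::123456789012:role/role2"],
        },
    }
}


def authorized_roles(config: dict, principals: Iterable[str]) -> Dict[str, Set[str]]:
    """Return {'console': {...}, 'cli': {...}} for a user plus all of their groups.

    Assumption: `roles` permits console and CLI; `cli_only_roles` permits CLI only.
    Unknown principals simply contribute nothing (fail closed).
    """
    mapping = config.get("group_mapping", {})
    console: Set[str] = set()
    cli: Set[str] = set()
    for principal in principals:
        entry = mapping.get(principal, {})
        console.update(entry.get("roles", []))
        cli.update(entry.get("roles", []))
        cli.update(entry.get("cli_only_roles", []))
    return {"console": console, "cli": cli}


def can_assume(config: dict, principals: Iterable[str], role_arn: str, via_cli: bool) -> bool:
    """Authorization check; a console request must never be satisfied by a cli_only_roles entry."""
    allowed = authorized_roles(config, principals)
    return role_arn in (allowed["cli"] if via_cli else allowed["console"])
```

Because the decision is the union over every principal, removing a user from a group in your identity provider is only effective once ConsoleMe's view of that user's groups has refreshed.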