We would like to expand our Automation with AWS add-on family to Confluence, so similar to all other Utoolity AWS add-ons, we need the shared Identity Federation for AWS authentication component to ease reuse of the AWS authentication layer across potentially several AWS add-ons for Confluence (including yours - please don't hesitate to get in touch!).
What it does
Similar to all other Identity Federation for AWS add-ons, at its core the add-on provides "Temporary AWS credentials for your DevOps workflows" so that you can "grant users and add-ons fine-grained access to Amazon Web Services resources". On top of this the add-on uses the following integration points:
- an administrative AWS connector management component
- an AWS Management Console Login menu for Single Sign-On (SSO) with AWS
- an AWS Resources macro for deep links to services and resources with optional Single Sign-On (SSO)
- an AWS Resources blueprint as starting point for custom portals to AWS services and resources
- a REST API for temporary AWS credentials
Challenges we ran into
Confluence blueprints are an excellent concept for feature discovery and onboarding of users, but the API is a bit too limited for our taste and would greatly benefit from some upstream love to both make the implementation even easier and, more importantly, provide more usability and versatility for end users in turn.
What we learned
We learned how to implement Confluence macros and blueprints, and have come to appreciate that Confluence blueprints provide an excellent built-in feature discovery mechanism and a nice onboarding experience in turn.
What's next for Identity Federation for AWS (Confluence)
While providing value on its own, the primary motivation to build it has been its reuse for consuming add-ons, with 'Automation with AWS (Confluence)' being in the works already.
Regardless, we have grown quite fond of the ability to deep link to arbitrary AWS resources and want to expand the concept to AWS resource groups and the implied inversion of control: rather than targeting individual resources (pets), this will allow specifying regions, resource types and tags to get a table of matching resources (cattle), similar to how the JIRA macro allows linking either to a single issue or to a collection of issues based on a filter.
Accordingly, we will also look into providing autoconvert on paste of individual resources or tag groups. An obvious related usability improvement would be the ability to convert any Amazon Resource Name (ARN) into an appropriate 'AWS Resources' macro.