posix_monad on Hacker News

Ask HN: How do you approach service-to-service authentication?

Services often need to talk to each-other, but how should they control access?

In an ideal world, callers can prove who they are to services and services only grant access to a minimal set of consumers. There should be low boiler-plate for maintaining service identities and things like token revocation, secret rotation, etc. should be "easy". Bonus points for avoiding vendor lock-in.

What approach do you use for securing service-to-service access?

1posix_monad1y ago4

Ask HN: How do you give developers database access?

We want to keep our databases secure, but sometimes developers need access (think migrations, debugging, business information queries).

Ideally, database access is:

- Connected to existing developer authentication (single sign-on)

- Time limited

- Requires approval

- Leaves an audit trail

How do you achieve these conflicting goals?

Some approaches:

- Put the database in a public subnet and give developers database credentials. This is strongly discouraged by AWS etc (why?). No audit trail or approvals process.

- Put the database in a private subnet with a VPN in a public subnet. Give developers database credentials. This requires credential management for the VPN and you need to pay for an additional server. Access is not time limited. No audit trail or approvals process.

- Something else... ?

3posix_monad2y ago0

Ask HN: How do you approach service-to-service authentication?

Services often need to talk to each-other, but how should they control access?

What approach do you use for securing service-to-service access?

1posix_monad1y ago4

Ask HN: How do you give developers database access?

We want to keep our databases secure, but sometimes developers need access (think migrations, debugging, business information queries).

Ideally, database access is:

- Connected to existing developer authentication (single sign-on)

- Time limited

- Requires approval

- Leaves an audit trail

How do you achieve these conflicting goals?

Some approaches:

- Put the database in a public subnet and give developers database credentials. This is strongly discouraged by AWS etc (why?). No audit trail or approvals process.

- Something else... ?

3posix_monad2y ago0

posix_monad

Recent submissions

WebCrawler – search engine operating for 30 years (opens in new tab)

Ask HN: How do you approach service-to-service authentication?

Economic impacts of mortgage credit expansion policies (opens in new tab)

Brown's golden shot was not the miss his critics would have you believe (2015) (opens in new tab)

UK's Right-Wing Reform Party Floats Overhaul of BOE's QE Program (opens in new tab)

Static single assignment for functional programmers (2011) (opens in new tab)

Ask HN: How do you give developers database access?

What Have Fourteen Years of Conservative Rule Done to Britain? (opens in new tab)

Recent submissions

WebCrawler – search engine operating for 30 years (opens in new tab)

Ask HN: How do you approach service-to-service authentication?

Economic impacts of mortgage credit expansion policies (opens in new tab)

Brown's golden shot was not the miss his critics would have you believe (2015) (opens in new tab)

UK's Right-Wing Reform Party Floats Overhaul of BOE's QE Program (opens in new tab)

Static single assignment for functional programmers (2011) (opens in new tab)

Ask HN: How do you give developers database access?

What Have Fourteen Years of Conservative Rule Done to Britain? (opens in new tab)