Creating additional users

After we're finished with bootstrapping, we'll want to let other people play with Astra and manipulate our infrastructure as well. We're already well primed for this; in our initial bootstrapping step we've set up our AWS SSO and now we can just add users and they'll automatically have access to our infra based on the roles we give them.

Let's explore the `astra user` command

We can type in `astra user create --help` to see how the command should be used.

~|⇒ astra user create --help
Create a new user and assign them into roles.
...

1. Move to your Terraform directory

In our bootstrapping step we defined a specific directory we would use for our Terraform files. We'll first need to navigate to that directory in order to run the user creation process. This is because all users and their settings are written to Terraform, making it easy to update or delete them.

cd ~/Code/Terraform

2. Decide what access we want the user to have

Astra uses AWS SSO to manage users and permissions via roles. These roles are distributed to particular accounts and only grant access to particular things within that account.

The role everyone gets by default is read-only, which allows users to have read access to everything in production, staging, or development base accounts.

All other roles need to be passed to the `astra user create` command in order for the user to have the appropriate permissions for a particular account.

Here is a breakdown of the roles you receive out of the box with Astra:

| Role | Accounts |
|---|---|
| global_admin | all |
| read_only | all |
| production_admin | production |
| staging_admin | staging |
| development_admin | development |

The other global role that works on every account is the `global_admin` role. Only a few trusted users should have the `global_admin` role, as it has access to do just about anything. The `global_admin` role is also the only role that allows access to the management account by default.

🪧 If you need to see if an account houses a particular role, you can always use the `astra account get <account_name>` command.
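A pre-flight check for the roles you plan to pass with `-r`, as an added example that is not part of Astra or its documentation: it applies the role table above, adds the default read-only role, rejects misspelled role names, and flags `global_admin`. The account label `management`, the `read`/`admin` levels and all function names are assumptions made for illustration.

```python
import shlex

# Role -> accounts, taken from the role table on this page. "management" as an
# account label and the "read"/"admin" levels are modelling assumptions.
BASE_ACCOUNTS = ("production", "staging", "development")
ROLE_GRANTS = {
    "global_admin": {a: "admin" for a in BASE_ACCOUNTS + ("management",)},
    "read_only": {a: "read" for a in BASE_ACCOUNTS},
    "production_admin": {"production": "admin"},
    "staging_admin": {"staging": "admin"},
    "development_admin": {"development": "admin"},
}
DEFAULT_ROLES = ("read_only",)  # every user receives this role by default
RANK = {"read": 1, "admin": 2}


def roles_from_command(command):
    """Extract the -r values from an `astra user create` command line."""
    argv = shlex.split(command)
    roles = []
    for i, arg in enumerate(argv):
        if arg == "-r":
            if i + 1 >= len(argv):
                raise ValueError("-r given without a role name")
            roles.append(argv[i + 1])
    return roles


def effective_access(roles):
    """Return ({account: level}, [warnings]) for the requested roles."""
    unknown = sorted(set(roles) - set(ROLE_GRANTS))
    if unknown:
        raise ValueError("unknown role(s): " + ", ".join(unknown))
    access = {}
    for role in dict.fromkeys(DEFAULT_ROLES + tuple(roles)):
        for account, level in ROLE_GRANTS[role].items():
            if RANK[level] > RANK.get(access.get(account), 0):
                access[account] = level  # keep the highest level per account
    warnings = []
    if "global_admin" in roles:
        warnings.append("global_admin: admin on every account, including management")
    return access, warnings


if __name__ == "__main__":
    cmd = "astra user create -r staging_admin -r development_admin"  # constructed sample
    access, warnings = effective_access(roles_from_command(cmd))
    print(access)
    print(warnings)
```
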

3. Create the user

Let's just go ahead and create a normal user who has access to all our base accounts.

astra user create -r production_admin -r staging_admin -r development_admin

The user create command is interactive so it will prompt us for user details:

? User's given/first name ?: John
? User's middle initial (Leave empty for none) ?: F
? Family/last name: Doe
? Email: myemail+johndoe@orreri.dev
? Astra thinks the username should be 'johnfdoe' (Y/n): Y

It will then create the user within our Terraform repository and print out the user details:

✓ Created user 'johnfdoe'

│ Username:           johnfdoe
│ Astra token ID:     SDRbZ
│ Astra secret token: some_api_token_here
│ SSO Login Link:     https://d-9b770d4778.awsapps.com/start
│ User docs:          https://astra.orreri.dev/docs/cli_reference/init.html

Lastly, we just provide the user with these details (securely) and have them use the `astra init` command to get started.

🪧 Don't forget to check in the user Terraform code that Astra gives you!