Enabling Features
Some Identity Federation for AWS features must be enabled before your team can use them. Explore the available features, and find out how to enable them on your site. You can enable/disable each feature individually at any time.
Note that features marked experimental represent work-in-progress and are not officially supported by Utoolity. They may be incomplete, or may change before being incorporated into the product, or removed eventually.
That being said, experimental features allow us to gather feedback on "work-in-progress" features to help us improve them - please get in touch for any issues, questions or suggestions you might have.
On this page:
- 1 Disable implicit connector visibility for administrators
- 2 Enable connector management by restricted administrators
- 3 Enable IAM role for EC2/ECS credentials provider
- 4 Enable IAM role for EKS service accounts credentials provider
- 5 Enable AWS China partition (experimental)
- 6 Enable AWS GovCloud (US) partition (experimental)
Disable implicit connector visibility for administrators
By default, administrators can always see, edit and use all connectors. For all non-administrators, visibility and use of connectors in the 'AWS Resources' menu, the connector selection widget, and via the REST API is scoped to the groups selected on the connector, which allows the retrieval of temporary AWS credentials to be delegated.
While this behavior properly reflects the security barriers in the Atlassian Server universe (where administrators are generally able to get access to all data one way or another), it turns out to be a usability flaw in scenarios where many users have been granted administrative rights to overcome insufficient permission granularity in the host product (e.g. Bamboo before the permission changes introduced in release 6.2). As a preliminary workaround, this feature flag changes the default behavior as follows:
- By default, members of the administrator group (e.g. bamboo-admin) can no longer see or use any connectors via the REST API or dependent resources such as the 'AWS Resources' menu and the connector selection widgets, unless they are explicitly granted access by including the respective group in the connector's Groups selection.
- Regardless, members of the administrator group (e.g. bamboo-admin) can still edit all connectors via the configuration screen.
No security barrier
This change is mostly a usability improvement, not an impenetrable security barrier: administrators can still grant themselves access to any connector at any time, simply by adjusting the connector's group associations or their own group membership.
Refer to https://utoolity.atlassian.net/browse/UAA-298 for more details on how this preliminary workaround relates to more far-reaching changes to Identity Federation for AWS permission granularity that are possible in future releases.
Enable connector management by restricted administrators
By default, only system administrators can configure AWS connectors, but you can also enable connector management by restricted administrators. This is the first step in our journey to move AWS credentials management into user space while retaining tight administrative control where desired.
Enable IAM role for EC2/ECS credentials provider
If you have provisioned your Atlassian workloads on Amazon EC2 (for example via the Atlassian Data Center on AWS Quick Starts), Amazon ECS, or AWS Fargate, you can benefit from the convenience and flexibility of providing AWS security credentials via IAM roles for Amazon EC2 instances and IAM roles for Amazon ECS tasks by enabling the IAM role for EC2/ECS credentials provider.
EKS Pod Identities
The IAM role for EC2/ECS credentials provider also supports EKS Pod Identities.
Security assessment
The convenience of IAM roles for Amazon EC2 instances has the downside of a less explicit security posture and more indirect regression potential, as further outlined in https://utoolity.atlassian.net/browse/UAA-49. The feature therefore currently requires an opt-in, and we also recommend the principal type 'Assume Role' rather than 'Provided', so that the actual permissions are gained via another role instead of the one directly attached to the EC2 instance. Either way, please make sure you have thoroughly assessed the security configuration of your underlying EC2 instance(s) and the attached or assumed IAM roles.
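The two-role arrangement recommended above, as an added illustration that is not part of the Utoolity documentation or product: the role attached to the EC2 instance profile is allowed to do nothing except assume the role the connector actually uses, and that connector role trusts only the instance role. The account ID 123456789012 and the role names bamboo-instance-role and ifa-connector-role are constructed placeholders; the connector's own permissions (here a read-only example) go on the connector role, so a compromise of the instance's IMDS credentials yields only the right to assume the explicitly trusted role.

```json
{
  "bamboo-instance-role_PermissionPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "OnlyAssumeConnectorRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::123456789012:role/ifa-connector-role"
      }
    ]
  },
  "ifa-connector-role_TrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "TrustOnlyTheInstanceRole",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456789012:role/bamboo-instance-role"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  },
  "ifa-connector-role_PermissionPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "EffectivePermissionsLiveHere",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances",
          "s3:ListAllMyBuckets"
        ],
        "Resource": "*"
      }
    ]
  }
}
```

The three documents are grouped into one object only for presentation; each value is a separate IAM policy document to be attached to the role named in its key.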
Enable IAM role for EKS service accounts credentials provider
If you have provisioned your Atlassian workloads on Amazon Elastic Kubernetes Service (Amazon EKS), you can benefit from the convenience and flexibility of providing AWS security credentials via IAM roles for service accounts (IRSA) by enabling the IAM role for EKS service accounts credentials provider.
Alternatively, you can also enable the IAM role for EC2/ECS credentials provider to provide temporary AWS security credentials on Amazon EKS via EKS Pod Identities.
Enable AWS China partition (experimental)
Enable AWS GovCloud (US) partition (experimental)
© 2024 Utoolity GmbH. All rights reserved.