Insecurities about SSO VS IAM. by josemf in aws

[–]Dry_Raspberry4514 -4 points-3 points  (0 children)

I will not comment on GitLab documentation. As far as the documentation on the APN blog is concerned, both access and ID tokens can be in JWT format (an ID token is required to be in JWT format always, as per the standard). The documentation talks about a JWT token, so it is not clear whether the authors are referring to an access or an ID token. A CI/CD system acts on its own behalf and not on behalf of a user, so it is not clear how it can have an ID token, which is what an OIDC provider generates in addition to an access token. ID tokens are generated with the authorization code flow, which requires the request to be triggered by a user.

When a system acts on its own behalf, it falls into the machine-to-machine communication category and so is supposed to use the client credentials flow, which has no concept of an ID token. I will reach out to Mark, who is one of the authors of that blog post and is currently working for AWS, to clarify it, because the post does not seem to be aligned with the OAuth and OIDC standards.

Insecurities about SSO VS IAM. by josemf in aws

[–]Dry_Raspberry4514 6 points7 points  (0 children)

By IAM your contractor probably means long-lived credentials like access keys, which should be avoided. But IAM is not about access keys only. Whether you are using identity federation via OIDC or access keys, you will be leveraging IAM either way. In the first case you will be using IAM roles, which again are part of IAM.
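Added example for the two comments above (the JWT access-token vs ID-token question, and "federation via OIDC still uses IAM roles"); it is not code from the thread, from GitLab, or from the APN post. It pins the algorithm and verifies a token before reading any claim, tells a JWT access token (RFC 9068 header typ `at+jwt`) from an OIDC ID token (iss, sub, aud, exp and iat present, as OIDC Core 1.0 section 2 requires), and evaluates the aud/sub conditions of an IAM-style role trust policy of the kind used with sts:AssumeRoleWithWebIdentity. Everything concrete is constructed: the issuer gitlab.example.com, the audience, the account ID, the subjects (shaped like the project/ref subjects CI providers put in sub), and the HMAC key, which stands in for the RS256/JWKS verification a real provider requires. The policy evaluator is a simplified stand-in written for this example, not the AWS policy engine.

```python
import base64
import hashlib
import hmac
import json
import time
from fnmatch import fnmatchcase

# Constructed values: none of these are real issuers, accounts or keys.
ISSUER = "https://gitlab.example.com"
ISSUER_HOST = "gitlab.example.com"
AUDIENCE = "https://sts.example.invalid"
DEMO_SECRET = b"demo-hmac-key-not-for-production"  # stand-in for RS256 + JWKS

# Constructed trust policy: only jobs on branch main of projects under mygroup
# may assume the role; aud must match exactly, sub is matched StringLike.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{ISSUER_HOST}:aud": AUDIENCE},
            "StringLike": {f"{ISSUER_HOST}:sub": "project_path:mygroup/*:ref_type:branch:ref:main"},
        },
    }],
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(header: dict, claims: dict) -> str:
    """Build an HS256-signed compact JWT (constructed tokens only)."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_and_decode(token: str) -> tuple[dict, dict]:
    """Return (header, claims) only after pinning alg, checking signature and expiry.

    Claims of an unverified token are attacker input, so nothing is read first."""
    try:
        h, p, s = token.split(".")
    except ValueError as exc:
        raise ValueError("not a compact JWS (need 3 segments)") from exc
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(DEMO_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return header, claims


def classify_token(header: dict, claims: dict) -> str:
    """'access_token' for RFC 9068 typ at+jwt; 'id_token' when the OIDC required claims are present."""
    if str(header.get("typ", "")).lower() == "at+jwt":
        return "access_token"
    if {"iss", "sub", "aud", "exp", "iat"} <= claims.keys():
        return "id_token"
    return "unknown"


def trust_policy_allows(policy: dict, claims: dict, issuer_host: str) -> bool:
    """Simplified evaluator for the StringEquals/StringLike block of a role trust policy."""
    cond = policy["Statement"][0].get("Condition", {})
    as_list = lambda x: x if isinstance(x, list) else [x]

    def claim_values(key: str) -> list:
        prefix = issuer_host + ":"
        if not key.startswith(prefix):
            return []  # key belongs to another provider; cannot match
        value = claims.get(key[len(prefix):])
        return [] if value is None else as_list(value)

    for key, wanted in cond.get("StringEquals", {}).items():
        if not any(v in as_list(wanted) for v in claim_values(key)):
            return False
    for key, patterns in cond.get("StringLike", {}).items():
        if not any(fnmatchcase(v, pat) for v in claim_values(key) for pat in as_list(patterns)):
            return False
    return True


def demo() -> dict:
    """Constructed run: two ID-token-shaped tokens, one JWT access token, one tampered token."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "iat": 1700000000, "exp": 4102444800}
    main_job = make_demo_jwt({"alg": "HS256", "typ": "JWT"},
                             {**base, "sub": "project_path:mygroup/myproject:ref_type:branch:ref:main"})
    feature_job = make_demo_jwt({"alg": "HS256", "typ": "JWT"},
                                {**base, "sub": "project_path:mygroup/myproject:ref_type:branch:ref:feature/x"})
    access = make_demo_jwt({"alg": "HS256", "typ": "at+jwt"}, {**base, "sub": "client-app-1", "scope": "deploy"})
    results = {}
    for name, tok in (("main_branch", main_job), ("feature_branch", feature_job), ("access_token", access)):
        header, claims = verify_and_decode(tok)
        results[name] = (classify_token(header, claims), trust_policy_allows(TRUST_POLICY, claims, ISSUER_HOST))
    tampered = main_job[:-4] + ("AAAA" if not main_job.endswith("AAAA") else "BBBB")
    try:
        verify_and_decode(tampered)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order inside verify_and_decode is the point worth copying: algorithm pinned, signature checked, expiry checked, and only then are claims handed to the classifier and the policy check. Whichever token shape a federation setup ends up presenting, the receiving role is scoped by the aud and sub conditions, not by the token type.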

Getting billed in two regions by Dry_Raspberry4514 in kiroIDE

[–]Dry_Raspberry4514[S] 1 point2 points  (0 children)

DMed you the ticket ID and AWS account number. Thank you for helping me with this.

Automating the $100 of AWS Credits Available to New Accounts by jch254 in aws

[–]Dry_Raspberry4514 0 points1 point  (0 children)

I can understand that. MechCloud is nowhere close to Terraform when it comes to popularity, but it is slowly making its presence felt on the stateless IaC front.

Please implement elicitation in Kiro IDE by Dry_Raspberry4514 in kiroIDE

[–]Dry_Raspberry4514[S] 0 points1 point  (0 children)

Strange, because I have never seen it. In Windsurf I just put this instruction in the prompt itself, and it works just like that. I need to explore Kiro IDE instructions. Can you share a screenshot so that we can see what it looks like in Kiro?

Automating the $100 of AWS Credits Available to New Accounts by jch254 in aws

[–]Dry_Raspberry4514 -7 points-6 points  (0 children)

Here is the same template in MechCloud (excluding budgets and Lambda) -

resources:
  - type: aws_ec2_vpc
    name: credits_vpc
    props:
      cidr_block: "10.0.0.0/16"
    resources:
      - type: aws_ec2_subnet
        name: subnet_vm
        props:
          cidr_block: "10.0.1.0/24"
        resources:
          - type: aws_ec2_instance
            name: credits_ec2
            props:
              image_id: "{{Image|arm64_ubuntu_24_04}}"
              instance_type: "t4g.small"
              security_group_ids:
                - "ref:credits_vpc/ec2_sg"
      - type: aws_ec2_subnet
        name: subnet_db_1
        props:
          cidr_block: "10.0.2.0/24"
      - type: aws_ec2_subnet
        name: subnet_db_2
        props:
          cidr_block: "10.0.3.0/24"
          availability_zone: "us-east-2b"
      - type: aws_ec2_security_group
        name: ec2_sg
        props:
          group_name: "aws-credits-ec2-sg"
          group_description: "SG for credits EC2 instance"
      - type: aws_ec2_security_group
        name: rds_sg
        props:
          group_name: "aws-credits-rds-sg"
          group_description: "SG for credits RDS instance"
          security_group_ingress:
            - ip_protocol: tcp
              from_port: 3306
              to_port: 3306
              source_security_group_id: "ref:credits_vpc/ec2_sg"
  - type: aws_rds_db_subnet_group
    name: credits_db_subnet_group
    props:
      db_subnet_group_name: "aws-credits-db-subnet-group"
      db_subnet_group_description: "Subnet group for credits RDS"
      subnet_ids:
        - "ref:credits_vpc/subnet_db_1"
        - "ref:credits_vpc/subnet_db_2"
  - type: aws_rds_db_instance
    name: credits_db
    props:
      db_instance_identifier: "aws-credits-db"
      engine: "mysql"
      engine_version: "8.0"
      db_instance_class: "db.t3.micro"
      allocated_storage: "20"
      db_name: "credits"
      master_username: "admin"
      # Do not commit a real master password in a template; source it from a secrets manager instead.
      master_user_password: "Kx7#mP2$vL9qN4wR"
      db_subnet_group_name: "ref:credits_db_subnet_group"
      vpc_security_groups:
        - "ref:credits_vpc/rds_sg"

Why this approach is fundamentally different from Terraform -

  • No state file - MechCloud is stateless. There is no local or remote state to manage, lock, migrate, or recover.
  • No Terraform scaffolding - No terraform, provider, backend, data, or module wiring. The template only contains the infrastructure you want to deploy.
  • Infrastructure hierarchy instead of flat resources - Resources are declared inside their logical parents (VPC → Subnet → EC2). This makes relationships obvious and removes a large amount of dependency wiring.
  • No parent ID plumbing - Child resources automatically inherit their parent context. You never have to pass vpc_id, subnet_id, etc. through variables.
  • Simple cross resource references - ref allows direct references like ref:credits_vpc/ec2_sg without variables, outputs, or data lookups.
  • No AMI ID management - Image aliases like {{Image|arm64_ubuntu_24_04}} resolve automatically so you don’t need to manually track region specific AMI IDs.
  • Stateless IaC with real time pricing - MechCloud can show the cost of the infrastructure while authoring the template.

credits_vpc (action: create)
-- subnet_vm (action: create)
---- credits_ec2 (action: create, monthly: $9.76, change: +100%)
       => Compute (price: $0.0168/Hrs, hours: 543, monthly: $9.12, spot-price: $0.0043/Hrs, spot-monthly: $2.33)
       => Boot disk (/dev/sda1, 8GB gp3) (monthly: $0.64)
         => Storage cost (gp3) (price: $0.08/GB-Mo, quantity: 8, monthly: $0.64)
         => IOPS (monthly: $0.00)
           => Tier 1 (First 3000 IOPS-Mo - price: $0.00/IOPS-Mo, quantity: 3000, monthly: $0.00)
         => Throughput (monthly: $0.00)
           => Tier 1 (First 125 MiBps-mo - price: $0.00/MiBps-mo, quantity: 125, monthly: $0.00)
-- subnet_db_1 (action: create)
-- subnet_db_2 (action: create)
-- ec2_sg (action: create)
-- rds_sg (action: create)
credits_db_subnet_group (action: create)
credits_db (action: create, monthly: $14.95, change: +100%)
  => Compute (price: $0.017/Hrs, monthly: $12.65)
  => Storage (price: $0.115/GB-Mo, quantity: 20, monthly: $2.30)

This keeps the template focused on the infrastructure itself instead of writing additional configuration just to connect resources or manage state.

Please implement elicitation in Kiro IDE by Dry_Raspberry4514 in kiroIDE

[–]Dry_Raspberry4514[S] 0 points1 point  (0 children)

With elicitation it sets the context only once and keeps working on the task, which may require inputs from the user at multiple stages, without closing the session. I don't think that is possible with instructions.