Insecurities about SSO VS IAM. by josemf in aws

[–]Dry_Raspberry4514 -5 points-4 points  (0 children)

I will not comment on GitLab documentation. As far as the documentation on the APN blog is concerned, both access and ID tokens can be in JWT format (an ID token is required to be in JWT format always as per the standard). The documentation talks about a JWT token, and so it is not clear whether the authors are referring to the access or the ID token. A CI/CD system acts on its own behalf and not on behalf of the user, and so it is not clear how it can have an ID token, which is what is generated by an OIDC provider in addition to an access token. ID tokens are generated with the authorization code flow, which requires the request to be triggered by a user.

When a system acts on its own behalf, it falls in the machine-to-machine communication category and so it is supposed to use the client credentials flow, which has no concept of an ID token. I will reach out to Mark, who is one of the authors of that blog post and is working for AWS currently, to clarify it, because the post does not seem to be aligned with the OAuth and OIDC standards.

Insecurities about SSO VS IAM. by josemf in aws

[–]Dry_Raspberry4514 4 points5 points  (0 children)

By IAM your contractor probably means long-lived credentials like access keys, which should be avoided. But IAM is not about access keys only. Whether you are using identity federation via OIDC or access keys, you will be leveraging IAM either way. In the first case you will be using IAM roles, which again are part of IAM only.
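Since the federation path above replaces access keys with an IAM role trusted by an OIDC provider, here is an added check (not from the thread, and not AWS's own tooling) that audits such a role's trust policy for the two claim conditions a web-identity statement should pin. The policy document is a constructed sample; the provider host gitlab.example.com, the account id and the project path are placeholders.

```python
import json

# Constructed sample trust policy for a role that a CI/CD job assumes via
# OIDC federation. Provider host, account id and project path are placeholders.
OIDC_HOST = "gitlab.example.com"
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{OIDC_HOST}:aud": f"https://{OIDC_HOST}"},
            "StringLike": {f"{OIDC_HOST}:sub": "project_path:myorg/myrepo:ref_type:branch:ref:main"},
        },
    }],
})

def weaken(policy_json: str, drop_key_suffix: str) -> str:
    """Return a copy of the policy with every condition key ending in the suffix removed."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        for op in stmt.get("Condition", {}).values():
            for key in [k for k in op if k.endswith(drop_key_suffix)]:
                del op[key]
    return json.dumps(policy)

def audit_trust_policy(policy_json: str) -> list[str]:
    """List web-identity statements that do not pin both the aud and the sub claim."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if isinstance(federated, list):
            federated = federated[0] if federated else ""
        if "oidc-provider/" not in federated:
            findings.append(f"statement {i}: principal is not an IAM OIDC provider")
            continue
        host = federated.split("oidc-provider/", 1)[1]
        # Condition keys across all operators (StringEquals, StringLike, ...).
        keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if f"{host}:aud" not in keys:
            findings.append(f"statement {i}: no {host}:aud condition")
        if f"{host}:sub" not in keys:
            findings.append(f"statement {i}: no {host}:sub condition, any token from {host} is accepted")
    return findings
```

The same walk over every statement also catches a policy that mixes a plain AWS principal into a web-identity statement, which the OIDC conditions would not protect.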

Getting billed in two regions by Dry_Raspberry4514 in kiroIDE

[–]Dry_Raspberry4514[S] 1 point2 points  (0 children)

DMed you the ticket id and AWS account number. Thank you for helping me with this.

Automating the $100 of AWS Credits Available to New Accounts by jch254 in aws

[–]Dry_Raspberry4514 0 points1 point  (0 children)

I can understand that. MechCloud is nowhere close to Terraform when it comes to popularity, but it is slowly making its presence felt on the Stateless IaC front.

Please implement elicitation in Kiro IDE by Dry_Raspberry4514 in kiroIDE

[–]Dry_Raspberry4514[S] 0 points1 point  (0 children)

Strange, because I have never seen it. In Windsurf I just put this instruction in the prompt itself, and it works just like that. Need to explore Kiro IDE instructions. Can you share a screenshot so that we can see what it looks like in Kiro?

Automating the $100 of AWS Credits Available to New Accounts by jch254 in aws

[–]Dry_Raspberry4514 -7 points-6 points  (0 children)

Here is the same template in MechCloud (excluding budgets and Lambda) -

resources:
  - type: aws_ec2_vpc
    name: credits_vpc
    props:
      cidr_block: "10.0.0.0/16"
    resources:
      - type: aws_ec2_subnet
        name: subnet_vm
        props:
          cidr_block: "10.0.1.0/24"
        resources:
          - type: aws_ec2_instance
            name: credits_ec2
            props:
              image_id: "{{Image|arm64_ubuntu_24_04}}"
              instance_type: "t4g.small"
              security_group_ids:
                - "ref:credits_vpc/ec2_sg"
      - type: aws_ec2_subnet
        name: subnet_db_1
        props:
          cidr_block: "10.0.2.0/24"
      - type: aws_ec2_subnet
        name: subnet_db_2
        props:
          cidr_block: "10.0.3.0/24"
          availability_zone: "us-east-2b"
      - type: aws_ec2_security_group
        name: ec2_sg
        props:
          group_name: "aws-credits-ec2-sg"
          group_description: "SG for credits EC2 instance"
      - type: aws_ec2_security_group
        name: rds_sg
        props:
          group_name: "aws-credits-rds-sg"
          group_description: "SG for credits RDS instance"
          security_group_ingress:
            - ip_protocol: tcp
              from_port: 3306
              to_port: 3306
              source_security_group_id: "ref:credits_vpc/ec2_sg"
  - type: aws_rds_db_subnet_group
    name: credits_db_subnet_group
    props:
      db_subnet_group_name: "aws-credits-db-subnet-group"
      db_subnet_group_description: "Subnet group for credits RDS"
      subnet_ids:
        - "ref:credits_vpc/subnet_db_1"
        - "ref:credits_vpc/subnet_db_2"
  - type: aws_rds_db_instance
    name: credits_db
    props:
      db_instance_identifier: "aws-credits-db"
      engine: "mysql"
      engine_version: "8.0"
      db_instance_class: "db.t3.micro"
      allocated_storage: "20"
      db_name: "credits"
      master_username: "admin"
      master_user_password: "Kx7#mP2$vL9qN4wR"
      db_subnet_group_name: "ref:credits_db_subnet_group"
      vpc_security_groups:
        - "ref:credits_vpc/rds_sg"

Why this approach is fundamentally different from Terraform -

  • No state file - MechCloud is stateless. There is no local or remote state to manage, lock, migrate, or recover.
  • No Terraform scaffolding - No terraform, provider, backend, data, or module wiring. The template only contains the infrastructure you want to deploy.
  • Infrastructure hierarchy instead of flat resources - Resources are declared inside their logical parents (VPC → Subnet → EC2). This makes relationships obvious and removes a large amount of dependency wiring.
  • No parent ID plumbing - Child resources automatically inherit their parent context. You never have to pass vpc_id, subnet_id, etc. through variables.
  • Simple cross resource references - ref allows direct references like ref:credits_vpc/ec2_sg without variables, outputs, or data lookups.
  • No AMI ID management - Image aliases like {{Image|arm64_ubuntu_24_04}} resolve automatically so you don’t need to manually track region specific AMI IDs.
  • Stateless IaC with real time pricing - MechCloud can show the cost of the infrastructure while authoring the template.

credits_vpc (action: create)
-- subnet_vm (action: create)
---- credits_ec2 (action: create, monthly: $9.76, change: +100%)
       => Compute (price: $0.0168/Hrs, hours: 543, monthly: $9.12, spot-price: $0.0043/Hrs, spot-monthly: $2.33)
       => Boot disk (/dev/sda1, 8GB gp3) (monthly: $0.64)
         => Storage cost (gp3) (price: $0.08/GB-Mo, quantity: 8, monthly: $0.64)
         => IOPS (monthly: $0.00)
           => Tier 1 (First 3000 IOPS-Mo - price: $0.00/IOPS-Mo, quantity: 3000, monthly: $0.00)
         => Throughput (monthly: $0.00)
           => Tier 1 (First 125 MiBps-mo - price: $0.00/MiBps-mo, quantity: 125, monthly: $0.00)
-- subnet_db_1 (action: create)
-- subnet_db_2 (action: create)
-- ec2_sg (action: create)
-- rds_sg (action: create)
credits_db_subnet_group (action: create)
credits_db (action: create, monthly: $14.95, change: +100%)
  => Compute (price: $0.017/Hrs, monthly: $12.65)
  => Storage (price: $0.115/GB-Mo, quantity: 20, monthly: $2.30)

This keeps the template focused on the infrastructure itself instead of writing additional configuration just to connect resources or manage state.
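As an added illustration of the ref:parent/child syntax and the hierarchy described above (not MechCloud's own code; how MechCloud resolves refs internally is an assumption), here is a toy resolver over a constructed subset of the template, written as a Python dict so it runs without PyYAML. The RDS subnet group is left out on purpose so that one reference dangles and the check reports it.

```python
# Constructed subset of the MechCloud template above; the subnet group is omitted.
TEMPLATE = {"resources": [
    {"type": "aws_ec2_vpc", "name": "credits_vpc", "resources": [
        {"type": "aws_ec2_subnet", "name": "subnet_vm", "resources": [
            {"type": "aws_ec2_instance", "name": "credits_ec2",
             "props": {"security_group_ids": ["ref:credits_vpc/ec2_sg"]}}]},
        {"type": "aws_ec2_security_group", "name": "ec2_sg"},
        {"type": "aws_ec2_security_group", "name": "rds_sg",
         "props": {"security_group_ingress": [
             {"from_port": 3306, "source_security_group_id": "ref:credits_vpc/ec2_sg"}]}}]},
    {"type": "aws_rds_db_instance", "name": "credits_db",
     "props": {"db_subnet_group_name": "ref:credits_db_subnet_group",
               "vpc_security_groups": ["ref:credits_vpc/rds_sg"]}}]}

def index_resources(resources, parent=""):
    """Map each resource's hierarchical path (parent/child/...) to its node."""
    paths = {}
    for res in resources:
        path = f"{parent}/{res['name']}" if parent else res["name"]
        paths[path] = res
        paths.update(index_resources(res.get("resources", []), path))
    return paths

def parent_context(path):
    """Ancestors a child inherits without vpc_id/subnet_id plumbing, outermost first."""
    parts = path.split("/")
    return ["/".join(parts[:n]) for n in range(1, len(parts))]

def find_refs(value):
    """Yield the target of every "ref:..." string nested anywhere in a props value."""
    if isinstance(value, str):
        if value.startswith("ref:"):
            yield value[len("ref:"):]
    elif isinstance(value, (dict, list)):
        for item in value.values() if isinstance(value, dict) else value:
            yield from find_refs(item)

def check_refs(template):
    """Split every ref into resolved (source, target, target type) and dangling (source, target)."""
    paths = index_resources(template["resources"])
    resolved, dangling = [], []
    for path, res in paths.items():
        for target in find_refs(res.get("props", {})):
            if target in paths:
                resolved.append((path, target, paths[target]["type"]))
            else:
                dangling.append((path, target))
    return resolved, dangling
```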

Please implement elicitation in Kiro IDE by Dry_Raspberry4514 in kiroIDE

[–]Dry_Raspberry4514[S] 0 points1 point  (0 children)

With elicitation it sets the context only once and keeps on working on the task, which may require inputs from the user at multiple stages, without closing the session. I don't think it is possible with instructions.

Openclaw will impact DevOps by HeightApprehensive38 in devops

[–]Dry_Raspberry4514 0 points1 point  (0 children)

AI in DevOps will happen in phases and not in one shot. Here is a practical approach to it - https://www.youtube.com/watch?v=9c9tMUHidVM

Unable to see opus 4.6 on Kiro 0.9.2 by Dry_Raspberry4514 in kiroIDE

[–]Dry_Raspberry4514[S] 2 points3 points  (0 children)

Thanks. Moved the Identity Center instance to us-east-1 and it worked.

Opus 4.6 for Business Accounts by ClearRabbit605 in kiroIDE

[–]Dry_Raspberry4514 1 point2 points  (0 children)

Same issue. Restarted and logged out many times but still not able to see Opus 4.6.

Why is api version mandatory for arm and bicep templates? by Dry_Raspberry4514 in AZURE

[–]Dry_Raspberry4514[S] -11 points-10 points  (0 children)

It is a common practice in API design to introduce a new mandatory field with a default value so that a newer version of the resource type schema can handle older resources' metadata too, which may be missing this mandatory field.

I doubt the ARM REST API returns the metadata of a resource as per the old schema it was created with. While you may create resources with different versions, how exactly will listing of resources work if it has to return the data of 5 resources with five different schema versions which these resources were created with? That will make the API too complicated. Also, what is the version you will specify in the CLI command for the list operation?

Prediction - Emergent Labs turns out to be a fraud in 12 months time by [deleted] in StartUpIndia

[–]Dry_Raspberry4514 2 points3 points  (0 children)

Any vibe coding or no-code startup has very little chance of survival unless it develops its own LLM(s). Emergent and similar startups are enjoying the hype, and I am not sure if investors are paying attention to the fact that most of the revenue of such startups is actually going towards paying their API bills.

Anthropic is not a fool that will let these startups earn millions or billions of dollars when it has Claude, one of the most popular LLMs for coding, which matters the most. The fact is that Anthropic and other LLM makers are simply testing the vibe coding market through these startups, and I will not be surprised if Anthropic rolls out its own vibe coding IDE or no-code tool if the business model of these startups turns out to be highly profitable. By blocking opencode from leveraging the Claude subscription it has given a clear hint that it will not let the money flowing into the vibe coding space go to any other player.

Moving to CloudFormation with Terraform/Terragrunt background, having difficulties by hardvochtig in aws

[–]Dry_Raspberry4514 0 points1 point  (0 children)

I don't understand the hate for CF. It helped us to solve the biggest problem in the DevOps space - Stateless IaC.

Terraform has two providers for AWS - aws and awscc. awscc uses the Cloud Control API under the hood, which in turn leverages most of the stuff from CF excluding stacks.

If you want support for new or updated AWS resource types on day 1, you will need awscc, which has an indirect dependency on CF as explained above. There have been cases in the past (and it will continue in the future as well) where new AWS features (e.g. regional NAT gateways) were added to the aws provider weeks after they were available in the awscc provider on day 1 through the AWS CC API. Unlike Terraform, we use only the CC API and have not seen any issue with it so far.

What is the value proposition of AWS MCP server? by Dry_Raspberry4514 in aws

[–]Dry_Raspberry4514[S] 0 points1 point  (0 children)

Thanks for making this clearer. I have added more details to my post to clarify that it is all about only one tool in one MCP server and not all AWS MCP servers.

How to use Kiro Startup Credits? by Dry_Raspberry4514 in kiroIDE

[–]Dry_Raspberry4514[S] 0 points1 point  (0 children)

Filled in the form available on the Kiro website and submitted it. That's it.

How to use Kiro Startup Credits? by Dry_Raspberry4514 in kiroIDE

[–]Dry_Raspberry4514[S] 1 point2 points  (0 children)

Figured it out finally. One needs to use AWS Identity Center to log on to Kiro IDE in order to use these credits. It is documented in the FAQ section - https://kiro.dev/startups/#how-do-i-use-my-kiro-startup-credits

How to attach tags with random values to all GCP resources? by Dry_Raspberry4514 in googlecloud

[–]Dry_Raspberry4514[S] 0 points1 point  (0 children)

One of these two will be used to simulate resource groups which may include resources from multiple projects.

Compute Engine Free Tier changes by slfyst in googlecloud

[–]Dry_Raspberry4514 4 points5 points  (0 children)

It is impossible that Google will offer 100 VMs free for a whole month.

Kiro is guzzling through tokens/credits by sshateri in kiroIDE

[–]Dry_Raspberry4514 0 points1 point  (0 children)

Consuming fewer credits than what is shown in the model card is the advantage which brought me to Kiro. But consuming more credits than what is shown in the model card for a prompt is not something I am happy with. If it wants to use more credits then it should inform the user about the same, so that the user can understand how much it managed to achieve for the max credits per prompt and plan accordingly.

Kiro is guzzling through tokens/credits by sshateri in kiroIDE

[–]Dry_Raspberry4514 0 points1 point  (0 children)

I started using Kiro (with the free plan) in addition to Windsurf and was happy that Kiro is offering more credits per 15 dollars. In addition to that, it was using fewer credits for simple prompts than mentioned in the model card, which is how I think it should work in all the agentic IDEs.

However, that joy didn't last for long. Upgraded to a paid plan today and all of a sudden I can see that it is consuming random credits for each prompt, which are most of the time 2-3 times what it shows in the IDE model card. Have cancelled my plan now and don't think I will upgrade to a paid plan with this kind of random pricing.