Simplify authentication process
Opened this issue · 3 comments
I've been using sink for other projects (very handy!), and I think there's potential for it to be generally useful, but setting up the authentication with a new user / file is a huge friction point.
I wonder if there is an easier way (maybe like a sink auth that automates the process at least a little bit).
Maybe out of scope, but would be useful to have.
I think you might be describing something like the Google credentials setup at TT. I think it authorizes file access through actual users instead of through a service account. From what I remember, there was a slightly longer initial setup for less friction for each individual use.
Since we set this up to authenticate with a service account, I don't think there's a good way for the service account to authorize itself to have access to files. We need the user to add the service account to a new file (unless the file is inside a folder that the service account has overall access to).
I do plan on spending some time revisiting Google authentication this semester through #35 and setting up a new service account to move away from the sourdough account. But I do agree that it may also be worthwhile to look into a refactor of our authentication/authorization flow.
Setting up a new service account in it of itself is probably a pain point if we want to renew service accounts every year for security reasons. This process (along with AWS IAM setup) may benefit from some automation with infrastructure as code.
Yeah I wonder if there's some way to even just automate the creation of a service account.
This is outside the Daily's use case, but I often want to use sink for one-off projects where I am collaborating with others. I don't want to reuse a service account, since I might want some collaborators to have access to files for one project but not another.
Using actual users is probably preferable if that can be done in an ergonomic way, but one alternative might look something like this:
There is an admin service account that has the permission to create and manage service accounts. Users who have admin credentials can then run sink create-auth <name> to create a new consumer user <name> and creates a corresponding <name>.json file, which can then be distributed to whoever.
This feels pretty messy though, so hopefully there's a better way of going about this.