Here's our product and community news for March.

Community Newsletter: March 2024

<h1>Community Newsletter: March 2024</h1>
<p>Hey everyone! Shwetha here with the latest tech update. If you're eager for deeper insights and real-time updates, make sure to join our <a href="https://join.slack.com/t/commonfatecommunity/shared_invite/zt-q4m96ypu-_gYlRWD3k5rIsaSsqP7QMg">Slack community</a> or follow us on <a href="https://twitter.com/CommonFateTech">Twitter</a>.</p>
<p>Here's what's been happening in the world of Common Fate over the past month:</p>
<h2>DataStax Integration</h2>
<p>We've introduced a built-in <a href="https://www.datastax.com/">DataStax</a> Integration for seamless, just-in-time access to roles within DataStax. Learn more about the setup and process <a href="https://docs.commonfate.io/integrations/datastax">here</a>. Want to see this in action? Book a live demo using <a href="https://savvycal.com/common-fate/d3c7f2e9">this link</a>.</p>
<p><img src="https://mcusercontent.com/69860be79239e5e8d492037c9/images/6dee01e1-9d74-0060-e64f-9947eba145f3.png" alt=""></p>
<h2>Authorization Logs</h2>
<p>We have added authorization logs to inspect and debug authorization events within Common Fate. Each time an authorization decision is made, Common Fate stores a log of the evaluation. In <a href="https://docs.commonfate.io/observability/authorization">this guide</a>, you’ll learn how to use authorization logs to debug your authorization policies.</p>
<p><img src="https://mcusercontent.com/69860be79239e5e8d492037c9/images/79f55254-4a0c-f4e9-f13b-7a1a6a6f67d6.png" alt=""></p>
<h2>Fourtheorem Blog Post</h2>
<p>We were recently featured on Fourtheorem’s blog post on Managing AWS accounts like a PRO, which goes through the process of setting up IAM Identity Center with Granted to obtain credentials through Granted.</p>
<p><a href="https://fourtheorem.com/managing-aws-accounts-part-1/">You can read the blog post here</a></p>
<p><img src="https://mcusercontent.com/69860be79239e5e8d492037c9/images/21cbc61d-de82-86e0-6380-71a03eaeb007.png" alt=""></p>
<h2>Granted Updates</h2>
<p>In our ongoing commitment to enhancing Granted, we're excited to share the latest updates:</p>
<p><strong>Added support for refreshable AWS SSO:</strong></p>
<ul>
<li>You can now add <code>granted_sso_registration_scopes = sso:account:access</code> to your <code>~/.aws/config</code>, which will cause Granted to respect the <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html">session duration</a> in IAM Identity Center. This can be extended to prompt less frequently. Supplying the <code>sso:account:access</code> scope will cause IAM Identity Center to return a refreshable access token, with a total allowed session time in accordance with your configured AWS SSO session length.</li>
</ul>
<p><strong>IAM Federated logins now have attributable username in Cloudtrail</strong></p>
<ul>
<li>The changes refactor the way federation token ID is used for AWS IAM credentials. Instead of relying on the <code>userID</code> which was previously parsed, the code now uses the <code>userName</code> which is more easily attributable to the IAM user name in the Cloudtrail events list view. Thank you to <a href="https://github.com/matthewhembree">@matthewhembree</a> for their contributors on this.</li>
</ul>
<p>A big shoutout to our first-time contributors:</p>
<ul>
<li><a href="https://github.com/CodyDunlap">@CodyDunlap</a> made their first contribution in <a href="https://github.com/common-fate/granted/pull/611">#611</a></li>
<li><a href="https://github.com/matthewhembree">@matthewhembree</a> made their first contribution in <a href="https://github.com/common-fate/granted/pull/626">#626</a></li>
<li><a href="https://github.com/keymon">@keymon</a> made their first contribution in <a href="https://github.com/common-fate/granted/pull/619">#619</a></li>
</ul>
<p>For a comprehensive list of changes, please visit our <a href="https://github.com/common-fate/granted/releases">changelog</a>.</p>
<p>Your voice shapes our tools. We value your feedback, suggestions, and ideas, so please don't hesitate to get in touch.</p>
<p>Until next time,</p>
<p>The Common Fate Team</p>


# Common Fate Product Updates

Today we’re releasing new integrations for Common Fate, as well as an improved support experience for your end users using our access platform.

## BigQuery Access Integration

Common Fate now integrates with BigQuery to provision Just-In-Time access to data. The integration creates an inventory of BigQuery resources across a Google Cloud organization and allows access to be requested to individual Tables or Datasets.

[Read our integration guide here.](https://docs.commonfate.io/integrations/bigquery)

<img
  src="/blog_posts/bigquery.png"
  style={{
    clipPath: "inset(5px 5px 5px 5px)",
  }}
/>

## GCP Organization-Level Access

We’ve added support for provisioning Just-In-Time access at the organization level.

[Read our integration guide here.](https://docs.commonfate.io/integrations/gcp#organization-level-access)

## Embedded Product Support

You can now reach out to Common Fate support directly within the web console for assistance and feedback.

<img
  src="/blog_posts/embedded_product_support.png"
  style={{
    clipPath: "inset(5px 5px 5px 5px)",
  }}
/>

## **Webhook Integrations**

Connect Common Fate to other security tools or build custom integrations using our new webhook integration. Using webhooks you can stream audit log or authorization events to any HTTP endpoint. Get started: [Webhook Integration Guide](https://docs.commonfate.io/integrations/webhook).

![](/blog_posts/webhook.png)

## CLI improvements

The [Common Fate CLI](https://github.com/common-fate/cli) now automatically populates your local AWS configuration file when access is provisioned.

![](/blog_posts/cli_improvements.png)


Here's our most recent product update

Common Fate Product Updates


At Common Fate we're big fans of [authorization-as-code](https://docs.commonfate.io/authz/introduction). Treating your authorization policies as source code means you can test and review changes using your existing tools like Terraform and GitHub. We use [Cedar](http://www.cedarpolicy.com) as the authorization-as-code framework in [our product](https://docs.commonfate.io/introduction).

Here's an example Cedar policy you might write:

```cedar
@advice("You can request access because you're currently on-call.")
permit (
  principal in PagerDuty::OnCall::"PDXYZ123",
  action == Access::Action::"Request",
  resource is AWS::IDC::AccountEntitlement
)
when
{
    resource.role == AWS::IDC::PermissionSet::"arn:aws:sso:::permissionSet/ssoins-12345abcdef/ps-12345abcdef" &&
    resource.target in AWS::OrgUnit::"ou-123abc" &&
    resource.target.tags.contains({key: "department", value: "engineering"})
};
```

As you can see above, Cedar is **suuper** flexible. We can slice and dice authorization based on the AWS account tags, our AWS organization hierarchy, and our users' on-call status in PagerDuty. Pretty neat!

What's _not_ neat though is making typos in policies. If I fat-finger my policy code and write `Access::Action::"Reqeust"` instead of `Access::Action::"Request"`, Cedar won't match the action and I'll see an Access Denied.

<figure>
  <img
    src="/blog_posts/validating-cedar-with-github-actions/authorization-log.png"
    alt="Screenshot of authorization logs inside Common Fate showing many 'Access Denied' events"
  ></img>
  <figcaption>
  This is what our <a href="https://docs.commonfate.io/observability/authorization">
  authorization log</a> looks like when you fat-finger a policy.
  </figcaption>
</figure>

Fortunately, Cedar has some great tooling to validate your policies before they are deployed. We'll run through some of this tooling below, including a ✨ brand new ✨ [GitHub Action we've just released](https://github.com/marketplace/actions/validate-cedar-policies) to validate policies automatically.

## Validating locally

Cedar has support for type definitions similar to programming languages like [TypeScript](https://www.typescriptlang.org/). In Cedar, you use a [schema file](https://docs.cedarpolicy.com/schema/schema.html) to define the principals, actions, and resources used for authorization.

Writing a schema is straightforward, but because we want to get stuck into validation you can use one we've prepared earlier. [Create a new GitHub respository based on our Cedar template repository here](https://github.com/new?template_name=cedar-github-actions-testing-example&template_owner=common-fate). Once you've created it, clone the repository to your local machine.

The repository contains a demo policy, allowing everyone to view `Document` resources:

```cedar
permit (
    principal,
    action == Action::"View",
    resource is Document
);
```

To get set up for local policy validation we'll [install Rust](https://www.rust-lang.org/tools/install), then install the Cedar CLI:

```bash
cargo install cedar-policy-cli
```

Then, we can validate policies by running `cedar validate`:

```
❯ cedar validate --schema test.cedarschema.json --policies demo.cedar
  ☞ policy set validation passed
  ╰─▶ no errors or warnings
```

It's passing!

This is great, but it would be even better if we could have GitHub Actions run policy validations automatically when we make changes.

## Validating in GitHub Actions

Today we're releasing a [GitHub Action](https://github.com/marketplace/actions/validate-cedar-policies) allowing you to check for invalid policies as part of your Continuous Integration (CI) pipelines. Our GitHub Action adds annotations to your Pull Requests showing precisely where issues are.

![Screenshot of GitHub annotations created by the Cedar Validate action](/blog_posts/validating-cedar-with-github-actions/annotation-screenshot.png)

You can add the action to your GitHub Actions workflows by adding a `.github/workflows/cedar.yml` file containing the following:

```yaml
name: "Test"

on: [push]

jobs:
  cedar:
    name: Cedar
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Validate Policies
        uses: common-fate/cedar-validate-action@v1
        with:
          schema-file: ./example.cedarschema.json
          policy-files: "**/*.cedar"
```

## Policy validation in Common Fate

If you'd like to learn more about validating policies in Common Fate, you can read our [guide on developing authorization policies with continuous integration (CI)](https://docs.commonfate.io/authz/ci).

## What's next

We're planning on introducing additional tooling to help unit test Cedar policies using GitHub Actions. If you're interested in discussing this we'd love to hear from you in our [Slack community](https://join.slack.com/t/commonfatecommunity/shared_invite/zt-q4m96ypu-_gYlRWD3k5rIsaSsqP7QMg) - or you can follow us on [X](https://twitter.com/CommonFateTech) to stay updated.


A guide on how to validate Cedar authorization policies using GitHub Actions.

Validating Cedar policies with GitHub Actions


# Community Newsletter: March 2024

Hey everyone! Shwetha here with the latest tech update. If you're eager for deeper insights and real-time updates, make sure to join our [Slack community](https://join.slack.com/t/commonfatecommunity/shared_invite/zt-q4m96ypu-_gYlRWD3k5rIsaSsqP7QMg) or follow us on [Twitter](https://twitter.com/CommonFateTech).

Here's what's been happening in the world of Common Fate over the past month:

## DataStax Integration

We've introduced a built-in [DataStax](https://www.datastax.com/) Integration for seamless, just-in-time access to roles within DataStax. Learn more about the setup and process [here](https://docs.commonfate.io/integrations/datastax). Want to see this in action? Book a live demo using [this link](https://savvycal.com/common-fate/d3c7f2e9).

![](https://mcusercontent.com/69860be79239e5e8d492037c9/images/6dee01e1-9d74-0060-e64f-9947eba145f3.png)

## Authorization Logs

We have added authorization logs to inspect and debug authorization events within Common Fate. Each time an authorization decision is made, Common Fate stores a log of the evaluation. In [this guide](https://docs.commonfate.io/observability/authorization), you’ll learn how to use authorization logs to debug your authorization policies.

![](https://mcusercontent.com/69860be79239e5e8d492037c9/images/79f55254-4a0c-f4e9-f13b-7a1a6a6f67d6.png)

## Fourtheorem Blog Post

We were recently featured on Fourtheorem’s blog post on Managing AWS accounts like a PRO, which goes through the process of setting up IAM Identity Center with Granted to obtain credentials through Granted.

[You can read the blog post here](https://fourtheorem.com/managing-aws-accounts-part-1/)

![](https://mcusercontent.com/69860be79239e5e8d492037c9/images/21cbc61d-de82-86e0-6380-71a03eaeb007.png)

## Granted Updates

In our ongoing commitment to enhancing Granted, we're excited to share the latest updates:

**Added support for refreshable AWS SSO:**

- You can now add `granted_sso_registration_scopes = sso:account:access` to your `~/.aws/config`, which will cause Granted to respect the [session duration](https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html) in IAM Identity Center. This can be extended to prompt less frequently. Supplying the `sso:account:access` scope will cause IAM Identity Center to return a refreshable access token, with a total allowed session time in accordance with your configured AWS SSO session length.

**IAM Federated logins now have attributable username in Cloudtrail**

- The changes refactor the way federation token ID is used for AWS IAM credentials. Instead of relying on the `userID` which was previously parsed, the code now uses the `userName` which is more easily attributable to the IAM user name in the Cloudtrail events list view. Thank you to [@matthewhembree](https://github.com/matthewhembree) for their contributors on this.

A big shoutout to our first-time contributors:

- [@CodyDunlap](https://github.com/CodyDunlap) made their first contribution in [#611](https://github.com/common-fate/granted/pull/611)
- [@matthewhembree](https://github.com/matthewhembree) made their first contribution in [#626](https://github.com/common-fate/granted/pull/626)
- [@keymon](https://github.com/keymon) made their first contribution in [#619](https://github.com/common-fate/granted/pull/619)

For a comprehensive list of changes, please visit our [changelog](https://github.com/common-fate/granted/releases).

Your voice shapes our tools. We value your feedback, suggestions, and ideas, so please don't hesitate to get in touch.

Until next time,

The Common Fate Team



# Community Newsletter: February 2024

Hey everyone! Shwetha here with the latest tech update. If you're eager for deeper insights and real-time updates, make sure to join our [Slack community](https://join.slack.com/t/commonfatecommunity/shared_invite/zt-q4m96ypu-_gYlRWD3k5rIsaSsqP7QMg) or follow us on [Twitter](https://twitter.com/CommonFateTech).

Here's what's been happening in the world of Common Fate over the past month:

## **Common Fate IAM Analytics**

Common Fate now provides analytics to identify unused entitlements. We can audit trails across each cloud account and create a centralized usage report. Your cloud provider has some built-in services to provide IAM analytics, like **[AWS IAM Access Analyzer](https://aws.amazon.com/iam/access-analyzer/)**. Our analytics are different in that our results span usage across all of your cloud accounts, rather than findings for an individual IAM role.

In practice, we’ve found this to be complimentary with analysis tooling like IAM Access Analyzer. Currently, we support entitlements analysis for AWS IAM Identity Center. Want to learn more? Book a live demo using [this link](https://savvycal.com/common-fate/d3c7f2e9).

![](https://mcusercontent.com/69860be79239e5e8d492037c9/images/619552eb-8f5d-4a60-ec6f-4ba345683955.png)

## **Common Fate's New and Improved UI**

We're excited to announce the upgraded web UI for our platform, enhancing your experience, particularly focusing on streamlining the Access Requests process. This change also makes it possible to request multiple entitlements at once.

![](https://mcusercontent.com/69860be79239e5e8d492037c9/images/a3ae3a44-601a-3416-72fe-2ec5b984a0ae.png)

## **Sunsetting Glide**

Our open-source project, [Glide](https://github.com/common-fate/glide), will be transitioning to a sunset phase, with the project being archived in May. Glide will be put into maintenance now and the project will be archived on 16th May 2024. During the maintenance period, we will publish critical operations or security fixes where required. After the maintenance period, we will archive the project and the project source code will become read-only.

We appreciate all of you for contributing to Glide and our community. However, as a small team, keeping up with multiple projects has proven to strain our resources and is not sustainable. If you are a current Glide user and would like to transition to our identity platform, please contact us, and we'll ensure your transition is smooth and provide support throughout the process. We have more details on why we had to make these decisions in our [blog post here](https://www.commonfate.io/blog/sunsetting-glide).

Your voice shapes our tools. We value your feedback, suggestions, and ideas, so please don't hesitate to get in touch.

Until next time,

The Common Fate Team
