Manage your IAM resources via Terraform? Now you can manage your Common Fate Access Rules via your Terraform workflow too!

Common Fate Terraform Provider

Don't like reading? Check out a quick demonstration <a href="https://www.loom.com/share/5ee3324326024854bfa5a0adf1223a58">here</a>.
Manage your IAM resources via Terraform? Now you can manage your Common Fate Access Rules via your Terraform workflow too!
Currently, the only way for users of Common Fate to create Access Rules is via the admin panel on the frontend. We chatted with our community and this seemed like a pain point. So we listened, and in <a href="https://github.com/common-fate/rfds/discussions/9">RFD #9</a> we discussed the idea of a Common Fate Terraform Provider.
Fast forward a few weeks, and we have a freshly baked Terraform Provider!
So what does this all actually mean?
<ul>
<li>Quickly and programmatically manage the life cycle of Access Rules with Terraform.</li>
<li>Closely couple the creation of Access Rules with other cloud resources, like AWS IAM Identity Centre resources.</li>
</ul>
Here’s an example:
<pre><code class="language-hcl">resource "commonfate_access_rule" "s3-example" {
 name ="s3ListBuckets"
 description="Allows users to view buckets in AWS"
 groups=["common_fate_administrators"]
 target=[
 {
 field="accountId"
 value=["123456789012"]
 },
 {
 field="permissionSetArn"
 value=[aws_ssoadmin_permission_set.example.arn]
 }
 ]
 target_provider_id="aws-sso-v2"
 duration="3600"
}
</code></pre>
Great! Now how do you get started? If you already have a Common Fate deployment <a href="https://registry.terraform.io/providers/common-fate/commonfate/latest/docs">visit the docs</a>. Don’t have a Common Fate deployment yet? Get started in 5 minutes <a href="https://docs.commonfate.io/common-fate/deploying-common-fate/deploying-common-fate">here</a>!
Let us know how you go, we’d love to hear from you!

At Common Fate we're big fans of [authorization-as-code](https://docs.commonfate.io/authz/introduction). Treating your authorization policies as source code means you can test and review changes using your existing tools like Terraform and GitHub. We use [Cedar](http://www.cedarpolicy.com) as the authorization-as-code framework in [our product](https://docs.commonfate.io/introduction).

Here's an example Cedar policy you might write:

```cedar
@advice("You can request access because you're currently on-call.")
permit (
 principal in PagerDuty::OnCall::"PDXYZ123",
 action == Access::Action::"Request",
 resource is AWS::IDC::AccountEntitlement
)
when
{
 resource.role == AWS::IDC::PermissionSet::"arn:aws:sso:::permissionSet/ssoins-12345abcdef/ps-12345abcdef" &&
 resource.target in AWS::OrgUnit::"ou-123abc" &&
 resource.target.tags.contains({key: "department", value: "engineering"})
};
```

As you can see above, Cedar is **suuper** flexible. We can slice and dice authorization based on the AWS account tags, our AWS organization hierarchy, and our users' on-call status in PagerDuty. Pretty neat!

What's _not_ neat though is making typos in policies. If I fat-finger my policy code and write `Access::Action::"Reqeust"` instead of `Access::Action::"Request"`, Cedar won't match the action and I'll see an Access Denied.

<figure>
 <img
 src="/blog_posts/validating-cedar-with-github-actions/authorization-log.png"
 alt="Screenshot of authorization logs inside Common Fate showing many 'Access Denied' events"
 ></img>
 <figcaption>
 This is what our <a href="https://docs.commonfate.io/observability/authorization">
 authorization log</a> looks like when you fat-finger a policy.
 </figcaption>
</figure>

Fortunately, Cedar has some great tooling to validate your policies before they are deployed. We'll run through some of this tooling below, including a ✨ brand new ✨ [GitHub Action we've just released](https://github.com/marketplace/actions/validate-cedar-policies) to validate policies automatically.

## Validating locally

Cedar has support for type definitions similar to programming languages like [TypeScript](https://www.typescriptlang.org/). In Cedar, you use a [schema file](https://docs.cedarpolicy.com/schema/schema.html) to define the principals, actions, and resources used for authorization.

Writing a schema is straightforward, but because we want to get stuck into validation you can use one we've prepared earlier. [Create a new GitHub respository based on our Cedar template repository here](https://github.com/new?template_name=cedar-github-actions-testing-example&template_owner=common-fate). Once you've created it, clone the repository to your local machine.

The repository contains a demo policy, allowing everyone to view `Document` resources:

```cedar
permit (
 principal,
 action == Action::"View",
 resource is Document
);
```

To get set up for local policy validation we'll [install Rust](https://www.rust-lang.org/tools/install), then install the Cedar CLI:

```bash
cargo install cedar-policy-cli
```

Then, we can validate policies by running `cedar validate`:

```
❯ cedar validate --schema test.cedarschema.json --policies demo.cedar
 ☞ policy set validation passed
 ╰─▶ no errors or warnings
```

It's passing!

This is great, but it would be even better if we could have GitHub Actions run policy validations automatically when we make changes.

## Validating in GitHub Actions

Today we're releasing a [GitHub Action](https://github.com/marketplace/actions/validate-cedar-policies) allowing you to check for invalid policies as part of your Continuous Integration (CI) pipelines. Our GitHub Action adds annotations to your Pull Requests showing precisely where issues are.

![Screenshot of GitHub annotations created by the Cedar Validate action](/blog_posts/validating-cedar-with-github-actions/annotation-screenshot.png)

You can add the action to your GitHub Actions workflows by adding a `.github/workflows/cedar.yml` file containing the following:

```yaml
name: "Test"

on: [push]

jobs:
 cedar:
 name: Cedar
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
 uses: actions/checkout@v4

 - name: Validate Policies
 uses: common-fate/cedar-validate-action@v1
 with:
 schema-file: ./example.cedarschema.json
 policy-files: "**/*.cedar"
```

## Policy validation in Common Fate

If you'd like to learn more about validating policies in Common Fate, you can read our [guide on developing authorization policies with continuous integration (CI)](https://docs.commonfate.io/authz/ci).

## What's next

We're planning on introducing additional tooling to help unit test Cedar policies using GitHub Actions. If you're interested in discussing this we'd love to hear from you in our [Slack community](https://join.slack.com/t/commonfatecommunity/shared_invite/zt-q4m96ypu-_gYlRWD3k5rIsaSsqP7QMg) - or you can follow us on [X](https://twitter.com/CommonFateTech) to stay updated.

A guide on how to validate Cedar authorization policies using GitHub Actions.

Validating Cedar policies with GitHub Actions


# Community Newsletter: March 2024

Hey everyone! Shwetha here with the latest tech update. If you're eager for deeper insights and real-time updates, make sure to join our [Slack community](https://join.slack.com/t/commonfatecommunity/shared_invite/zt-q4m96ypu-_gYlRWD3k5rIsaSsqP7QMg) or follow us on [Twitter](https://twitter.com/CommonFateTech).

Here's what's been happening in the world of Common Fate over the past month:

## DataStax Integration

We've introduced a built-in [DataStax](https://www.datastax.com/) Integration for seamless, just-in-time access to roles within DataStax. Learn more about the setup and process [here](https://docs.commonfate.io/integrations/datastax). Want to see this in action? Book a live demo using [this link](https://savvycal.com/common-fate/d3c7f2e9).

![](https://mcusercontent.com/69860be79239e5e8d492037c9/images/6dee01e1-9d74-0060-e64f-9947eba145f3.png)

## Authorization Logs

We have added authorization logs to inspect and debug authorization events within Common Fate. Each time an authorization decision is made, Common Fate stores a log of the evaluation. In [this guide](https://docs.commonfate.io/observability/authorization), you’ll learn how to use authorization logs to debug your authorization policies.

![](https://mcusercontent.com/69860be79239e5e8d492037c9/images/79f55254-4a0c-f4e9-f13b-7a1a6a6f67d6.png)

## Fourtheorem Blog Post

We were recently featured on Fourtheorem’s blog post on Managing AWS accounts like a PRO, which goes through the process of setting up IAM Identity Center with Granted to obtain credentials through Granted.

[You can read the blog post here](https://fourtheorem.com/managing-aws-accounts-part-1/)

![](https://mcusercontent.com/69860be79239e5e8d492037c9/images/21cbc61d-de82-86e0-6380-71a03eaeb007.png)

## Granted Updates

In our ongoing commitment to enhancing Granted, we're excited to share the latest updates:

**Added support for refreshable AWS SSO:**

- You can now add `granted_sso_registration_scopes = sso:account:access` to your `~/.aws/config`, which will cause Granted to respect the [session duration](https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html) in IAM Identity Center. This can be extended to prompt less frequently. Supplying the `sso:account:access` scope will cause IAM Identity Center to return a refreshable access token, with a total allowed session time in accordance with your configured AWS SSO session length.

**IAM Federated logins now have attributable username in Cloudtrail**

- The changes refactor the way federation token ID is used for AWS IAM credentials. Instead of relying on the `userID` which was previously parsed, the code now uses the `userName` which is more easily attributable to the IAM user name in the Cloudtrail events list view. Thank you to [@matthewhembree](https://github.com/matthewhembree) for their contributors on this.

A big shoutout to our first-time contributors:

- [@CodyDunlap](https://github.com/CodyDunlap) made their first contribution in [#611](https://github.com/common-fate/granted/pull/611)
- [@matthewhembree](https://github.com/matthewhembree) made their first contribution in [#626](https://github.com/common-fate/granted/pull/626)
- [@keymon](https://github.com/keymon) made their first contribution in [#619](https://github.com/common-fate/granted/pull/619)

For a comprehensive list of changes, please visit our [changelog](https://github.com/common-fate/granted/releases).

Your voice shapes our tools. We value your feedback, suggestions, and ideas, so please don't hesitate to get in touch.

Until next time,

The Common Fate Team


Here's our product and community news for March.

Community Newsletter: March 2024


# Community Newsletter: February 2024

Hey everyone! Shwetha here with the latest tech update. If you're eager for deeper insights and real-time updates, make sure to join our [Slack community](https://join.slack.com/t/commonfatecommunity/shared_invite/zt-q4m96ypu-_gYlRWD3k5rIsaSsqP7QMg) or follow us on [Twitter](https://twitter.com/CommonFateTech).

Here's what's been happening in the world of Common Fate over the past month:

## **Common Fate IAM Analytics**

Common Fate now provides analytics to identify unused entitlements. We can audit trails across each cloud account and create a centralized usage report. Your cloud provider has some built-in services to provide IAM analytics, like **[AWS IAM Access Analyzer](https://aws.amazon.com/iam/access-analyzer/)**. Our analytics are different in that our results span usage across all of your cloud accounts, rather than findings for an individual IAM role.

In practice, we’ve found this to be complimentary with analysis tooling like IAM Access Analyzer. Currently, we support entitlements analysis for AWS IAM Identity Center. Want to learn more? Book a live demo using [this link](https://savvycal.com/common-fate/d3c7f2e9).

![](https://mcusercontent.com/69860be79239e5e8d492037c9/images/619552eb-8f5d-4a60-ec6f-4ba345683955.png)

## **Common Fate's New and Improved UI**

We're excited to announce the upgraded web UI for our platform, enhancing your experience, particularly focusing on streamlining the Access Requests process. This change also makes it possible to request multiple entitlements at once.

![](https://mcusercontent.com/69860be79239e5e8d492037c9/images/a3ae3a44-601a-3416-72fe-2ec5b984a0ae.png)

## **Sunsetting Glide**

Our open-source project, [Glide](https://github.com/common-fate/glide), will be transitioning to a sunset phase, with the project being archived in May. Glide will be put into maintenance now and the project will be archived on 16th May 2024. During the maintenance period, we will publish critical operations or security fixes where required. After the maintenance period, we will archive the project and the project source code will become read-only.

We appreciate all of you for contributing to Glide and our community. However, as a small team, keeping up with multiple projects has proven to strain our resources and is not sustainable. If you are a current Glide user and would like to transition to our identity platform, please contact us, and we'll ensure your transition is smooth and provide support throughout the process. We have more details on why we had to make these decisions in our [blog post here](https://www.commonfate.io/blog/sunsetting-glide).

Your voice shapes our tools. We value your feedback, suggestions, and ideas, so please don't hesitate to get in touch.

Until next time,

The Common Fate Team


Here's our product and community news for February.

Community Newsletter: February 2024


Today, we would like to make some important announcements:

1. Our open source project Glide is being sunset.
2. Our team’s focus will shift exclusively to Common Fate’s identity platform, which also supports a JIT access use case.

## Sunsetting Glide

We have decided to sunset the Glide open source project.

Glide will be put into maintenance now and the project will be archived on 16 May 2024. During the maintenance period, we will publish critical operations or security fixes where required. At the conclusion of the maintenance period, we will archive the project and the project source code will become read-only.

Existing releases of Glide will remain published for the foreseeable future, including our CloudFormation deployment templates and `gdeploy` deployment CLI.

The main reasons for this decision are:

1. Our broader cloud identity security product, Common Fate, was to be built on top of Glide. During 2023 following user feedback and months of experimentation, we made a number of technical decisions and changes to the Common Fate product. Our codebase has diverged from the open source Glide project.
2. As a result, the differences that now exist between Glide and Common Fate would require us to resource and support both of these projects separately. We are still a small team and this has proven to be a strain on our resources and is not sustainable.
3. We believe that the changes we made to Common Fate during 2023 have improved the product and the overall user experience. This is a great outcome and paves the way for us to build the best product we can.

## Common Fate - Identity Platform

Our goal at Common Fate is to build an identity security platform fit for modern cloud-native teams. We believe that Common Fate’s identity platform is the way we will realise our goal and ultimately provide the greatest value for the greatest number of teams. As such, all of our team’s focus will be on this product from now onward.

Within the identity platform, we currently support the following use cases:

- JIT access for AWS
- JIT access for GCP
- Secure and auditable access for AWS RDS databases
- Risk monitoring and least privilege analytics for AWS Identity Centre

In future, we intend to expand our library of integrations, as well as expand out to non-human identities (more on this in another blog post).

You can read the docs for Common Fate’s identity platform [here](https://docs.commonfate.io/common-fate/introduction/).

## Next Steps

We understand that this announcement could create challenges for your company and we’re here to help. If you need assistance or would like to discuss this with us, please email support@commonfate.io or ping us in our [community Slack](https://join.slack.com/t/commonfatecommunity/shared_invite/zt-q4m96ypu-_gYlRWD3k5rIsaSsqP7QMg). We’re happy to take calls and help your team through this transition as best as we can.

If your team would like to transition from Glide to Common Fate’s identity platform, we’re on hand to help. We’re committed to offering the follow to minimise interruption:

- Hands on migration support.
- Introductory pricing discounts and premium support.
- Glide support up until 16 May 2024.

We appreciate the support of the community to date and look forward to building something great and continuing to service you all.

## FAQs

1. When will Glide be sunset?

   Glide will be immediately put into maintenance mode, with the project archived on 16 May 2024. After this date, the Common Fate team will no longer support or maintain the project.

2. What will happen to past versions of Glide?

   These versions will remain available for the foreseeable future and your team can continue to use them, although they will be unsupported by our core team beyond 16 May 2024.

3. How can I get support?

   The Common Fate team will offer support up until 16 May 2024. If you need support during this transition, please email support@commonfate.io or join our [Slack community](https://join.slack.com/t/commonfatecommunity/shared_invite/zt-q4m96ypu-_gYlRWD3k5rIsaSsqP7QMg) and ask one of our team members for help.

4. What happens to Granted?

   Nothing. Granted will continue to be supported and maintained by the Common Fate team and the strong community of Granted users.
