Documentation Index
Fetch the complete documentation index at: https://docs.fastfoundation.nimble.la/llms.txt
Use this file to discover all available pages before exploring further.
Understanding the Configuration
User and access group definitions live in your Infrastructure as Code (IaC) repository as Terragrunt parameters.
There are two main building blocks:
Access groups define what users can access and the permissions they have.access_groups = [
{
name = "DevelopmentTeam"
description = "Full access for development team"
session_duration = "PT8H"
customer_managed_policies = []
inline_policies = [
{
name = "EKSClusterAccess"
statements = [
{
sid = "EKSFullAccess"
actions = ["eks:*"]
resources = ["*"]
}
]
}
]
aws_managed_policies = [
"arn:aws:iam::aws:policy/PowerUserAccess"
]
accounts_names = [
"workload-development",
"workload-staging"
]
}
]
Users represent individuals in your organization. Each user belongs to one or more groups, which determine their access:users = [
{
username = "jane.smith"
display_name = "Jane Smith"
email = "jane.smith@company.com"
given_name = "Jane"
family_name = "Smith"
groups = [
"DevelopmentTeam",
"LogsReadOnly"
]
}
]
Access Group Examples
Full administrative rights to specific accounts:{
name = "InfrastructureAdmins"
description = "Full administrative access to infrastructure"
session_duration = "PT2H"
aws_managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
accounts_names = ["infrastructure"]
}
Developer access with custom EKS (Elastic Kubernetes Service) permissions:{
name = "DEV-Developers"
description = "Developers Access to DEV accounts."
relay_state = "https://console.aws.amazon.com/secretsmanager"
session_duration = "PT8H"
customer_managed_policies = []
inline_policies = [
{
name = "secretsManagerAccess",
statements = [
{
sid = "readwriteSecrets",
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecret"
],
resources = ["*"],
conditions = [
{
test = "StringEquals",
variable = "aws:resourceTag/team",
values = ["developers"]
}
]
},
{
sid = "listSecrets",
actions = [
"secretsmanager:ListSecrets"
],
resources = ["*"]
}
]
},
]
aws_managed_policies = []
accounts_names = [
"workload-development"
]
}
Limited, read-only access for audit and compliance teams:{
name = "Auditors"
description = "Read-only access for compliance auditing"
session_duration = "PT4H"
aws_managed_policies = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
accounts_names = [
"workload-production",
"workload-development",
"security-tooling"
]
}
Best Practices
- Use descriptive names – Make it obvious what each group is for
- Follow least privilege – Grant only the permissions required
- Adjust session durations by environment – Shorter in production, longer in development
- Document group purposes – Clear descriptions prevent confusion later
- Review regularly – Periodically audit and remove unused users or groups
