Multi-user external setup

Overview

This tutorial is part of the documentation for Juju's multi-user framework. See both Working with multiple users and External users for background information.

This short tutorial will show how to configure a controller to accept user connections based on authentication performed by a remote online service.

The following topics will be covered:

  • Controller creation
  • Login controller access
  • External user login

Controller creation

Duration: 01:00

We’ll begin by adding credentials and then creating an AWS-based controller:

juju add-credential aws -f credentials.yaml
juju bootstrap --config identity-url=https://api.jujucharms.com/identity --config allow-model-access=true aws aws-sso

In the above, the credentials file contains a single credential for the ‘aws’ cloud, allowing it to become the default credential in the subsequent bootstrap command.

The key ‘identity-url’ names the remote authentication service, and the key ‘allow-model-access’ bypasses a local user check when a user attempts a model connection.

Login controller access

Duration: 01:00

An external user is not granted ‘login’ access to the controller out of the box. It must be granted manually.

Assuming a username of ‘javierlarin72’, the syntax to use is the following:

juju grant javierlarin72@external login

Note the special use of the qualifier ‘@external’.

External user login

Duration: 03:00

To have the external user log in to controller ‘aws-sso’, run the following, presumably on a separate client system:

juju login -u javierlarin72@external -c aws-sso

You should be provided with a URL that will lead you to the identity service. This will allow you to authenticate the user.

Sample output:

Opening an authorization web page in your browser.
If it does not open, please open this URL:
https://api.jujucharms.com/identity/v1/login?waitid=d5ef4c371a6f517984dc5f2d2f7507a2
Couldn't find a suitable web browser!
Set the BROWSER environment variable to your desired browser.
welcome, javierlarin72@external. You are now logged into "aws-sso".

All done!
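The steps above can be wrapped in a few checks before login access is handed out. This is an added example, not part of the original tutorial or of Juju itself: the function names and the JUJU override variable are hypothetical, and it assumes `juju controller-config` and the `-c` controller option, neither of which appears on this page.

```shell
#!/bin/sh
# Added example, not from the tutorial: guard rails around the grant step.
# JUJU may be pointed at a stub for offline testing (assumption of this sketch).
JUJU="${JUJU:-juju}"

# The controller delegates authentication to this URL, so accept only https.
valid_identity_url() {
  case "$1" in
    https://?*) return 0 ;;
    *) return 1 ;;
  esac
}

# The tutorial's grant uses the '@external' qualifier; reject names without it.
is_external_user() {
  case "$1" in
    *@*@*|@*) return 1 ;;
    ?*@external) return 0 ;;
    *) return 1 ;;
  esac
}

# Confirm the running controller uses the identity service that was intended.
# Args: controller name, expected identity-url. Returns 2 if juju itself fails.
verify_controller() {
  vc_actual=$("$JUJU" controller-config -c "$1" identity-url) || return 2
  [ "$vc_actual" = "$2" ]
}

# Grant 'login' only to a properly qualified external user.
grant_login() {
  is_external_user "$2" || { echo "refusing: '$2' lacks @external" >&2; return 1; }
  "$JUJU" grant -c "$1" "$2" login
}

# Usage: sh preflight.sh <controller> <identity-url> <user@external>
if [ "$#" -eq 3 ]; then
  valid_identity_url "$2" || { echo "identity-url must be https" >&2; exit 1; }
  verify_controller "$1" "$2" || { echo "identity-url mismatch on $1" >&2; exit 1; }
  grant_login "$1" "$3"
fi
```

Run with the tutorial's values, it refuses to grant anything if the controller's identity-url differs from the one expected or if the username is missing the ‘@external’ qualifier.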
