I’m having trouble finding the right docs/info around the security boundaries and permissions available for isolating application components and users from each other on fly.io. What are the recommended patterns for implementing the following basic capabilities?
- Isolated dev / production environments
- Least-permission “role” accounts for deployment, debugging, etc
The base-line requirements that I’m trying to implement are that:
- developers have full access to the dev environment to deploy/monitor/inspect, but only read-only access to the production environment
- all deployments and changes to the production environment are driven from a “role” account that pushes from our trusted CI/CD system. Developers should not be able to push or modify anything in the production environment.
- sensitive components in production (e.g. token store, vault component) can be protected from riskier components (e.g. web frontend).
I cannot find any documentation on what the security guarantees / isolation boundaries between apps in the same organisation are. Other than ports exposed on the 6PN what access do apps within an organisation have to each other? It sounds like logs are shared at some layer, but I cannot find any other details on the security/isolation guarantees provided between apps within an organisation - is use-case #3 a supported one for apps, or is the intent here that sensitive components would go in a separate organisation?
Likewise, how do I lock down a developer account from being able to have write/modify access to an app or organisation? This doesn’t seem to be possible from any of the docs I can find - have I missed something?
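One way the first two requirements are commonly approached, as an added example that is not part of the original post and does not reflect any fly.io-documented policy: keep dev and production as separate organisations/apps, and route production deploys through a CI-only wrapper that refuses to run unless it is inside CI with a deploy token present. The organisation and app names (`acme-dev-web`, `acme-prod-web`) and the `fly.<env>.toml` file naming are placeholders assumed for the example; `FLY_API_TOKEN` is the environment variable flyctl reads for its credential.

```shell
#!/bin/sh
# Added example (not from the original post): a CI-side deploy wrapper that
# keeps the production deploy path separate from developer machines.
# Assumptions (placeholders, not from the post): dev and prod are separate
# fly.io organisations with apps "acme-dev-web" / "acme-prod-web", and CI holds
# a deploy token for the prod app in FLY_API_TOKEN, which flyctl reads.

# Map a git branch to the environment it may deploy to: only main may target
# production, everything else goes to dev.
env_for_branch() {
    case "$1" in
        main) echo prod ;;
        *)    echo dev ;;
    esac
}

# App name for an environment (placeholder names).
app_for_env() {
    case "$1" in
        prod) echo "acme-prod-web" ;;
        dev)  echo "acme-dev-web" ;;
        *)    return 1 ;;
    esac
}

# Policy check: a production deploy is allowed only when running inside CI
# AND a token is present. A developer shell normally satisfies neither, so
# production stays CI-only. Dev deploys are always allowed.
# Arguments: env is_ci token. Returns 0 when allowed, 1 otherwise.
prod_deploy_allowed() {
    env="$1"; is_ci="$2"; token="$3"
    if [ "$env" != prod ]; then
        return 0
    fi
    [ "$is_ci" = "true" ] && [ -n "$token" ]
}

# Deploy the app for the given branch, enforcing the policy above.
deploy() {
    branch="$1"
    env=$(env_for_branch "$branch")
    app=$(app_for_env "$env") || { echo "unknown env $env" >&2; return 1; }
    if ! prod_deploy_allowed "$env" "${CI:-false}" "${FLY_API_TOKEN:-}"; then
        echo "refusing to deploy $app outside CI" >&2
        return 1
    fi
    # flyctl picks FLY_API_TOKEN up from the environment; in CI that is a
    # deploy token scoped to this app rather than a developer's personal token.
    flyctl deploy --app "$app" --config "fly.$env.toml"
}
```

Usage in a pipeline would be `deploy "$BRANCH_NAME"` with `CI=true` and `FLY_API_TOKEN` injected as a CI secret; on a developer workstation the same call for `main` is refused before flyctl is ever invoked, while dev deploys proceed normally.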