security questions

Hi!

I did look through both the docs and this community, and unfortunately, I’m not finding clear answers. So if you don’t mind, some questions:

Suppose an employee loses his/her laptop.

  • What action am I supposed to take in the UI? I see a remove user, but nothing else.
  • How do I clear all tokens or session cookies or permissions associated with that user?
  • How do I verify this has been successfully done?
  • Is there any way to review all actions taken by a user within a time period w/o shipping those logs off to a log platform and setting up that dashboard externally?
  • I saw on the forum that there is a wg list command that I can use. Do you have a maintained list of all the places / commands I need to run to verify that an account has zero access?

Suppose I created a token via fly auth token (as per the instructions on setting up a log shipper):

  • What is the lifetime of that fly token?
  • Is it bound to the user or to the project?
  • Why doesn’t it show up in Organization → Tokens for any organization I’m part of?
  • How would I detect what is using it? I created or accessed, I’m not sure, the token while setting up a log shipper.
  • How is that different from the tokens listed under Account → Access Tokens?
  • How would I revoke tokens associated w/ a user?
  • Can any user who can see a project create tokens?
  • Are there logs on token creation? Creating and revoking an org token did not seem to generate anything, or maybe I have it misconfigured?

Thanks for your help.

Cheers,

Earl

Just a quick note that this sparked an internal discussion which is why nobody jumped in and spitballed an answer. We’ll get something written up here ASAP. This was a super useful post, thank you for writing it.

ty for your help :slight_smile:

Hey Earl,

There are a lot of questions here so I’m going to try to answer them all generally and then feel free to follow up with questions on anything which you still need clarifications on. If you’re after a token just for the log shipper you can generate a read only token scoped to your org with fly tokens create readonly <org-slug>.

If you’re worried someone malicious has gained access to an employee’s laptop there are 3 credentials you need to revoke to remove access to your organizations:

  1. Remove the user from your orgs.
  2. Delete any WireGuard peers they’ve created in your orgs. These can be found in fly wg list
  3. Revoke any org and app tokens they’ve created. These can be found and revoked through fly tokens list -s org or the revoke button in the UI.

Neither fly wg list nor fly tokens list -s org lists who created the token or WireGuard peer; this can only be seen for tokens in the UI. I’m going to look into adding these to the cli ASAP.

For fly log shipper you can generate a scoped macaroon token with appropriate caveats with FLY_API_TOKEN=$(fly tokens org personal) flyctl tokens attenuate -f caveats.json and the following caveats.json. Log shipper only sends your application logs.

Audit logs are not available to users, so currently there is no way for you to see the actions a user in your org has taken. It’s something myself and others are working on though, we just can’t make any promises as to when it’ll be ready for you to use.

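The three revocation steps above, written up as a runbook script. This is an added example, not Fly.io’s code or anything from the thread’s authors. It assumes flyctl is installed and authenticated as an admin of the org, that the subcommands are exactly the ones named in the answer (fly wg list, fly tokens list -s org), and, as an assumption to check against `fly tokens list --help`, that `-o <org>` selects the org for the tokens listing. Because the CLI does not show who created a peer or token, the script can only list them and keep a timestamped record for manual review; it does not delete anything on its own.

```shell
#!/bin/sh
# Lost-laptop offboarding runbook (added example; not Fly.io's own tooling).
# Assumes: flyctl installed and logged in as an org admin; `fly wg list <org>`
# and `fly tokens list -s org` as named in the thread; `-o <org>` on tokens
# list is an assumption, verify with `fly tokens list --help`.
# Usage: OFFBOARD_ORG=my-org OFFBOARD_USER=alice sh offboard.sh
#        DRY_RUN=1 prints the commands instead of running them.
set -eu

# Emit the commands for one org, one per line. Step 1 (removing the user from
# the org) is a dashboard action, so it is emitted as a reminder comment.
offboard_commands() {
  org="$1"; user="$2"
  printf '%s\n' \
    "# step 1: remove $user from $org in the dashboard (Organization -> Members)" \
    "fly wg list $org" \
    "fly tokens list -s org -o $org"
}

# Run each command (or only echo it when DRY_RUN=1) and keep everything that
# was printed in a timestamped evidence file. The listings after the cleanup
# are the "verify it worked" record: any peer or token that still appears and
# cannot be attributed to a current employee needs to be removed by hand,
# since the CLI does not show who created it.
run_offboard() {
  org="$1"; user="$2"
  evidence="offboard-$org-$(date -u +%Y%m%dT%H%M%SZ).log"
  offboard_commands "$org" "$user" | while IFS= read -r cmd; do
    case "$cmd" in
      '#'*) printf '%s\n' "$cmd" ;;
      *)
        printf '$ %s\n' "$cmd"
        if [ "${DRY_RUN:-0}" = 1 ]; then
          printf '(dry run)\n'
        else
          # Keep going on failure so the evidence file records every step.
          sh -c "$cmd" || printf '!! command failed (exit %s)\n' "$?"
        fi
        ;;
    esac
  done | tee "$evidence"
  echo "evidence saved to $evidence" >&2
}

# Only run when invoked with the environment variables set, so the file can
# also be sourced for its functions.
if [ -n "${OFFBOARD_ORG:-}" ] && [ -n "${OFFBOARD_USER:-}" ]; then
  run_offboard "$OFFBOARD_ORG" "$OFFBOARD_USER"
fi
```

Run it once immediately after removing the user and again after deleting the peers and revoking the tokens you identified; the two evidence files give a before/after record for the runbook, which also covers the "how do I verify this has been done" question above until audit logs are available.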

Hi Moss –

Thanks a bunch for your help. I think I have what I need for our internal runbook re: someone leaving their laptop in the car and getting it jacked.

re: audit logs, just in case it wasn’t obvious, our use case: I just want to stream them to a log viewer and be able to review any actions taken by an account in the time window between losing control of an endpoint with creds on it and me resetting the account. 99.9% it’s just theft, but I want to be able to make sure.

one Q: did you intend to attach a “caveats.json”? ty

Sorry, I was looking at some caveats but realised that the org read only token already gets you 90% of the way there and forgot to remove that from my answer.

You can generate it with fly tokens create readonly <org-slug>.

Streaming audit logs to a 3rd party is a bit further down the line but definitely on the radar. We should have some audit logs available in the organisation dashboard soon!


I’ve just merged the change to add a CREATED BY column to fly tokens list, which should be rolled out in the next release of flyctl
