Listing Fastly users that can access a particular service
I was recently to supply a list of non-superuser user accounts that could access a given Service ID in Fastly, and what their role and permission was. This can be achieved with the Fastly CLI and command line utilities like jq.
I was recently to supply a list of non-superuser user accounts that could access a given Service ID in Fastly, and what their role and permission was.
The Fastly UI is not terribly useful for doing this, if your account is sufficiently large. At present, you would need to enumerate every single user, visit their access controls page, and then review which services they can access, and the permission level granted.
Users can be granted a range of roles, and within the engineer
role can be granted permissions as a service ID level.
Rather than do this by hand (on top of taking loads of time, it would be prone to human error), I wanted to work out how to achieve this through programmatic means.
Step 1 - Setup Fastly CLI
This tool is invaluable for dealing with Fastly on the command line. Installation instructions can be found on Fastly's website.
I then configure the CLI tool with environment variables in my ~/.zshrc
:
Step 2 - List service auth
This will list all user accounts that have access to a particular service ID $FASTLY_SERVICE_ID
:
N.B. This does not include users with access to all services (such as superuser
).
The output will be similar to:
Step 3 - List users
Having access to only the user ID is not that great, we still need to match this to a users email address
The output will be similar to:
Step 4 - Joining the 2 JSON files together
We now have 2 JSON files, that we need to merge, based on a shared key id
and it's value. We can use native JOIN
and INDEX
in jq
to do this (see the stackoverflow post):
The output is now pretty much perfect
You can make a CSV (with header row) with some additional effort (see the stackoverflow post):
$ jq 'JOIN(INDEX(inputs[];.id);.[];.id;add)' auth.json user.json | jq -s '.' | jq -r '(map(keys) | add | unique) as $cols | map(. as $row | $cols | map($row[.])) as $rows | $cols, $rows[] | @csv'
"created","email","id","locked","permission","role","tfa"
"2022-09-20T13:37:43Z","somebody@example.com","16Sw3VMRzrXXXXLQfL6aen",false,"purge_all","engineer",true
"2022-05-10T23:29:30Z","anotherperson@example.com","ZFVW99lVnYXXXXbohCv82",false,"purge_all","engineer",true
You could even turn this into a giant single one liner if you want, but I am happy with this being a multi-step process.