Requests

Lifecycle

The diagram below illustrates the lifecycle of a request:

flowchart TD
    SUBMITTED[Submitted] --> PENDING_APPROVAL{Pending\nApproval}
    PENDING_APPROVAL -- Approval\ntimeout --> TIMED_OUT[Timed Out]
    PENDING_APPROVAL --> APPROVED[Approved]
    PENDING_APPROVAL --> DENIED[Denied]
    PENDING_APPROVAL -- User cancels --> CANCELED[Canceled]
    APPROVED -- Readout\ntimeout ----> TIMED_OUT
    APPROVED -- Readouts\ncompleted\nor expired --> COMPLETED[Completed]
    APPROVED -- Update\nperformed --> COMPLETED
    APPROVED --> PENDING_DELETION{Pending\nDeletion}
    APPROVED -- User cancels ----> CANCELED
    PENDING_DELETION -- Deletion\ndelay expires --> DELETE_ACCOUNT[Delete Account]
    PENDING_DELETION -- User aborts ---> DELETION_ABORTED[Deletion Aborted]
    DELETE_ACCOUNT --> COMPLETED

Flows

Request

The diagram below shows the actions performed after a request is submitted:

sequenceDiagram
    participant User
    participant API
    participant Workflow
    participant DynamoDB
    participant Approvers
    autonumber
    User ->>+ API: Submit request
    Note over API: Check user permissions
    API -->> DynamoDB: Store request
    API --)+ Workflow: Start workflow
    API -->>- User: Request id
    Note over Workflow: Auto-created onboarding<br>requests are auto-approved
    Workflow ->> Approvers: Send approval request emails
    Approvers ->>+ API: Make approval decision
    API ->>- Workflow: Progress workflow
    Workflow --) DynamoDB: Record decision
    Workflow --)- User: Send decision email

Onboard Account

When onboarding an account, the API will auto-create and auto-approve a request with action ONBOARD so the user can perform a token sync. The auto-approval is valid for 48 hours by default. Once the first readout is requested, the request (by default) will only remain valid for 10 minutes or 6 readouts, whichever comes first.

Info

It is impossible for a user to create a request with action ONBOARD, as it is a reserved action that can only be set by the API during an account onboarding.

sequenceDiagram
    participant User
    participant API
    participant KMS
    participant SSM
    participant DynamoDB
    autonumber
    User ->>+ API: New account
    Note over API: Check user permissions
    API ->>+ KMS: Encrypt
    KMS -->>- API: Encrypted secret
    API --) SSM: Create new parameter
    API --) DynamoDB: Create account
    API --) DynamoDB: Auto-create onboarding request
    API -->>- User: Request id

Token Readout

Once a request is approved, the approval is only valid for a short window (default 48 hours).

Furthermore, once the first readout has been performed, the user will have only 15 minutes (by default) to perform any additional readouts, up to a maximum of 10 readouts. If the user attempts to perform a readout after the window has expired or the maximum number of readouts has been reached, they will be denied and will have to submit a new request.

sequenceDiagram
    participant User
    participant API
    participant SSM
    participant KMS
    participant DynamoDB
    autonumber
    User ->>+ API: Get token readout
    Note over API: Check if approved
    Note over API: Check if readout window<br>or max readouts exceeded
    API ->>+ SSM: Get secret
    SSM -->>- API: Encrypted secret
    API ->>+ KMS: Decrypt secret
    KMS -->>- API: Decrypted secret
    API --) DynamoDB: Record readout
    API -->>- User: Token code
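
The readout checks described above, sketched as an added example (this is not the project's own code). The `Request` fields, the `READOUT` action name, the reason strings, and moving the request to `TIMED_OUT` or `COMPLETED` at the moment an attempt is denied are assumptions; the default limits and `ONBOARD` are taken from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Defaults quoted on this page; all names below are assumptions.
APPROVAL_VALIDITY = timedelta(hours=48)
LIMITS = {  # action -> (window after first readout, max readouts)
    "READOUT": (timedelta(minutes=15), 10),  # hypothetical action name
    "ONBOARD": (timedelta(minutes=10), 6),
}

@dataclass
class Request:
    action: str
    status: str  # lifecycle state, e.g. "APPROVED"
    approved_at: Optional[datetime] = None
    first_readout_at: Optional[datetime] = None
    readout_count: int = 0

def try_readout(req: Request, now: datetime) -> tuple[bool, str]:
    """Decide one readout attempt; on success, record it on the request."""
    if req.status != "APPROVED" or req.approved_at is None:
        return False, "not approved"
    window, max_readouts = LIMITS[req.action]
    if req.first_readout_at is None:
        # No readout yet: only the approval validity applies.
        if now > req.approved_at + APPROVAL_VALIDITY:
            req.status = "TIMED_OUT"
            return False, "approval expired"
        req.first_readout_at = now  # starts the short readout window
    elif now > req.first_readout_at + window:
        req.status = "COMPLETED"
        return False, "readout window expired"
    elif req.readout_count >= max_readouts:
        req.status = "COMPLETED"
        return False, "max readouts reached"
    req.readout_count += 1
    return True, "ok"

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    req = Request("READOUT", "APPROVED", approved_at=t0)
    for minutes in (0, 5, 16):
        print(minutes, try_readout(req, t0 + timedelta(hours=1, minutes=minutes)))
```

In a shared store, the count check and the increment need to be a single conditional write; otherwise concurrent readouts can exceed the maximum.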

Update Secret

sequenceDiagram
    participant User
    participant API
    participant KMS
    participant SSM
    participant DynamoDB
    autonumber
    User ->>+ API: New secret
    Note over API: Check if approved
    API ->>+ KMS: Encrypt
    KMS -->>- API: Encrypted secret
    API --) SSM: Store encrypted secret
    API --) DynamoDB: Complete request
    API -->>- User: Success

Delete Account

After a request to delete an account is approved, it will switch to a wait state for 30 days (by default).

At any point during the pending deletion window, the deletion can be aborted and the account restored to a working status.

Email notifications will be sent out to the requester and approvers on days 0, 10, and 20. On day 30, the account will be deleted and cannot be restored. However, the account can be onboarded again.

sequenceDiagram
    participant User
    participant Workflow
    participant SSM
    participant DynamoDB
    autonumber
    Workflow ->> Workflow: Delay deletion for X days
    Note over Workflow: Requester/approvers can abort<br>deletion anytime before delay expires
    Workflow --) SSM: Delete parameter
    Workflow --) DynamoDB: Delete account
    Workflow --) DynamoDB: Complete request
    Workflow -->> User: Send deletion confirmation emails