Has anyone added users to an AWS IAM group when they go on call?

We’re a small shop, so people have to wear many hats. I’m trying to institute better security through user privilege limitation in AWS. But when users go on call, they need to be able to respond to incidents where they may need to follow instructions or investigate things that require permissions beyond the normal privileges of their role. I’d like to have a special IAM role that grants extended privileges to the on-call engineer, and I’d like to have membership in that role be controlled by PagerDuty, where the user is placed in the role when they go on call and removed from the role when they go off call.

How might one go about doing this? Is there any combination of webhooks and Lambda functions that could do this? Any easier way?

Hi there!

Thanks for reaching out!

We don’t have an equivalent in PagerDuty to AWS’ IAM roles. As I mentioned in my reply to your other post, you could use our REST API’s on-calls endpoint to see who is on call and then make adjustments to the user in AWS accordingly. If you’d like, we could submit a feature request to our Product Team around being able to configure webhooks for when users go on/off call. Please write to us directly at support@pagerduty.com and feel free to reference this post or ticket #338160, and we’d be happy to submit it for you.

Please let me know if this is helpful or you have additional questions.

Regards,

Alex Engelmann
Technical Support Specialist
PagerDuty.com

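The polling approach the reply suggests (query the on-calls endpoint, then adjust IAM membership), written out as an added example; this is not PagerDuty's or AWS's code. It assumes a scheduled Lambda, an IAM group (not a role) carrying the elevated policy, escalation level 1 as the primary on-call, and an operator-maintained map from PagerDuty user id to IAM user name in the `PD_TO_IAM` environment variable; the sample `/oncalls` payload is constructed.

```python
import json
import os
import urllib.request
PD_API = "https://api.pagerduty.com"

# Constructed sample of a GET /oncalls response (shape only, ids are made up).
SAMPLE_ONCALLS = {"oncalls": [
    {"user": {"id": "PABC123"}, "escalation_level": 1},
    {"user": {"id": "PDEF456"}, "escalation_level": 2},
]}

def oncall_user_ids(oncalls_response, level=1):
    """Collect PagerDuty user ids that are on call at the given escalation level."""
    return {oc["user"]["id"] for oc in oncalls_response.get("oncalls", [])
            if oc.get("escalation_level") == level}

def fetch_oncall_user_ids(api_token, escalation_policy_id, level=1):
    """Query the REST API's on-calls endpoint for one escalation policy."""
    url = f"{PD_API}/oncalls?escalation_policy_ids[]={escalation_policy_id}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Token token={api_token}",
        "Accept": "application/vnd.pagerduty+json;version=2",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return oncall_user_ids(json.load(resp), level)

def plan_membership(desired, current):
    """Diff desired vs. current members; returns (to_add, to_remove), both sorted."""
    desired, current = set(desired), set(current)
    return sorted(desired - current), sorted(current - desired)

def sync_group(iam, group_name, desired_users):
    """Make the IAM group contain exactly desired_users. `iam` is a boto3 IAM client."""
    current = [u["UserName"] for u in iam.get_group(GroupName=group_name)["Users"]]
    to_add, to_remove = plan_membership(desired_users, current)
    for name in to_add:
        iam.add_user_to_group(GroupName=group_name, UserName=name)
    for name in to_remove:  # whoever went off call loses the elevated group
        iam.remove_user_from_group(GroupName=group_name, UserName=name)
    return to_add, to_remove

def handler(event, context):
    """Lambda entry point, run on a schedule (e.g. every 5 minutes). Assumed env vars:
    PD_TOKEN, PD_ESCALATION_POLICY, ONCALL_GROUP, PD_TO_IAM (JSON map PD user id -> IAM user)."""
    import boto3  # imported here so the pure functions above work without boto3 installed
    pd_to_iam = json.loads(os.environ["PD_TO_IAM"])
    on_call = fetch_oncall_user_ids(os.environ["PD_TOKEN"], os.environ["PD_ESCALATION_POLICY"])
    desired = [pd_to_iam[pid] for pid in on_call if pid in pd_to_iam]
    return sync_group(boto3.client("iam"), os.environ["ONCALL_GROUP"], desired)
```

The Lambda's execution role only needs `iam:GetGroup`, `iam:AddUserToGroup` and `iam:RemoveUserFromGroup` scoped to that one group, and a user missing from `PD_TO_IAM` is simply never added, so an unmapped PagerDuty account cannot gain the elevated group. `get_group` is read without pagination here, which is fine for a one- or two-member on-call group.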