Founded in 2012, Stackdriver provides a monitoring service for cloud-powered applications, enabling its customers to track performance and availability of their cloud services. The company’s tools relieve the burden associated with patchwork monitoring solutions, nip availability and performance problems in the bud, and enables customers to deploy their DevOps teams strategically rather than tactically. Stackdriver customers include Smugmug, 99designs, Vocalocity, Extreme Reach, 8k Miles, and Chopra Center. The company was founded by Izzy Azeri and Dan Belcher and is based in Boston, Mass.
When Stackdriver opened its doors, the company used a general solution that monitored many cloud providers. But as its business grew, the company needed to scale its business to meet demand. Customers included some of the hottest web properties in the US, so finding a cloud provider that would scale with Stackdriver was critical. “We had just finished our Series-B financing round, and we were developing a free trial to show customers what Stackdriver could do for them,” Belcher says. “We needed a high-quality experience right from the very beginning, including for the trial period.” The company needed a solution that offered rapid deployment—its customers needed to be able to quickly access the cloud, collect information about the services and resources that are being used, and generate relevant dashboards. “We needed a way to gather information from multiple accounts in a simple and straightforward way—and most critically, we needed a full-featured identity service that scaled as fast as our business,” Belcher says.
Stackdriver uses Amazon Web Services (AWS) Identity and Access Management (IAM) to access AWS accounts on behalf of their customers. An IAM best practice is to use cross-account access, which grants an IAM user in one AWS account access to resources in another AWS account. Customers use cross-account access to provide Stackdriver with temporary and limited access to their AWS account(s), enabling Stackdriver to gather data for analysis. See Figure 1 for an illustration.
The customer creates an IAM role that grants Stackdriver specific permissions in the customer's account. When Stackdriver needs to perform monitoring operations, they run a process that assumes the role, giving temporary and limited access to the customer’s account.
Stackdriver doesn't require long-term credentials for the customer's account, like an access key for the root account or for an IAM user in the account. “That’s key for us,” Belcher says. “If we needed to use long-term credentials, that could have security impacts to our customers and prospects—it’s not a good idea to provide secret keys to a third party. We would need to support key invalidation and rotation to uphold customer-specific security policies.” But by using IAM, if customers decide to discontinue using the service, they can simply delete the role they set for Stackdriver in their IAM console.
Using AWS makes it easier for Stackdriver to deploy its monitoring tools for customers by obtaining restricted access to customer accounts expediently and securely. “Our customers can get up and running within two minutes, completely on their own, instead of having to engage with our support team,” Belcher says. “AWS makes it possible for us to provide our customers with self-service trials that can are easy to set up and run. We can scale the trials quickly, no matter where our customers are located.”
Stackdriver queries AWS APIs for information and metrics on more than 250,000 resources across 400-plus customer accounts every few minutes—and those numbers will scale several-fold in 2014. “Milliseconds count when you are operating at this scale, and IAM is up to the task, enabling fast, secure access management for Stackdriver and their customers,” Belcher says.
Since Stackdriver adopted AWS, hundreds of its customers monitor their core customer-facing applications on AWS. “Given that we’re a new player in the space, it is a huge benefit to us that customers can grant the access that Stackdriver needs for monitoring without granting full control over their environment,” Belcher concludes.
To learn more about AWS Identity and Access Management (IAM), visit our IAM details page: http://aws.amazon.com/iam/.