[cddotdotslash]

I can see the value, but to do the things you're describing, the AI needs to be given fairly highly-privileged credentials.

> Right now, Datafruit receives read-only access to your infrastructure

> "Grant @User write access to analytics S3 bucket for 24 hours" > -> Creates temporary IAM role, sends least-privilege credentials, auto-revokes tomorrow

These statements directly conflict with one another.

So it needs "iam:CreateRole," "iam:AttachPolicy," and other similar permissions. Those are not "read-only." And, they make it effectively admin in the account.

What safeguards are in place to make sure it doesn't delete other roles, or make production-impacting changes?

[nickpapciak]

Ahh. To clarify, changes like granting users access would be done by our agent modifying IaC, so you would still have to manually apply the changes. Every potentially destructive change being an IaC change helps allow the humans to always stay in the loop. This admittedly makes the agents a little more annoying to work with, but safer.

[Kwpolska]

So you’re modifying Terraform? How is your tool better than just using an AI-enabled IDE and asking it to apply the change?

How is the auto-revoke handled? Will it require human intervention to merge a PR/apply the Terraform configuration, or will it do it automatically?

[nickpapciak]

Lots of people have asked us this! We try to do more than just being an AI-enabled IDE by giving the agent access to your infrastructure and observability tools. So you can query over your AWS, get information about metrics over the past few days, etc etc. We also plan to integrate with more DevOps tools as our customers ask for them. We also try to be less like an IDE, and more like an autonomous agent. We've noticed that DevOps engineers actually like being engineers, and enjoy some infrastructure tasks, while there are others that they would rather automate away. Not sure if you have experienced this sentiment?

Also, auto-revoke right now can be handled by creating a role in Terraform that can be assumed and expires after a certain time. But we’re exploring deeper integrations with identity providers like Okta to handle this better.

[OliverGuy]

I can put some AWS Creds in my terminal and Claude Code is perfectly happy writing AWS CLI commands (or whole python scripts if necessary) to work out what it needs to about my infrastructure.