Introducing IAM
Blog post from Polar Signals
Polar Signals Cloud initially had a straightforward authentication and authorization model, where human users could either perform all actions or just query data, and machines were limited to specific project-based operations. However, this setup fell short for enterprise customers with diverse requirements, such as managing billing or accessing only certain projects. To address this, Polar Signals developed a more flexible identity and access management (IAM) system, where every action has distinct permissions bundled into roles that can be associated with identities, either organization-wide or project-specific. Humans authenticate via OIDC, while machines use service accounts. The new system includes predefined roles reflecting common use cases, and all previous permissions have been migrated, with new role creation under the old system disabled. Migration guides are available for different use scenarios, and while there is no end-of-life date for the old project tokens, users are encouraged to upgrade. The development benefited from contributions by Turbopuffer and advice from Eric Chiang of Oblique.
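The role model described above (permissions bundled into roles, roles bound to an identity either organization-wide or for a single project) can be sketched as a deny-by-default check. This is an added example, not Polar Signals' code: the permission strings, role names, identities and the legacy-to-role mapping are all hypothetical, since the post does not list the real ones.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical roles and permission strings (assumptions, not the product's names).
ROLES = {
    "org-admin": {"billing:manage", "project:create", "profiles:query", "profiles:write"},
    "billing-manager": {"billing:manage"},
    "project-viewer": {"profiles:query"},
    "profile-writer": {"profiles:write"},
}

@dataclass(frozen=True)
class Binding:
    identity: str                  # OIDC subject for humans, service account id for machines
    role: str
    org: str
    project: Optional[str] = None  # None means the binding is organization-wide

def is_allowed(bindings, identity, permission, org, project=None):
    """Deny by default; allow only when an in-scope binding's role holds the permission."""
    for b in bindings:
        if b.identity != identity or b.org != org:
            continue
        # A project-scoped binding covers only its own project and never
        # org-level actions (project=None), so it cannot leak sideways or upward.
        if b.project is not None and b.project != project:
            continue
        if permission in ROLES.get(b.role, set()):
            return True
    return False

def migrate_legacy(identity, kind, org, project=None):
    """Map the three legacy access levels from the post onto bindings (assumed mapping)."""
    if kind == "human-all":
        return Binding(identity, "org-admin", org)
    if kind == "human-query":
        return Binding(identity, "project-viewer", org)
    if kind == "machine-project" and project:
        return Binding(identity, "profile-writer", org, project)
    raise ValueError(f"unknown legacy access level: {kind}")

# Constructed sample bindings for illustration.
BINDINGS = [
    Binding("alice@example.com", "billing-manager", "acme"),
    Binding("bob@example.com", "project-viewer", "acme", "checkout"),
    Binding("sa-ci", "profile-writer", "acme", "checkout"),
]
```

The two cases the old model could not express both appear here: `alice` can manage billing without being able to query any profiling data, and `bob` can query one project but no other.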