Team Mode

Team Mode allows Audex to operate as a centralized HTTP API server for credential issuance across a team, with features like SSO, multi-party approvals, rate limiting, and high availability.

Server Basics

Run Audex as a long-lived server instead of a CLI tool:

# Start the server
tryaudex server --listen 0.0.0.0:8080

# Request credentials via HTTP
curl -X POST http://localhost:8080/credentials \
  -H "Content-Type: application/json" \
  -d '{
    "allow": "s3:GetObject",
    "ttl": "15m",
    "provider": "aws"
  }'

# Response:
# {
#   "session_id": "a1b2c3d4-e5f6-4748-b9c0-d1e2f3a4b5c6",
#   "provider": "aws",
#   "credentials": {
#     "aws_access_key_id": "ASIA...",
#     "aws_secret_access_key": "...",
#     "aws_session_token": "..."
#   },
#   "expires_at": "2024-01-01T12:15:00Z"
# }

Server Configuration

Create a server-config.toml file:

[server]
listen = "0.0.0.0:8080"
max_ttl = "1h"
default_ttl = "15m"

[audit]
backend = "jsonl"  # or "postgres", "sqlite"
path = "/var/log/audex/audit.jsonl"

[credentials]
store = "keyring"  # or "vault"

Then start with:

tryaudex server --config server-config.toml

Authentication (SSO)

Enable SAML 2.0 or OpenID Connect so team members authenticate with their identity provider:

SAML 2.0

[sso]
enabled = true
type = "saml"
entity_id = "https://audex.company.com"
idp_sso_url = "https://idp.company.com/sso"
idp_cert_path = "/etc/audex/idp-cert.pem"
assertion_consumer_service_url = "https://audex.company.com/acs"

Start server:

tryaudex server --config server-config.toml --enable-sso

Team members visit https://audex.company.com/login, authenticate with company SSO, and receive a session token.

OpenID Connect

[sso]
enabled = true
type = "oidc"
provider_url = "https://auth.company.com"
client_id = "audex-client-id"
client_secret = "audex-client-secret"
redirect_uri = "https://audex.company.com/oidc/callback"
scopes = ["openid", "profile", "email"]

Approval Workflows

Require one or more approvers before issuing credentials:

Single-Party Approval

[approvals]
enabled = true
required_approvals = 1
approver_roles = ["admin", "security"]

When someone requests credentials:

Request is created with status pending_approval
An approver reviews the request (action, TTL, budget)
Approver clicks “Approve” or “Deny”
If approved, credentials are issued
Audit log records who requested, who approved, and at what time

Multi-Party Approval

[approvals]
enabled = true
required_approvals = 2
approver_roles = ["security", "compliance"]
sensitive_actions = ["iam:*", "*:Delete*"]

Requests involving sensitive actions require two independent approvals (from different roles).

Approval API

# List pending requests
curl http://localhost:8080/approvals/pending \
  -H "Authorization: Bearer $TOKEN"

# Approve a request
curl -X POST http://localhost:8080/approvals/a1b2c3d4/approve \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"comment": "Approved for data migration task"}'

# Deny a request
curl -X POST http://localhost:8080/approvals/a1b2c3d4/deny \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"comment": "TTL too long"}'

Rate Limiting

Prevent abuse by limiting credential requests per identity:

[rate_limiting]
enabled = true

[[rate_limiting.rules]]
identity = "team:data-engineering"
max_requests = 100
window = "1h"
max_concurrent = 5

[[rate_limiting.rules]]
identity = "team:devops"
max_requests = 200
window = "1h"
max_concurrent = 10

When a rate limit is exceeded, the server returns HTTP 429:

{
  "error": "rate_limit_exceeded",
  "retry_after": 123
}

Credential Broker API

For team deployments with multiple Audex servers, use the credential broker for batching and reliability:

# Request credentials from broker
curl -X POST http://broker.company.com:8080/credentials/batch \
  -H "Content-Type: application/json" \
  -d '[
    {
      "allow": "s3:GetObject",
      "ttl": "15m",
      "provider": "aws"
    },
    {
      "allow": "storage.objects.get",
      "ttl": "15m",
      "provider": "gcp"
    }
  ]'

# Response includes credentials for all providers

The broker:

Routes requests to healthy Audex instances
Caches successful responses
Retries failed requests
Validates credential freshness before returning

Role Mapping

Map team members or service accounts to IAM roles / cloud identities:

[role_mapping]
enabled = true

[[role_mapping.rules]]
user_email = "alice@company.com"
aws_role_arn = "arn:aws:iam::123456789012:role/DataEngineer"
gcp_service_account = "data-eng@project.iam.gserviceaccount.com"
azure_object_id = "12345678-1234-1234-1234-123456789012"

[[role_mapping.rules]]
group = "team:devops"
aws_role_arn = "arn:aws:iam::123456789012:role/DevOpsTeam"
gcp_service_account = "devops@project.iam.gserviceaccount.com"

When a user requests credentials, Audex automatically uses their mapped role without requiring --role-arn.

High Availability

Redis-Backed Sessions

For team deployments, store sessions in Redis for cross-instance access:

[session_store]
backend = "redis"
url = "redis://localhost:6379"
ttl = "24h"

Redis Leader Election

Distribute work across multiple Audex server instances using Redis SET NX:

[leader_election]
enabled = true
backend = "redis"
redis_url = "redis://localhost:6379"
lock_name = "audex-leader"
lock_ttl = "30s"

Only the leader instance:

Processes CloudTrail learning jobs
Runs compliance report generation
Performs budget cap checks

etcd Support

For Kubernetes clusters, use etcd instead of Redis:

[session_store]
backend = "etcd"
endpoints = ["http://etcd-1:2379", "http://etcd-2:2379"]

[leader_election]
backend = "etcd"
endpoints = ["http://etcd-1:2379", "http://etcd-2:2379"]

Database Backends

For audit logs and compliance, use PostgreSQL or SQLite:

[audit]
backend = "postgres"
connection_string = "postgresql://user:pass@localhost/audex"

# Auto-migrate schema on startup
auto_migrate = true

# Retention policy
retention_days = 90

Monitoring & Observability

Prometheus Metrics

Enable metrics export for team-wide monitoring:

tryaudex server --listen 0.0.0.0:8080 --metrics-port 9090

Metrics include:

Metric	Type	Description
`audex_sessions_total`	Counter	Total sessions created
`audex_sessions_active`	Gauge	Currently active sessions
`audex_credentials_issued`	Counter	Total credentials issued
`audex_api_latency_seconds`	Histogram	HTTP request latency
`audex_budget_spent_usd`	Counter	Total spend (advisory)
`audex_approvals_pending`	Gauge	Pending approval requests

Scrape with Prometheus:

scrape_configs:
  - job_name: audex
    static_configs:
      - targets: ['localhost:9090']

OpenTelemetry

Export traces to your observability backend:

[telemetry]
otlp_endpoint = "http://localhost:4317"
service_name = "audex-server"
trace_sample_rate = 1.0

Audex will emit traces for:

Session creation
Credential issuance
Approval workflows
CloudTrail queries
Database operations

Alerting Examples

groups:
  - name: audex
    rules:
      - alert: AudexHighErrorRate
        expr: rate(audex_api_errors_total[5m]) > 0.05
        annotations:
          summary: "Audex API error rate > 5%"

      - alert: AudexBudgetExceeded
        expr: audex_budget_spent_usd > audex_budget_limit_usd
        annotations:
          summary: "Team has exceeded budget"

      - alert: AudexNoHealthyInstances
        expr: count(up{job="audex"}) == 0
        annotations:
          summary: "All Audex server instances are down"

Compliance & Audit

Audit Trail

All requests and approvals are logged to an append-only audit trail:

{
  "timestamp": "2024-01-01T12:00:00Z",
  "event_type": "credential_requested",
  "user": "alice@company.com",
  "action": "s3:GetObject",
  "ttl": "15m",
  "provider": "aws",
  "status": "pending_approval"
}

Export for compliance:

curl http://localhost:8080/audit/export?format=json \
  -H "Authorization: Bearer $TOKEN" > audit.json

# Also supports format=csv

Compliance Reports

Generate SOC2 / ISO 27001 reports:

curl http://localhost:8080/compliance/report?type=soc2 \
  --output soc2-report.pdf

Reports include:

Number of sessions and duration distribution
Access by role/team
Approval workflow metrics
Budget compliance
Denied requests and reasons

Deployment

Docker

FROM rust:latest as builder
WORKDIR /src
COPY . .
RUN cargo build --release -p audex-cli

FROM debian:bookworm-slim
COPY --from=builder /src/target/release/tryaudex /usr/local/bin/
RUN apt-get update && apt-get install -y ca-certificates
CMD ["tryaudex", "server", "--config", "/etc/audex/server-config.toml"]

docker run -d \
  --name audex-server \
  -p 8080:8080 \
  -v /etc/audex:/etc/audex \
  -e AUDEX_ROLE_ARN="arn:aws:iam::123456789012:role/AudexServer" \
  audex:latest

Kubernetes

apiVersion: apps/v1
kind: Deployment
metadata:
  name: audex-server
spec:
  replicas: 3
  selector:
    matchLabels:
      app: audex
  template:
    metadata:
      labels:
        app: audex
    spec:
      serviceAccountName: audex
      containers:
      - name: audex
        image: audex:latest
        ports:
        - containerPort: 8080
        - containerPort: 9090  # metrics
        env:
        - name: AUDEX_ROLE_ARN
          valueFrom:
            secretKeyRef:
              name: audex-config
              key: role-arn
        volumeMounts:
        - name: config
          mountPath: /etc/audex
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: audex-server-config

Best Practices

Always use SSO: Authenticate users through your identity provider, not hardcoded tokens.
Enable approvals for sensitive actions: Require approval for IAM, EC2 termination, database deletion, etc.
Use Redis/etcd for HA: Don’t rely on a single instance.
Monitor via Prometheus: Set up alerting for errors, budget overruns, and instance health.
Audit to immutable storage: Forward audit logs to S3 (with Object Lock) or a SIEM.
Rate limit by team: Prevent one team from consuming all credentials.
Rotate credentials frequently: Use short TTLs (15m default), rotate regularly.
Review approvals regularly: Look for patterns of approvers always approving, or abuse patterns.