From Zero to Production: Building an Identity + Automation Stack for $10/mo
Senior Systems Engineer · IAM · IT Automation · Platform Engineering
Tags: IAM Engineering, IT Automation, Okta, Apache Airflow, GCP, Platform Engineering
The problem I was solving
As a Senior Systems Engineer with a decade of experience across IAM, identity governance, and IT automation, I kept running into the same challenge: it's hard to demonstrate hands-on platform skills without a live environment. Reading docs is one thing. Actually wiring Okta SCIM to a custom Flask endpoint that provisions users into Airflow in real time is something else entirely.
I also wanted a personal automation backbone — something I could use to run scheduled jobs, get Slack alerts, and build new workflows without spinning up a paid SaaS tool every time.
The goal: production-grade identity + automation stack. Constraint: keep it under $15/month, build it myself, own every layer.
The stack
| Component | Tool | Cost |
|---|---|---|
| Compute | GCP e2-medium | ~$8/mo with schedule |
| Orchestration | Apache Airflow 2.9 | Free (self-hosted) |
| Identity | Okta Integrator Free Plan | Free |
| Domain | inguva.dev (Cloudflare) | $10/yr |
| SSL | Let's Encrypt | Free |
| Notifications | Slack Webhooks | Free |
| SCIM Bridge | Custom Flask app | Runs on same VM |
| Job alerts | GitHub Actions | Free (public repo) |
How it came together
Step 1 — VM + domain
Spun up a GCP e2-medium (Ubuntu 22.04), reserved a static IP, bought inguva.dev on Cloudflare, and set up email routing to forward @inguva.dev addresses to Gmail — all free except the $10/yr domain.
Step 2 — Airflow in standalone mode
Installed Airflow 2.9.2 into a Python venv, ran it in standalone mode (single process, SQLite backend), managed by Supervisor for auto-restart. No Docker overhead — uses ~600MB RAM comfortably on the e2-medium.
Step 3 — HTTPS with Nginx + Let's Encrypt
Set up Nginx as a reverse proxy, got a free SSL cert via Certbot, and configured auto-renewal. Airflow is now live at https://airflow.inguva.dev with a valid cert.
Step 4 — Okta SSO via OIDC
Created an Okta OIDC app integration, configured Airflow's webserver_config.py with AUTH_OAUTH, and wired up the OAuth endpoints. Users can now click "Sign in with Okta" — no username/password needed.
Step 5 — Custom SCIM provisioning bridge
This was the most interesting part. Okta's SCIM 2.0 protocol sends HTTP requests to provision users — but Airflow has no native SCIM server. I wrote a lightweight Flask app that translates Okta SCIM calls into Airflow REST API calls, handling user create, update, and deactivation. When you assign someone to the Airflow app in Okta, they appear in Airflow within seconds.
Step 6 — Slack DAG for daily reports + failure alerts
Built a Python DAG that sends a daily Airflow health report to Slack every morning — VM CPU, memory, disk, uptime, and run status. Added on_failure_callback so any DAG failure triggers an instant Slack alert with a direct link to the logs.
Step 7 — LinkedIn job alerts via GitHub Actions
Wrote a Python scraper that checks LinkedIn every 3 hours for new Senior IAM / IT Automation / Atlassian Engineer roles, deduplicates against a JSON file committed to the repo, and posts new listings to Slack. Runs free on GitHub Actions.
What I learned
The SCIM bridge was the most valuable piece to build. Every enterprise IAM environment has some version of this problem: you have an identity provider and a target application that speaks a slightly different dialect. The real skill is knowing how to read the SCIM spec, intercept the protocol, and adapt it to whatever API the downstream system exposes.
I also deepened my appreciation for how much managed services abstract away. Running Airflow on a raw VM means you own the process management, SSL renewal, log rotation, and restart behavior. Supervisor, Nginx, and Certbot are unglamorous but critical — and knowing how they fit together makes you a much stronger platform engineer.
The biggest unlock: once you understand what Okta SCIM actually sends over the wire, you can provision users into almost anything — not just apps with native SCIM support.
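The translation described in Step 5 and in the paragraphs above, as an added example (not the author's bridge code): pure functions that check the bearer token on a SCIM call and map a SCIM create or deactivate request to an Airflow REST call. Assumptions: the SCIM resource id is the Airflow username, new users get the Viewer role, deactivation is mapped to a DELETE, and the function names and the username pattern are hypothetical.

```python
import hmac, re, secrets

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SAFE_ID = re.compile(r"[A-Za-z0-9._@+-]{1,64}")  # assumed username policy

def authorized(auth_header, expected_token):
    """Constant-time check of the bearer token sent with each SCIM call."""
    scheme, _, token = (auth_header or "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(
        token.encode(), expected_token.encode())

def primary_email(user):
    emails = user.get("emails") or [{}]
    chosen = next((e for e in emails if e.get("primary")), emails[0])
    return chosen.get("value") or user["userName"]

def wants_deactivation(op):  # covers both PatchOp shapes for active=false
    value = op.get("value")
    if str(op.get("op", "")).lower() != "replace":
        return False
    if op.get("path") == "active":
        return value is False
    return isinstance(value, dict) and value.get("active") is False

def scim_to_airflow(method, path, body, default_role="Viewer"):
    """Map one SCIM request to (http_method, airflow_path, json_body)."""
    if method == "POST" and path == "/Users":
        if SCIM_USER not in body.get("schemas", []):
            raise ValueError("not a SCIM core User resource")
        if not SAFE_ID.fullmatch(str(body.get("userName", ""))):
            raise ValueError("userName rejected by bridge policy")
        name = body.get("name") or {}
        return "POST", "/api/v1/users", {
            "username": body["userName"],
            "email": primary_email(body),
            "first_name": name.get("givenName", ""),
            "last_name": name.get("familyName", ""),
            "roles": [{"name": default_role}],      # least privilege by default
            "password": secrets.token_urlsafe(32),  # random; sign-in is via SSO
        }
    if method == "PATCH" and path.startswith("/Users/"):
        user_id = path[len("/Users/"):]  # validated before it reaches a URL
        if SCIM_PATCH not in body.get("schemas", []) or not SAFE_ID.fullmatch(user_id):
            raise ValueError("malformed SCIM PatchOp request")
        if any(wants_deactivation(op) for op in body.get("Operations", [])):
            return "DELETE", f"/api/v1/users/{user_id}", None
        return None  # no change this example acts on
    raise ValueError(f"unsupported SCIM call: {method} {path}")
```

A Flask route would call `authorized()` first, return 401 on failure, and only then forward the tuple from `scim_to_airflow()` to the Airflow API.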
The outcomes
$10/mo — total infrastructure cost
<1 second — Okta → Airflow user provisioning time
Every 3 hours — LinkedIn job alert cadence
0 — third-party SaaS tools needed
What's next
A few things I'm planning to add: swapping SQLite for PostgreSQL to make Airflow production-ready, setting up a GitHub Actions pipeline to auto-deploy DAGs on push, and building an Okta user activity digest DAG that pulls from the Okta System Log API and posts a weekly access report to Slack.
If you're in IAM, IT automation, or platform engineering and want to talk about any of this — reach out at chander@inguva.dev.
Built with Apache Airflow · Okta · GCP · Flask · Nginx · Let's Encrypt · GitHub Actions · Slack · Cloudflare