Go here for the architectural overview of an AWS-based Engineering Platform.
This pipeline manages:

- Product cloud infrastructure provider service accounts
Two service accounts (machine users) are defined for use in the Engineering Platform team's AWS infrastructure pipelines. The service accounts have no permissions assigned directly; instead each is added to either the non-production or the production group as appropriate. The groups have policies attached that permit assumption of any PSK role in the related product accounts.
main.tf
The diagram represents the typical configuration for an initial engineering platform on AWS. The PSK code will be limited to a two-account configuration for budgetary reasons.
Pipeline Roles (permissions)
Each pipeline role has a matching, named role file.
In general, only the Engineering Platform product development team(s) will have direct access to the cloud (AWS) accounts (that is, directly assuming IAM roles). Customers of the platform will not have AWS IAM identities; their access is defined and maintained as part of the overall product capabilities through an external IdP.
Even though Engineering Platform (EP) product team members have direct access, apart from the Development account you should not expect to see human write access taking place. All changes are made through the software-defined process, acting as a service account persona.
As the diagram above shows, account-level roles are ubiquitous: each account used by the product has the same set of roles defined. A service account's group membership then determines in which accounts that service identity may assume any role.
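The service-account, group and assume-role pattern described above, in Terraform, as an added example rather than the project's own main.tf. The user and group names and the account IDs are placeholders; only the PSK* role naming comes from the page.

```hcl
# Added example, not the project's main.tf. Account IDs are placeholders.
locals {
  # Which product accounts each group may assume PSK roles in.
  groups = {
    nonprod = { user = "svc-ep-nonprod", accounts = ["111111111111"] } # placeholder dev account
    prod    = { user = "svc-ep-prod",    accounts = ["222222222222"] } # placeholder prod account
  }
}

# Service accounts (machine users) with no policies attached directly.
resource "aws_iam_user" "svc" {
  for_each = local.groups
  name     = each.value.user
}

resource "aws_iam_group" "env" {
  for_each = local.groups
  name     = "ep-${each.key}"
}

# Group membership is the only thing that decides which accounts a
# service identity may assume roles in.
resource "aws_iam_user_group_membership" "svc" {
  for_each = local.groups
  user     = aws_iam_user.svc[each.key].name
  groups   = [aws_iam_group.env[each.key].name]
}

# Each group may assume any PSK* role, but only in its own accounts.
data "aws_iam_policy_document" "assume_psk" {
  for_each = local.groups
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [for id in each.value.accounts : "arn:aws:iam::${id}:role/PSK*"]
  }
}

resource "aws_iam_group_policy" "assume_psk" {
  for_each = local.groups
  name     = "assume-psk-roles-${each.key}"
  group    = aws_iam_group.env[each.key].name
  policy   = data.aws_iam_policy_document.assume_psk[each.key].json
}
```

The group policy is only half of the control: each PSK role in the product accounts must also carry a trust policy that names the specific service user (not the whole management account) as principal, otherwise the separation between non-production and production rests on the group policy alone.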
See maintainer notes for detailed information.