ThoughtWorks-DPS/psk-aws-iam-profiles
psk-aws-iam-profiles

Go here for the architectural overview of an AWS-based Engineering Platform.

This pipeline manages:

Product cloud infrastructure provider service accounts
Two service accounts (machine users) are defined for use in the Engineering Platform team's AWS infrastructure pipelines. The service accounts have no permissions assigned directly; instead each is added to either the non-production or the production group as appropriate. The groups have policies attached that permit assuming any PSK role in the related product accounts.

main.tf

architecture1.png

The diagram represents the typical configuration for an initial engineering platform on AWS. The PSK code will be limited to a two-account configuration for budgetary reasons.

Pipeline Roles (permissions)

Each pipeline role has a matching, named role file.

architecture2.png

about access permissions

In general, only the Engineering Platform product development team(s) will have direct access to the cloud (AWS) accounts (that is, directly assuming IAM roles). Customers of the platform will not have AWS IAM identities; their access is defined and maintained as part of the overall product capabilities through an external IdP.

Even though EP product team members have direct access, outside the Development account you should not expect to see any human write access taking place. All change is brought about through the software-defined process and via a service account persona.

As you can see from the above diagram, account-level roles are ubiquitous: each account used by the product has the same set of roles defined. A service account's group membership then determines in which accounts that service identity may assume any of those roles.
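As an added illustration of the service-account design described above (example Terraform written for this page, not the project's own main.tf), the following defines the two machine users with no direct permissions, the two groups, and group policies that permit nothing but sts:AssumeRole on PSK-prefixed roles in the listed product accounts. The account IDs, user and group names, the "PSK" role-name prefix and the variable names are assumptions.

```hcl
# Added example, not the project's code. Account IDs, names and the "PSK"
# role-name prefix are constructed placeholders.

variable "identity_account_id" {
  type    = string
  default = "000000000000" # constructed: account that holds the machine users
}

variable "nonprod_account_ids" {
  type    = list(string)
  default = ["111111111111"] # constructed: non-production product accounts
}

variable "prod_account_ids" {
  type    = list(string)
  default = ["222222222222"] # constructed: production product accounts
}

# Machine users carry no inline or attached policies of their own.
resource "aws_iam_user" "nonprod_pipeline" {
  name = "svc-ep-nonprod-pipeline"
}

resource "aws_iam_user" "prod_pipeline" {
  name = "svc-ep-prod-pipeline"
}

resource "aws_iam_group" "nonprod" {
  name = "ep-nonprod-assume"
}

resource "aws_iam_group" "prod" {
  name = "ep-prod-assume"
}

# Group membership is the only thing that decides which accounts a user can reach.
resource "aws_iam_group_membership" "nonprod" {
  name  = "ep-nonprod-membership"
  group = aws_iam_group.nonprod.name
  users = [aws_iam_user.nonprod_pipeline.name]
}

resource "aws_iam_group_membership" "prod" {
  name  = "ep-prod-membership"
  group = aws_iam_group.prod.name
  users = [aws_iam_user.prod_pipeline.name]
}

# Only sts:AssumeRole, only on PSK-prefixed roles, only in the listed accounts.
data "aws_iam_policy_document" "assume_nonprod" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [for id in var.nonprod_account_ids : "arn:aws:iam::${id}:role/PSK*"]
  }
}

data "aws_iam_policy_document" "assume_prod" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [for id in var.prod_account_ids : "arn:aws:iam::${id}:role/PSK*"]
  }
}

resource "aws_iam_group_policy" "assume_nonprod" {
  name   = "assume-psk-roles-nonprod"
  group  = aws_iam_group.nonprod.name
  policy = data.aws_iam_policy_document.assume_nonprod.json
}

resource "aws_iam_group_policy" "assume_prod" {
  name   = "assume-psk-roles-prod"
  group  = aws_iam_group.prod.name
  policy = data.aws_iam_policy_document.assume_prod.json
}

# Role side: the trust policy each PSK role in a product account would carry.
# It lives in the product account (separate provider), shown here only to make
# the second half of the trust relationship visible.
data "aws_iam_policy_document" "psk_role_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.identity_account_id}:root"]
    }
  }
}
```

Two things worth checking in a review of such a layout: with the role trust policy naming the identity account's `:root` as principal, the group policy in the identity account is the sole gate on which user reaches which account, so it must stay as narrow as the one above (a single action and a role-name pattern), and a user that belongs to no group can assume nothing. On the detection side, every hop shows up as an `AssumeRole` event in CloudTrail with the machine user as the calling identity, which gives a simple baseline: the non-production user should never appear assuming a role in a production account ID.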

See maintainer notes for detailed information.