Deploy AWS Teams and Team Roles across your AWS Organization

Learn how to provision AWS teams and team roles across an AWS Organization using Atmos workflows, integrate them with AWS SSO, and generate AWS configuration files for role assumption with profiles.

Steps
Install requirements
Vendor components	atmos workflow vendor -f identity
Setup Identity Center	Click Ops
Add your SAML provider	Click Ops
Deploy identity components	atmos workflow deploy/all -f identity
Reconfigure Terraform Backend	atmos workflow deploy/tfstate -f baseline
Deploy baseline components	atmos workflow deploy -f baseline

The identity components are designed to provision all primary user and system roles into a centralized identity account. These components are expected to be used together to provide fine-grained role delegation across the account hierarchy.

Important:

All identity components in this guide required elevated permissions to deploy, and in particular require Administrator access in core-root and core-identity. Assume the SuperAdmin IAM user role before continuing.

For more on SuperAdmin, see How to Create SuperAdmin user.

1 Vendor Identity Components

Pull the Identity components into your local repository.

Commands

vendor:

These are the commands included in the vendor workflow in the examples/snippets/stacks/workflows/identity.yaml file:

No commands found

Too many commands? Consider using the Atmos workflow! 🚀

Atmos Workflow

Run the following from your Geodesic shell using the Atmos workflow:

atmos workflow vendor -f identity 

2 Setup Identity Center

Follow the Setup Identity Center guide to enable AWS IAM Identity Center and connect your IdP.

3 Deploy Identity Components

Deploy these components across all accounts by running the following command. Note that if any users or groups are missing, aws-sso will fail.

Commands

deploy/all:

These are the commands included in the deploy/all workflow in the examples/snippets/stacks/workflows/identity.yaml file:

No commands found

Too many commands? Consider using the Atmos workflow! 🚀

Atmos Workflow

Run the following from your Geodesic shell using the Atmos workflow:

atmos workflow deploy/all -f identity 

Important:

Once the roles are deployed, the Terraform State Backend should be reconfigured to use the newly provisioned roles.

4 Reconfigure Terraform State Backend

Apply the changes from the previous step to the Terraform State Backend by running the following commands. This will grant permission for your newly deployed AWS Teams and Team Roles to access the Terraform State Backend.

Commands

deploy/tfstate:

These are the commands included in the deploy/tfstate workflow in the examples/snippets/stacks/workflows/baseline.yaml file:

No commands found

Too many commands? Consider using the Atmos workflow! 🚀

Atmos Workflow

Run the following from your Geodesic shell using the Atmos workflow:

atmos workflow deploy/tfstate -f baseline 

5 Generate AWS Config

Once the identity components have been deployed, we will need to create local AWS configuration for these new roles and profiles. Generate those files now by running the following command from within Geodesic.

Commands

update-aws-config:

These are the commands included in the update-aws-config workflow in the examples/snippets/stacks/workflows/identity.yaml file:

No commands found

Too many commands? Consider using the Atmos workflow! 🚀

Atmos Workflow

Run the following from your Geodesic shell using the Atmos workflow:

atmos workflow update-aws-config -f identity 

This will generate AWS configuration to the rootfs directory locally. Everything included in the rootfs directory is passed to the Geodesic image when it is built. This will include the AWS configuration files, included with the aws-config-teams file, that are needed to assume roles across the AWS Organization. In particular, we recommend setting a common AWS profile, such as acme-identity, as the entry-point for all role assumption. That way all users can configure the same AWS profile name and be allowed to assume roles that they can access.

Important:

The AWS config script requires local files, which are generated during the deployment of the AWS Team and Team Roles components.

If you did not run these steps yourself and they are not committed to git, then you will need to rerun those components to generate these local files. For this reason, we recommend committing these generated files to git so that they are available for future use.

6 Apply Changes to Geodesic

In order to apply these updates to your Geodesic image, exit the image and rerun make all.

One of these configuration files will be named aws-config-teams. This file holds local configuration for all local user authentication to AWS. This file will be the same for both SAML and SSO users, as well as for all teams. This file looks for a specific AWS profile for your namespace, for example acme-identity , and uses that profile as the entry-point for all role assumption. From this profile, all users with proper permission will be able to execute Terraform or assume other roles across the AWS Organization.

Important:

Anytime that teams or roles are changed, rebuild AWS config

Commands

update-aws-config:

These are the commands included in the update-aws-config workflow in the examples/snippets/stacks/workflows/identity.yaml file:

No commands found

Too many commands? Consider using the Atmos workflow! 🚀

Atmos Workflow

Run the following from your Geodesic shell using the Atmos workflow:

atmos workflow update-aws-config -f identity