Skip to main content

Deploy AWS Teams and Team Roles across your AWS Organization

Learn how to provision AWS teams and team roles across an AWS Organization using Atmos workflows, integrate them with AWS SSO, and generate AWS configuration files for role assumption with profiles.

Steps
Install requirements
Vendor componentsatmos workflow vendor -f identity
Prepare AWS SSOClick Ops
Add your SAML providerClick Ops
Deploy identity componentsatmos workflow deploy/all -f identity
Reconfigure Terraform Backendatmos workflow deploy/tfstate -f baseline
Deploy baseline componentsatmos workflow deploy -f baseline

The identity components are designed to provision all primary user and system roles into a centralized identity account. These components are expected to be used together to provide fine-grained role delegation across the account hierarchy.

Important:

All identity components in this guide required elevated permissions to deploy, and in particular require Administrator access in core-root and core-identity. Assume the SuperAdmin IAM user role before continuing.

For more on SuperAdmin, see How to Create SuperAdmin user.

1 Deploy Identity Components

Deploy these components across all accounts by running the following command. Note that if any users or groups are missing, aws-sso will fail.

These are the commands included in the deploy/all workflow in the examples/snippets/stacks/workflows/identity.yaml file:
    No commands found
Too many commands? Consider using the Atmos workflow! 🚀
Important:
Once the roles are deployed, the Terraform State Backend should be reconfigured to use the newly provisioned roles.

2 Reconfigure Terraform State Backend

Apply the changes from the previous step to the Terraform State Backend by running the following commands. This will grant permission for your newly deployed AWS Teams and Team Roles to access the Terraform State Backend.

These are the commands included in the deploy/tfstate workflow in the examples/snippets/stacks/workflows/baseline.yaml file:
    No commands found
Too many commands? Consider using the Atmos workflow! 🚀

3 Generate AWS Config

Once the identity components have been deployed, we will need to create local AWS configuration for these new roles and profiles. Generate those files now by running the following command from within Geodesic.

These are the commands included in the update-aws-config workflow in the examples/snippets/stacks/workflows/identity.yaml file:
    No commands found
Too many commands? Consider using the Atmos workflow! 🚀

This will generate AWS configuration to the rootfs directory locally. Everything included in the rootfs directory is passed to the Geodesic image when it is built. This will include the AWS configuration files, included with the aws-config-teams file, that are needed to assume roles across the AWS Organization. In particular, we recommend setting a common AWS profile, such as acme-identity, as the entry-point for all role assumption. That way all users can configure the same AWS profile name and be allowed to assume roles that they can access.

Important:

The AWS config script requires local files, which are generated during the deployment of the AWS Team and Team Roles components.

If you did not run these steps yourself and they are not committed to git, then you will need to rerun those components to generate these local files. For this reason, we recommend committing these generated files to git so that they are available for future use.

4 Apply Changes to Geodesic

In order to apply these updates to your Geodesic image, exit the image and rerun make all.

One of these configuration files will be named aws-config-teams. This file holds local configuration for all local user authentication to AWS. This file will be the same for both SAML and SSO users, as well as for all teams. This file looks for a specific AWS profile for your namespace, for example acme-identity , and uses that profile as the entry-point for all role assumption. From this profile, all users with proper permission will be able to execute Terraform or assume other roles across the AWS Organization.

Important:

Anytime that teams or roles are changed, rebuild AWS config

These are the commands included in the update-aws-config workflow in the examples/snippets/stacks/workflows/identity.yaml file:
    No commands found
Too many commands? Consider using the Atmos workflow! 🚀