Deploy AWS Teams and Team Roles across your AWS Organization
Learn how to provision AWS teams and team roles across an AWS Organization using Atmos workflows, integrate them with AWS SSO, and generate AWS configuration files for role assumption with profiles.
Steps | |
---|---|
Install requirements | |
Vendor components | atmos workflow vendor -f identity |
Prepare AWS SSO | Click Ops |
Add your SAML provider | Click Ops |
Deploy identity components | atmos workflow deploy/all -f identity |
Reconfigure Terraform Backend | atmos workflow deploy/tfstate -f baseline |
Deploy baseline components | atmos workflow deploy -f baseline |
The identity components are designed to provision all primary user and system roles into a centralized identity account. These components are expected to be used together to provide fine-grained role delegation across the account hierarchy.
All identity components in this guide required elevated permissions to deploy, and in particular require Administrator access in core-root
and core-identity
. Assume the SuperAdmin IAM user role before continuing.
For more on SuperAdmin, see How to Create SuperAdmin user.
0 Deploy Identity Components
Deploy these components across all accounts by running the following command. Note that if any users or groups are
missing, aws-sso
will fail.
atmos workflow deploy/all -f identity
0 Reconfigure Terraform State Backend
Apply the changes from the previous step to the Terraform State Backend by running the following commands. This will grant permission for your newly deployed AWS Teams and Team Roles to access the Terraform State Backend.
atmos workflow deploy/tfstate -f baseline
0 Generate AWS Config
Once the identity components have been deployed, we will need to create local AWS configuration for these new roles and profiles. Generate those files now by running the following command from within Geodesic.
atmos workflow update-aws-config -f identity
This will generate AWS configuration to the rootfs
directory locally. Everything included in the rootfs
directory is passed to the Geodesic image when it is built. This will include the AWS configuration files, included with the aws-config-teams
file, that are needed to assume roles across the AWS Organization. In particular, we recommend setting a common AWS profile, such as acme-identity
, as the entry-point for all role assumption. That way all users can configure the same AWS profile name and be allowed to assume roles that they can access.
The AWS config script requires local files, which are generated during the deployment of the AWS Team and Team Roles components.
If you did not run these steps yourself and they are not committed to git, then you will need to rerun those components to generate these local files. For this reason, we recommend committing these generated files to git so that they are available for future use.
0 Apply Changes to Geodesic
In order to apply these updates to your Geodesic
image, exit the image and rerun make all
.
One of these configuration files will be named aws-config-teams
. This file holds local configuration for all local
user authentication to AWS. This file will be the same for both SAML and SSO users, as well as for all teams. This file
looks for a specific AWS profile for your namespace, for example acme-identity
, and uses that profile as the
entry-point for all role assumption. From this profile, all users with proper permission will be able to execute
Terraform or assume other roles across the AWS Organization.
Anytime that teams or roles are changed, rebuild AWS config
atmos workflow update-aws-config -f identity