Public Oath

  1. There is a dev role and, for each product, a role named after the product and prefixed with prod_. Each role has a KMS key with the same name and can access the keys of the less privileged roles (prod_common is the super-admin, and dev is the least privileged user).
  2. There is an erika.bayona user.
  3. The ARNs of the previous entities (IAM roles, IAM users, and KMS keys) are constant over time.


  1. The "users" component of "Common" owns the authentication and authorization within Amazon Web Services (AWS).

  2. We divide our AWS account into production and development.

    For development, we have an IAM role called dev.

    For production, we have an IAM role named after the product, prefixed with prod_, for example: prod_integrates. The IAM role called prod_common is the super-admin role, and it's more privileged than any other role.

    We have one external user as part of our subscription with Clouxter called erika.bayona.

  3. Secrets are encrypted and managed with Mozilla's Secrets OPerationS (SOPS).

    Each product has a KMS key on Amazon Web Services (AWS) that is used to encrypt and decrypt the SOPS file:

    • The prod_common role can access any product KMS key.
    • All prod_* roles can access the dev KMS key, and the KMS key of their respective product.
    • The dev role can access the dev KMS key only.
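As an added example (not the project's own code), the access rules above written as a small Python model that derives, for each KMS key, which IAM role principals its key policy should admit; the account id and the product name "example" are constructed placeholders.

```python
import json

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account
# "common" and "integrates" come from the text; "example" is a constructed extra product
PRODUCTS = ["common", "integrates", "example"]


def roles():
    """All IAM roles in the scheme: dev plus one prod_<product> role per product."""
    return ["dev"] + [f"prod_{p}" for p in PRODUCTS]


def allowed_keys(role):
    """KMS key aliases a role may encrypt/decrypt with, following the oath:
    dev -> dev only; prod_<x> -> dev and its own key; prod_common -> every key."""
    if role == "dev":
        return {"dev"}
    if role == "prod_common":
        return {"dev"} | {f"prod_{p}" for p in PRODUCTS}
    if role.startswith("prod_") and role[len("prod_"):] in PRODUCTS:
        return {"dev", role}
    raise ValueError(f"unknown role: {role}")


def key_principals(key_alias):
    """Role ARNs that must be allowed on the key policy of key_alias."""
    return sorted(
        f"arn:aws:iam::{ACCOUNT_ID}:role/{r}"
        for r in roles()
        if key_alias in allowed_keys(r)
    )


def key_policy(key_alias):
    """Key policy statement granting SOPS-style use of the key to the derived roles.
    A deployable policy also needs an administration statement (e.g. for the
    account root) so the key cannot be locked out; that part is omitted here."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSopsUse",
            "Effect": "Allow",
            "Principal": {"AWS": key_principals(key_alias)},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    for alias in ["dev"] + [f"prod_{p}" for p in PRODUCTS]:
        print(alias, json.dumps(key_principals(alias)))
```

Running it shows that only prod_common and prod_integrates land on the prod_integrates key, while every role lands on the dev key.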

Architecture of Common's /users


