- There is a `dev` role and a role with the name of each product but prefixed with `prod_`. Each role has a KMS key with the same name, and can access the keys of other less privileged roles (`prod_common` being the super-admin, and `dev` the least privileged role).
- There is an
- The ARN of the previous entities (IAM roles, IAM users, and KMS keys) is constant over time.
The "users" component of "Common" owns the authentication and authorization within Amazon Web Services (AWS).
We divide our AWS account into production and development.
For development, we have an IAM role called `dev`.
For production, we have an IAM role named as the product, prefixed with `prod_`, for example: `prod_integrates`. The IAM role called `prod_common` is the super-admin role, and it's more privileged than any other role.
We have one external user as part of our subscription with Clouxter called
Secrets are encrypted and managed with Mozilla's Secrets OPerationS (SOPS).
The `prod_common` role can access any product KMS key.
The `prod_*` roles can access the `dev` KMS key, and the KMS key of their respective product.
The `dev` role can access the `dev` KMS key only.
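The role-to-key access rules above, encoded as an added example that is not the project's own code: it builds the set of roles allowed on each KMS key, the KMS key policy that grants exactly those roles, and a `.sops.yaml`-style rule set that points each product's secrets at its own key. The account id, region, alias-ARN form and the secrets file layout (`<product>/secrets-prod.yaml`, `secrets-dev.yaml`) are assumptions; only the role and key naming follows the page.

```python
"""Role/KMS-key access matrix from the text above (added example).

Not Fluid Attacks' own code. ACCOUNT_ID, REGION, the alias ARN format and
the secrets path layout are constructed assumptions; role and key names
follow the page's convention (dev, prod_<product>, prod_common).
"""
import json
import re

ACCOUNT_ID = "123456789012"  # constructed placeholder account id
REGION = "us-east-1"         # assumed region

# KMS actions SOPS needs to wrap and unwrap data keys, plus DescribeKey
USE_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]


def role_arn(role: str) -> str:
    return f"arn:aws:iam::{ACCOUNT_ID}:role/{role}"


def key_arn(key: str) -> str:
    # Alias ARN for readability; a real deployment may pin the key id ARN.
    return f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:alias/{key}"


def allowed_roles(key: str, products: list[str]) -> set[str]:
    """Roles allowed to use the KMS key named `key`.

    - dev key: dev plus every prod_* role (prod_common included)
    - prod_<product> key: that product's role plus prod_common
    - prod_common key: prod_common only
    """
    prod_roles = {f"prod_{p}" for p in products} | {"prod_common"}
    if key == "dev":
        return {"dev"} | prod_roles
    if key == "prod_common":
        return {"prod_common"}
    if key in prod_roles:
        return {key, "prod_common"}
    raise ValueError(f"unknown key: {key}")


def can_access(role: str, key: str, products: list[str]) -> bool:
    return role in allowed_roles(key, products)


def key_policy(key: str, products: list[str]) -> dict:
    """KMS key policy granting use of `key` to exactly the allowed roles."""
    principals = sorted(role_arn(r) for r in allowed_roles(key, products))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # the account root keeps administrative control of the key
                "Sid": "EnableRootAdmin",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # data-key operations for the roles the matrix allows
                "Sid": "AllowUseByRoles",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": USE_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def sops_creation_rules(products: list[str]) -> dict:
    """A .sops.yaml-style mapping: each product's production secrets use the
    product's own key, development secrets use the dev key (layout assumed)."""
    rules = [
        {"path_regex": rf"^{re.escape(p)}/secrets-prod\.yaml$",
         "kms": key_arn(f"prod_{p}")}
        for p in products
    ]
    rules.append({"path_regex": r"secrets-dev\.yaml$", "kms": key_arn("dev")})
    return {"creation_rules": rules}


def access_matrix(products: list[str]) -> dict[str, dict[str, bool]]:
    """role -> key -> allowed; useful when reviewing the policies as a table."""
    names = ["dev", "prod_common"] + [f"prod_{p}" for p in products]
    return {r: {k: can_access(r, k, products) for k in names} for r in names}


if __name__ == "__main__":
    products = ["integrates", "skims"]  # constructed product list
    print(json.dumps(key_policy("prod_integrates", products), indent=2))
    for role, row in access_matrix(products).items():
        print(role.ljust(16), " ".join(k for k, ok in row.items() if ok))
```

Running the block prints the policy for the `prod_integrates` key and a one-line-per-role view of which keys each role can use; a role-to-key pair that is not in `allowed_roles` never appears as a principal, which is the property a reviewer of the key policies wants to confirm.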
You can right-click on the image below to open it in a new tab, or save it to your computer.
Please read the contributing page first.