What are our standard roles?
Within each account, we create a standard set of roles.
Each role name is made up of two parts: the name of the account, and the role suffix. For example, `workflow-developer` has the account name `workflow` and the role suffix `developer`.
This is a list of our standard roles:
role suffix | example role | what it allows |
---|---|---|
`admin` | `workflow-admin` | Complete access to the account. This is a superuser role that can do anything. |
`developer` | `platform-developer` | Complete access, bar a handful of destructive actions (e.g. deleting S3 buckets). This also doesn’t allow configuring IAM users. |
`read_only` | `digitisation-read_only` | Provides read-only access to most of the account. This doesn't include access to secrets in Secrets Manager. |
`ci` | `identity-ci` | Provides the permissions that CI needs to do things in this account (e.g. publishing Docker images to ECR). Usually used by CI instances only. |