What is an initial role?
Last updated
An initial role is the first IAM role that users assume when they log into our AWS estate. It is represented by a permission set in the AWS Identity Center.
This initial role can't do anything except assume a more specific IAM role. It's a "stepping stone" into AWS.
The initial roles are handled by for the Platform AWS account.
This is terraformed in the wellcomeorganisation-infra repository, in the Wellcome Trust GitHub organisation.
Everybody who can log into our AWS estate is a member of at least one of these groups.
Groups can be associated with permission sets, which apply IAM policies in a particular AWS account.
When you log in to AWS, your initial permission set is determined by the role you choose at the Identity Center login screen.
Suppose you're a member of the RG_WC_Digital_Platform_Lead group. A permission set assigned to this group is weco-developer.
There is only one choice of role, so when you log in to AWS, you're logged in using the weco-developer role.
Suppose you're a member of the RG_WC_Digital_Platform_Lead and RG_WC_Digital_Artefactual groups. The initial roles assigned to these groups are weco-developer and weco-artefactual-developer.
When you log in to AWS via Identity Center, you'll be offered a choice between these two roles.
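As an added illustration of the group-to-permission-set mapping and the "stepping stone" idea above (this is example Terraform, not the code in wellcomeorganisation-infra), the following defines a weco-developer permission set whose only permission is sts:AssumeRole, and assigns it to the RG_WC_Digital_Platform_Lead group in one account. The account ID, the session duration and the weco-developer-* role name pattern are assumptions.

```hcl
data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn    = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id   = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  platform_account_id = "111111111111" # placeholder, not the real Platform account
}

# Look up the Identity Center group by display name (group name from this page).
data "aws_identitystore_group" "platform_lead" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "RG_WC_Digital_Platform_Lead"
    }
  }
}

# The initial role, represented as a permission set.
resource "aws_ssoadmin_permission_set" "weco_developer" {
  name             = "weco-developer"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT8H" # assumed value
}

# The only thing the initial role may do is assume a more specific role.
# Nothing else is granted, so a fresh login can do nothing until the user
# switches role. The role name prefix is an assumption for this example.
resource "aws_ssoadmin_permission_set_inline_policy" "weco_developer" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.weco_developer.arn
  inline_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "AssumeSpecificRolesOnly"
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = "arn:aws:iam::*:role/weco-developer-*"
    }]
  })
}

# Bind the group to the permission set in the target account; this is what
# makes weco-developer appear as a role choice at the Identity Center login screen.
resource "aws_ssoadmin_account_assignment" "platform_lead_developer" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.weco_developer.arn
  principal_id       = data.aws_identitystore_group.platform_lead.group_id
  principal_type     = "GROUP"
  target_id          = local.platform_account_id
  target_type        = "AWS_ACCOUNT"
}
```

A second account assignment for RG_WC_Digital_Artefactual with a weco-artefactual-developer permission set is what produces the two-role choice described above for someone in both groups.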