What is an initial role?

An initial role is the first IAM role that users assume when they log into our AWS estate. It is represented by a permission set in the AWS Identity Center.

This initial role can't do anything except assume a more specific IAM role. It's a "stepping stone" into AWS.

Which initial role do you use?

The initial roles are handled by AWS Identity Center configuration for the Platform AWS account.

This is terraformed in the wellcomeorganisation-infra repository, in the Wellcome Trust GitHub organisation.

A table of groups in the Identity Center. Each group has a name (for example, 'RG_WC_Digirati_Developer') and a list of users assigned (for example, 'digirati-dev, azure_sso-saml_provider').

Everybody who can log into our AWS estate is a member of at least one of these groups.

Groups can be associated with permission sets, which apply IAM policies in a particular AWS account.

A table of permission sets in the Identity Center.

When you log in to AWS, your initial permission set is determined by the role you choose at the Identity Center login screen.

The Identity Center login screen with examples of differing permission sets.

Examples

  1. Suppose you're a member of the RG_WC_Digital_Platform_Lead group. A permission set assigned to this group is weco-developer.

    There is only one choice of role, so when you log in to AWS, you're logged in using the weco-developer role.

  2. Suppose you're a member of the RG_WC_Digital_Platform_Lead and RG_WC_Digital_Artefactual groups. The initial roles assigned to these groups are weco-developer and weco-artefactual-developer.

    When you log in to AWS via Identity Center, you'll be offered a choice between these two roles.
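The "stepping stone" pattern above, expressed as an added Terraform illustration (not the wellcomeorganisation-infra code): a permission set whose only allowed action is `sts:AssumeRole` on named target roles, assigned to an Identity Center group in the Platform account. The account ID, target role ARN and the `weco-developer` / `RG_WC_Digital_Platform_Lead` pairing are placeholders chosen to match the first example.

```hcl
# Added illustration, not the wellcomeorganisation-infra code; account ID and role ARN are placeholders.
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn        = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id   = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  platform_account_id = "111111111111" # placeholder
}

# The initial role: a permission set that can do nothing except assume other roles.
resource "aws_ssoadmin_permission_set" "weco_developer" {
  name         = "weco-developer"
  instance_arn = local.instance_arn
}

# Least privilege: sts:AssumeRole only, and only on the named target roles.
data "aws_iam_policy_document" "assume_only" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::${local.platform_account_id}:role/platform-developer"] # placeholder
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "weco_developer" {
  inline_policy      = data.aws_iam_policy_document.assume_only.json
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.weco_developer.arn
}

# Look up the Identity Center group by its display name ...
data "aws_identitystore_group" "platform_lead" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "RG_WC_Digital_Platform_Lead"
    }
  }
}

# ... and assign the permission set to that group in the Platform account.
resource "aws_ssoadmin_account_assignment" "platform_lead_developer" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.weco_developer.arn
  principal_id       = data.aws_identitystore_group.platform_lead.group_id
  principal_type     = "GROUP"
  target_id          = local.platform_account_id
  target_type        = "AWS_ACCOUNT"
}
```

The inline policy is only half of the control: the target role's trust policy must also list the permission set's role as a trusted principal, otherwise the AssumeRole call is denied on the other side.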
