This is for internal use by the PaaS team. Public-facing documentation is located at


Each AWS account has root account credentials, which we don’t use.

Instead we access AWS resources using IAM.

IAM Roles for VMs

We use IAM roles via instance profiles on our EC2 instances to delegate particular restricted permissions to processes running on those instances.

IAM Roles for Humans

We use separate IAM roles for users on our team to use via AWS’ assume-role feature. See the RE manual for details on how to do this. The available role ARNs that you’ll need for this are documented in paas-aws-account-wide-terraform here

Role configuration

We manage all these IAM roles, and the corresponding policies, using Terraform. The config is in the account-wide-terraform repo. This includes defining who is allowed to assume the above roles.
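
The two kinds of role described above differ mainly in their trust policy, which is where "who is allowed to assume" is defined. The sketch below is an added illustration, not the contents of the account-wide-terraform repo; the resource names, role names, user name and the account ID 111111111111 are all placeholders.

```hcl
# Added illustration: every name and the account ID below are placeholders.

# Role for VMs: only the EC2 service may assume it.
data "aws_iam_policy_document" "vm_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "example_vm" {
  name               = "example-vm-role"
  assume_role_policy = data.aws_iam_policy_document.vm_trust.json
}

# The instance profile is the object attached to the EC2 instance;
# processes on the instance receive temporary credentials for the role.
resource "aws_iam_instance_profile" "example_vm" {
  name = "example-vm-profile"
  role = aws_iam_role.example_vm.name
}

# Role for humans: the trust policy names individual IAM users, so any
# change to who may assume the role shows up as a diff in review.
data "aws_iam_policy_document" "human_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::111111111111:user/alice.example",
      ]
    }
  }
}

resource "aws_iam_role" "example_admin" {
  name               = "example-admin-role"
  assume_role_policy = data.aws_iam_policy_document.human_trust.json
}
```

Permissions policies attached to each role are omitted here; the trust policy only controls who can obtain the role's credentials, not what those credentials can do.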