Skip to main content

One post tagged with "aws"

View All Tags

· 3 min read



  • A company size of 200 people seperated into 10 teams.
  • Administer can have the company-wide policy to limit AWS account.
  • Easy way to switch user to the other team.
  • Single login page for user to login
  • Each team wants its own access to its resources.
  • Also, different environment for specific purpose.
  • Sometimes, they need temporarily cooperation between teams.
  • For auditing, bills should be seperated by each team.



graph LR R[Organization root] --> C[Company OU] C[Company OU] --> A1[Team A production AWS account] C[Company OU] --> A2[Team A staging AWS account] C[Company OU] --> B1[Team B production AWS account] C[Company OU] --> B2[Team B staging AWS account] R[Organization root] --> P[playground AWS account]

Company OU will whitelist AWS resource and region. Playground account has no limitation on AWS resource. Periodically clean resource of playground account.


AWS Tag is another solution to have more detail bill within AWS account.


Create terraform IAM access key and attach AdministratorAccess policy as Terraform repo's credential.

graph LR; A[A AWS account] --> AT[A Terraform repo]; AT[A Terraform repo] --> A[A AWS account]; B[B AWS account] --> BT[B Terraform repo]; BT[B Terraform repo] --> B[B AWS account];



Recommended using SSO to manage AWS Accounts, otherwise you will have to manage your account from different place.

Google apps SSO


You have to have GSuite super administrator access.

Follow the How to Set Up Federated Single Sign-On to AWS Using Google Apps instruction

Then, you will find out it's one-to-one mapping between Google account and IAM role.

We want mapping of Google group and IAM role.

Refer repo

By using GSuite Admin API

Iterate the Google group, for each Google account, map to corresponding IAM role


graph LR; A[A AWS account admin group] --> AA[Administer role of A account]; A[A AWS account readonly group] --> AR[readonly role of account]; B[B AWS account admin group] --> BA[Administer role of A account]; B[B AWS account readonly group] --> BR[readonly role of account];

Assign user to group to have access to account.

Neat short-term credentials for command line interface