Sourcegraph AWS Organisation is managed by the Ship team. This includes:
- creating new AWS accounts
- OKTA group access assignments to AWS Accounts
- billing alerting
- deleting AWS accounts
| AWS Account | Description | Web console access | cli/terraform access |
|---|---|---|---|
| Team-dedicated dev accounts | Team accounts used for non-production purposes. Storing production/customer data is not allowed. | Login via steps - no Entitle access required | Follow steps - no Entitle access required |
| Team-dedicated production accounts | Team accounts used for production purposes. | Request Entitle permission | Request Entitle permission |
| Cloud production accounts | Customer-dedicated accounts used for connectivity with customers' code hosts. | Request Entitle permission | Request Entitle permission |
| Management Account (Root) Read-only | Management account (read-only) is used to view the OKTA integration, billing and organisation structure. | Request Entitle permission | Request Entitle permission |
| Management Account (Root) Admin | Management account is used to manage AWS Identity Center, integrated with OKTA. Terraform access is required to create/delete AWS accounts and assign access to newly created AWS accounts. | Request Entitle permission | Request Entitle permission |
Note: all existing Sourcegraph AWS accounts can be found here
AWS accounts are owned by a team, which is responsible for requesting access and managing resources. To create a new AWS account:
1. Add the new organisation unit and AWS account here
2. Open a Pull Request and ask for approval in the #discuss-cloud-ops channel.
Note: the default billing alert is set to $500/month. If you require a higher limit, contact the Finance Team and ask for approval in the Pull Request.
- [For Cloud Operations] After merging the PR, follow instructions
AWS account access is managed via OKTA SSO.
Note: requires the AWS CLI.
- Add the required profile to your `~/.aws/config` file:

```ini
[sso-session sg]
sso_start_url = https://d-92672e68f8.awsapps.com/start
sso_region = us-west-2
sso_registration_scopes = sso:account:access

[profile <YOUR_ACCOUNT_NAME>]
sso_session = sg
sso_account_id = <YOUR_ACCOUNT_ID>
sso_role_name = AdministratorAccess
region = us-east-1
output = json
```

- Log in via SSO:

```shell
aws sso login --profile <YOUR_ACCOUNT_NAME>
```
Note: if login does not work, either your Entitle request has not been approved yet or you are missing a required permission. Ask for help in
Log in to OKTA
Click the given account tile and then
Note: if the given account tile is not visible, either your Entitle request has not been approved yet or you are missing a required permission. Ask for help in
You can only delete AWS accounts which belong to your team. To delete an AWS account:
We strongly recommend using an AWS SSO role instead of IAM user credentials for automation. However, if you need IAM user credentials for any reason, they are only allowed in non-production accounts.
Terraform Cloud uses dynamic credentials integration and does not store any credentials.
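As an added example (not Sourcegraph tooling), the following script lints an AWS CLI config in the `sso-session`/`profile` layout shown above: it flags profiles that embed static IAM user keys instead of using an SSO role, and profiles whose SSO settings are incomplete or point at an undefined session. The profile names and account IDs in the embedded sample are constructed placeholders.

```python
"""Lint ~/.aws/config for the SSO-only convention (constructed example)."""
import configparser
from typing import List

# Constructed sample: one compliant SSO profile, one profile carrying static
# IAM user keys (placeholders, not real secrets), one with a dangling session.
SAMPLE_CONFIG = """
[sso-session sg]
sso_start_url = https://d-92672e68f8.awsapps.com/start
sso_region = us-west-2
sso_registration_scopes = sso:account:access

[profile team-dev]
sso_session = sg
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-east-1

[profile legacy-automation]
aws_access_key_id = AKIAPLACEHOLDERNOTREAL
aws_secret_access_key = placeholder-secret-not-real
region = us-east-1

[profile orphan]
sso_session = does-not-exist
sso_account_id = 222222222222
sso_role_name = ReadOnlyAccess
"""

STATIC_KEYS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}
REQUIRED_SSO = ("sso_session", "sso_account_id", "sso_role_name")


def lint_aws_config(text: str) -> List[str]:
    """Return one finding per profile that violates the SSO-only convention."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    # Names of [sso-session <name>] sections that profiles may reference.
    sessions = {s.split(" ", 1)[1] for s in cp.sections() if s.startswith("sso-session ")}
    findings = []
    for section in cp.sections():
        if not section.startswith("profile "):
            continue
        name = section.split(" ", 1)[1]
        keys = set(cp[section])
        if keys & STATIC_KEYS:
            findings.append(f"{name}: static IAM user credentials; use an SSO profile")
            continue
        missing = [k for k in REQUIRED_SSO if k not in keys]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
        elif cp[section]["sso_session"] not in sessions:
            findings.append(f"{name}: sso_session '{cp[section]['sso_session']}' is not defined")
    return findings


if __name__ == "__main__":
    for finding in lint_aws_config(SAMPLE_CONFIG):
        print(finding)
```

To check your real config, read `~/.aws/config` into a string and pass it to `lint_aws_config`; an empty list means every profile uses an SSO role.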