Overview

After bootstrapping accounts, configure access for team members. This page covers:
  • IAM Identity Center users and groups
  • GitHub organization membership
The user performing the bootstrap already exists in IAM Identity Center and GitHub. You must import these existing resources before Terraform can manage them (import instructions below).

Configure User Management

The kit manages both AWS IAM Identity Center and GitHub organization membership from a single users.yaml file via Terraform.

Authenticate with GitHub CLI

The Terraform GitHub provider uses credentials from the GitHub CLI. Authenticate with an account that has Owner permissions on your organization:
gh auth login
Follow the prompts to authenticate. Verify you have the necessary permissions:
gh api orgs/<YOUR_ORG>/memberships/$( gh api user --jq '.login' ) --jq '.role'
This should return admin.

Add Users

Step 1: Edit the users configuration

Add users to terraform/live/shared/global/user-management/data/users.yaml:
users:
  - github:
      username: your-github-username
      role: admin
      teams:
        Admin:
          role: maintainer
    aws:
      user_name: you@example.com
      email: you@example.com
      group_membership: [Admin]
      given_name: Your
      family_name: Name
This file is the single source of truth for both GitHub and AWS access.
Step 2: Import existing resources

Import your existing IAM Identity Center user, groups, and GitHub membership. Add import blocks to terraform/live/shared/global/user-management/imports.tf:
# IAM Identity Center user
import {
  to = module.aws-iam-identity-center.aws_identitystore_user.sso_users["you@example.com"]
  id = "<IDENTITY_STORE_ID>/<USER_ID>"
}

# IAM Identity Center group (if it exists)
import {
  to = module.aws-iam-identity-center.aws_identitystore_group.sso_groups["Admin"]
  id = "<IDENTITY_STORE_ID>/<GROUP_ID>"
}

# IAM Identity Center group membership
import {
  to = module.aws-iam-identity-center.aws_identitystore_group_membership.sso_group_membership["you@example.com_Admin"]
  id = "<IDENTITY_STORE_ID>/<MEMBERSHIP_ID>"
}

# GitHub organization member
import {
  to = module.github_membership.github_membership.this["your-github-username"]
  id = "<YOUR_ORG>:your-github-username"
}
To find the required AWS IDs:
# Get the Identity Store ID
aws sso-admin list-instances --query 'Instances[0].IdentityStoreId' --output text

# List users
aws identitystore list-users --identity-store-id <IDENTITY_STORE_ID>

# List groups
aws identitystore list-groups --identity-store-id <IDENTITY_STORE_ID>

# Get a group membership ID
aws identitystore get-group-membership-id \
  --identity-store-id <IDENTITY_STORE_ID> \
  --group-id <GROUP_ID> \
  --member-id UserId=<USER_ID>
To find existing GitHub members:
gh api orgs/<YOUR_ORG>/members --jq '.[].login'
Step 3: Apply the user-management stack

cd terraform
terramate run --tags user-management -- terraform init
terramate run --tags user-management -- terraform apply
This creates/imports:
  • IAM Identity Center users
  • Group memberships (Admin, PowerUser, ReadOnly)
  • Permission set assignments to all accounts
  • GitHub organization memberships

Verify Access Configuration

Before proceeding, verify that your existing users and groups are correctly configured in both AWS and GitHub.

Review IAM Identity Center

  1. Open the IAM Identity Center console in your Management account
  2. Navigate to Users and verify your bootstrap user exists
  3. Navigate to Groups and verify the expected groups exist (Admin, PowerUser, ReadOnly)
  4. Check group memberships by clicking on each group

Review GitHub Organization

  1. Open your GitHub organization’s People page: https://github.com/orgs/<YOUR_ORG>/people
  2. Verify your bootstrap user appears as an Owner
  3. Check the Invitations tab for pending invites; users who haven’t accepted their invitation won’t appear in the members list
Users with pending invitations only appear under the Invitations tab, not in the main members list. Make sure to check both when verifying membership.
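The following script is an added example, not code from the kit. It ties together step 1 (users.yaml), step 2 (finding IDs and writing import blocks) and the verification checks above: it validates the users.yaml structure, generates import blocks for the declared resources that already exist, lists the user/group pairs that still need a membership ID from get-group-membership-id, and reports drift, meaning accounts present in IAM Identity Center or GitHub that users.yaml does not declare (access Terraform will not manage) and declared GitHub users whose invitation is still pending. It assumes the users.yaml shape shown on this page, the JSON field names returned by aws identitystore list-users / list-groups and gh api orgs/<ORG>/members / invitations, and embeds the parsed users.yaml as a dict (yaml.safe_load would produce it in real use); all IDs, logins and addresses are constructed placeholders.

```python
import json

# Constructed placeholders, not real IDs or accounts
IDENTITY_STORE_ID = "d-PLACEHOLDER"
ORG = "example-org"
KNOWN_GROUPS = {"Admin", "PowerUser", "ReadOnly"}  # the kit's three groups

# Parsed form of users.yaml, as yaml.safe_load would return it (constructed sample)
USERS_DOC = {
    "users": [
        {"github": {"username": "alice-gh", "role": "admin",
                    "teams": {"Admin": {"role": "maintainer"}}},
         "aws": {"user_name": "alice@example.com", "email": "alice@example.com",
                 "group_membership": ["Admin"],
                 "given_name": "Alice", "family_name": "Example"}},
        {"github": {"username": "bob-gh", "role": "member", "teams": {}},
         "aws": {"user_name": "bob@example.com", "email": "bob@example.com",
                 "group_membership": ["ReadOnly"],
                 "given_name": "Bob", "family_name": "Example"}},
    ]
}

# Constructed CLI output: aws identitystore list-users / list-groups,
# gh api orgs/<ORG>/members and gh api orgs/<ORG>/invitations
AWS_USERS = json.loads('{"Users": [{"UserName": "alice@example.com", "UserId": "USER-ALICE"},'
                       ' {"UserName": "carol@example.com", "UserId": "USER-CAROL"}]}')
AWS_GROUPS = json.loads('{"Groups": [{"DisplayName": "Admin", "GroupId": "GROUP-ADMIN"}]}')
GH_MEMBERS = json.loads('[{"login": "alice-gh"}, {"login": "mallory-gh"}]')
GH_INVITATIONS = json.loads('[{"login": "bob-gh"}]')


def validate(doc):
    """Return a list of problems found in users.yaml; an empty list means it is well-formed."""
    problems, seen_aws, seen_gh = [], set(), set()
    for entry in doc.get("users", []):
        aws, gh = entry.get("aws", {}), entry.get("github", {})
        name, login = aws.get("user_name"), gh.get("username")
        if not name or not login:
            problems.append(f"entry missing aws.user_name or github.username: {entry}")
            continue
        if name in seen_aws:
            problems.append(f"duplicate aws user {name}")
        if login in seen_gh:
            problems.append(f"duplicate github user {login}")
        seen_aws.add(name)
        seen_gh.add(login)
        for group in aws.get("group_membership", []):
            if group not in KNOWN_GROUPS:  # an unknown group silently grants nothing
                problems.append(f"{name}: unknown group {group}")
        if gh.get("role") not in ("admin", "member"):
            problems.append(f"{login}: github role must be admin or member")
    return problems


def _block(to, resource_id):
    return f'import {{\n  to = {to}\n  id = "{resource_id}"\n}}'


def import_blocks(doc, aws_users, aws_groups, gh_members, store_id, org):
    """Emit Terraform import blocks for declared users/groups that already exist."""
    user_ids = {u["UserName"]: u["UserId"] for u in aws_users["Users"]}
    group_ids = {g["DisplayName"]: g["GroupId"] for g in aws_groups["Groups"]}
    members = {m["login"] for m in gh_members}
    blocks = []
    for entry in doc["users"]:
        name, login = entry["aws"]["user_name"], entry["github"]["username"]
        if name in user_ids:
            blocks.append(_block(
                f'module.aws-iam-identity-center.aws_identitystore_user.sso_users["{name}"]',
                f"{store_id}/{user_ids[name]}"))
        if login in members:
            blocks.append(_block(
                f'module.github_membership.github_membership.this["{login}"]',
                f"{org}:{login}"))
    for group, gid in group_ids.items():
        blocks.append(_block(
            f'module.aws-iam-identity-center.aws_identitystore_group.sso_groups["{group}"]',
            f"{store_id}/{gid}"))
    return blocks


def membership_lookups(doc, aws_users, aws_groups):
    """(user, group) pairs whose membership ID must still be fetched with get-group-membership-id."""
    live_users = {u["UserName"] for u in aws_users["Users"]}
    live_groups = {g["DisplayName"] for g in aws_groups["Groups"]}
    return [(e["aws"]["user_name"], g) for e in doc["users"]
            for g in e["aws"].get("group_membership", [])
            if e["aws"]["user_name"] in live_users and g in live_groups]


def drift(doc, aws_users, gh_members, gh_invitations):
    """Accounts outside users.yaml (unmanaged) and declared users not yet present or pending."""
    declared_aws = {e["aws"]["user_name"] for e in doc["users"]}
    declared_gh = {e["github"]["username"] for e in doc["users"]}
    live_aws = {u["UserName"] for u in aws_users["Users"]}
    live_gh = {m["login"] for m in gh_members}
    pending = {i["login"] for i in gh_invitations if i.get("login")}
    return {
        "aws_unmanaged": sorted(live_aws - declared_aws),
        "github_unmanaged": sorted(live_gh - declared_gh),
        "aws_missing": sorted(declared_aws - live_aws),
        "github_pending": sorted(declared_gh & pending),
        "github_missing": sorted(declared_gh - live_gh - pending),
    }


if __name__ == "__main__":
    print("problems:", validate(USERS_DOC))
    print("\n\n".join(import_blocks(USERS_DOC, AWS_USERS, AWS_GROUPS, GH_MEMBERS,
                                    IDENTITY_STORE_ID, ORG)))
    print("membership lookups:", membership_lookups(USERS_DOC, AWS_USERS, AWS_GROUPS))
    print("drift:", json.dumps(drift(USERS_DOC, AWS_USERS, GH_MEMBERS, GH_INVITATIONS), indent=2))
```

In real use, replace the constructed constants with the parsed users.yaml and the JSON output of the CLI commands from step 2; the "unmanaged" lists are the ones to act on, since every account they contain holds access that the users.yaml source of truth does not record.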

Groups and Permission Sets

The kit configures three groups with corresponding permission sets:
Group     | Permission Set      | Access Level
----------|---------------------|-------------------------------
Admin     | AdministratorAccess | Full access to all accounts
PowerUser | PowerUserAccess     | Full access except IAM
ReadOnly  | ViewOnlyAccess      | Read-only access

Next Steps

With access configured, proceed to Configure Integrations to set up external service integrations for CI/CD.