Skip to main content

Overview

After bootstrapping accounts, configure access for team members. This page covers:
  • IAM Identity Center users and groups
  • GitHub organization membership
The user performing the bootstrap already exists in IAM Identity Center and GitHub. You must import these existing resources before Terraform can manage them (import instructions below).

Configure User Management

The kit manages both AWS IAM Identity Center and GitHub organization membership from a single users.yaml file via Terraform.

Authenticate with GitHub CLI

The Terraform GitHub provider uses credentials from the GitHub CLI. Authenticate with an account that has Owner permissions on your organization:
Follow the prompts to authenticate. Verify you have the necessary permissions:
This should return admin.

Add Users

1

Edit the users configuration

Add users to terraform/live/shared/global/user-management/data/users.yaml:
This file is the single source of truth for both GitHub and AWS access.
2

Import existing resources

Import your existing IAM Identity Center user, groups, and GitHub membership. Add import blocks to terraform/live/shared/global/user-management/imports.tf:
To find the required AWS IDs:
To find existing GitHub members:
3

Apply the user-management stack

This creates/imports:
  • IAM Identity Center users
  • Group memberships (Admin, PowerUser, ReadOnly)
  • Permission set assignments to all accounts
  • GitHub organization memberships

Verify Access Configuration

Before proceeding, verify that your existing users and groups are correctly configured in both AWS and GitHub.

Review IAM Identity Center

  1. Open the IAM Identity Center console in your Management account
  2. Navigate to Users and verify your bootstrap user exists
  3. Navigate to Groups and verify the expected groups exist (Admin, PowerUser, ReadOnly)
  4. Check group memberships by clicking on each group

Review GitHub Organization

  1. Open your GitHub organization’s People page: https://github.com/orgs/<YOUR_ORG>/people
  2. Verify your bootstrap user appears as an Owner
  3. Check the Invitations tab for pending invites; users who haven’t accepted their invitation won’t appear in the members list
Users with pending invitations only appear under the Invitations tab, not in the main members list. Make sure to check both when verifying membership.

Groups and Permission Sets

The kit configures three groups with corresponding permission sets:

Next Steps

With access configured, proceed to Configure Integrations to set up external service integrations for CI/CD.