Link to chapter - https://serverless-stack.com/chapters/structure-environments-across-aws-accounts.html
This is a tricky subject to generalise about, as engineering functions will have differing requirements, so there is no one-size-fits-all. However, the statement " not every developer on your team should have access or direct access from their terminal to the production environment" is surely incorrect. Developers should never have write access to production, (this is what release pipelines are for). They can of course have read-only access, which I would suggest is managed through strict IAM policies, as explained in the rest of the text.
Yeah exactly. We should clarify that it’s write access that should be restricted.
I don’t know if this topic is too old to discuss or not. I’m working on this problem in my company.
I read the article. I have one question: how do you add a same user (for ex: Mark) into the different accounts with the different permissions ?
For ex: Make has FullAccessS3 on staging account but ReadOnly on prod account
Thank you
You can create two different roles in these accounts that the user will assume into. And those two roles can have the permissions you are looking for.