AWS SSO Permissions
Recro uses AWS IAM Identity Center (SSO) with three permission tiers mapped to groups.
Permission Sets

| Group | Permission Set | Session Duration | Access Level |
|---|---|---|---|
| architect | adminAccess | 8 hours | Full administrative access |
| engineer | userAccess | 4 hours | Common AWS services |
| audit | readOnly | 1 hour | Read-only access for auditing |
Permission Details

adminAccess (Architects)

Full administrative access to all AWS services. Use for:
- Infrastructure changes
- IAM and security configuration
- Account-level settings

userAccess (Engineers)

Access to common development and operations services:
- Compute: EC2, EKS, Lambda
- Storage: S3, EBS, EFS
- Database: RDS
- Networking: Route53
- Security: IAM (limited), KMS
- Container: ECR

readOnly (Audit)

Read-only access across all services. Use for:
- Security audits
- Compliance reviews
- Cost analysis
AWS CLI Profile Templates
Add these to ~/.aws/config, replacing <ACCOUNT_ID> with the actual account ID:
```ini
[profile recro-admin]
sso_start_url = https://recrocog.awsapps.com/start
sso_region = us-east-1
sso_account_id = <ACCOUNT_ID>
sso_role_name = adminAccess
region = us-east-1

[profile recro-engineer]
sso_start_url = https://recrocog.awsapps.com/start
sso_region = us-east-1
sso_account_id = <ACCOUNT_ID>
sso_role_name = userAccess
region = us-east-1

[profile recro-readonly]
sso_start_url = https://recrocog.awsapps.com/start
sso_region = us-east-1
sso_account_id = <ACCOUNT_ID>
sso_role_name = readOnly
region = us-east-1
```
Verify Your Access
Check which role you're currently using:
The ARN in the response indicates your permission set:
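
As an added example (not part of Recro's own documentation), the check can be scripted in shell: `aws sts get-caller-identity` returns an assumed-role ARN whose role name has the form `AWSReservedSSO_<permission set>_<suffix>`, and the functions below extract the permission set and map it to the tiers in the table above. The function names and the sample ARN are assumptions constructed for illustration.

```shell
# Print the permission set name embedded in an assumed-role ARN.
# Returns 1 if the ARN is not an IAM Identity Center role session.
permission_set_from_arn() {
  local arn="$1" role
  case "$arn" in
    arn:aws:sts::*:assumed-role/AWSReservedSSO_*/*) ;;
    *) return 1 ;;
  esac
  role="${arn#*:assumed-role/}"   # AWSReservedSSO_<set>_<suffix>/<session>
  role="${role%%/*}"              # drop the session name
  role="${role#AWSReservedSSO_}"  # drop the fixed prefix
  printf '%s\n' "${role%_*}"      # drop only the trailing _<suffix>
}

# Print "<group> (<session duration>)" for the permission sets on this page.
tier_for_permission_set() {
  case "$1" in
    adminAccess) echo "architect (8 hours)" ;;
    userAccess)  echo "engineer (4 hours)" ;;
    readOnly)    echo "audit (1 hour)" ;;
    *) return 1 ;;
  esac
}

# Live check for one profile (hypothetical helper; needs the AWS CLI).
# Exit status 2 means the call failed, typically an expired SSO session.
check_profile() {
  local profile="$1" arn pset
  if ! arn="$(aws sts get-caller-identity --profile "$profile" \
                --query Arn --output text 2>/dev/null)"; then
    echo "no valid session; run: aws sso login --profile $profile" >&2
    return 2
  fi
  pset="$(permission_set_from_arn "$arn")" || {
    echo "not an SSO role session: $arn" >&2
    return 1
  }
  echo "$profile -> $pset: $(tier_for_permission_set "$pset" || echo unknown)"
}

# Constructed sample ARN: account ID, suffix and user name are made up.
SAMPLE_ARN='arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_userAccess_0123456789abcdef/jane@example.com'
```

Run `check_profile recro-engineer` after signing in; a result other than the tier you expect means the profile's `sso_role_name` does not match your group.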
Session Expiry
Sessions expire after the duration listed above. Re-authenticate with:
Requesting Access Changes
SSO users and group memberships are managed via Infrastructure as Code. See Infrastructure Changes for the process to request access modifications.
See Also
- AWS SSO Setup - Initial CLI configuration
- Infrastructure Changes - How to modify SSO configuration