Deployment Auth

Local Read And Admin Profiles

Engineers use SSO profiles for local reads and investigation:

| Account         | Read Profile    | Admin Profile         |
|-----------------|-----------------|-----------------------|
| dev-dataops     | dev-dataops     | dev-dataops-admin     |
| stage-dataops   | stage-dataops   | stage-dataops-admin   |
| preprod-dataops | preprod-dataops | preprod-dataops-admin |
| prod-dataops    | prod-dataops    | prod-dataops-admin    |

Admin profiles are useful for investigation and non-prod operations when the Terraform root supports local use. Prod write deployments should use protected GitHub Actions.

CI/CD Role Chain

GitHub Actions starts from a repository CI role and then assumes the target environment provisioner.

flowchart LR
  GHA[GitHub Actions OIDC] --> CICD[repo CICD role]
  CICD --> Prov[env-dataops-data-platform-provisioner]
  Prov --> Backend[S3 Terraform backend]
  Prov --> AWS[AWS APIs and Kubernetes auth]

Important Rule

Do not start Terraform from a session that has already assumed the same target provisioner when the backend/provider configuration also assumes that provisioner. Start from the expected source profile or CI role so Terraform backend role assumption behaves normally.
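A pre-flight guard for the rule above and the role chain in the flowchart, written as an added example rather than a script from this repository: it compares the session's caller ARN against the target environment's provisioner role name and refuses to proceed when the session already holds that role. It assumes the AWS CLI v2 is installed and that the provisioner naming follows the `env-dataops-data-platform-provisioner` pattern shown in the chain.

```shell
#!/usr/bin/env bash
# Added example, not part of the project's docs or workflows.
# Refuse to run Terraform when the current session has already assumed the
# target provisioner, because the backend/provider config will try to assume
# that same role again from inside it.
set -eu

# Builds the provisioner role name for an environment (dev, stage, preprod, prod),
# following the env-dataops-data-platform-provisioner naming from the flowchart.
provisioner_role_for() {
  printf '%s-dataops-data-platform-provisioner' "$1"
}

# Returns 0 when the caller ARN is an acceptable starting point for the chain
# (an SSO read/admin profile or the repo CI role) and 1 when the session is
# already the provisioner. Matches both the STS assumed-role ARN shape and a
# plain IAM role ARN; the provisioner name is matched literally.
check_not_already_provisioner() {
  caller_arn="$1"
  provisioner_role="$2"
  case "$caller_arn" in
    arn:aws:sts::*:assumed-role/"$provisioner_role"/*|arn:aws:iam::*:role/"$provisioner_role")
      echo "refusing: session already holds ${provisioner_role};" \
           "start from the source profile or the CI role instead" >&2
      return 1 ;;
    *)
      return 0 ;;
  esac
}

# Live check for the current shell session (calls STS; needs AWS credentials).
# Usage: guard_terraform_session dev && terraform init && terraform plan
guard_terraform_session() {
  env_name="$1"
  arn="$(aws sts get-caller-identity --query Arn --output text)"
  check_not_already_provisioner "$arn" "$(provisioner_role_for "$env_name")"
}
```

Run it with the SSO profile selected (for example `AWS_PROFILE=dev-dataops`) before `terraform init`; a non-zero exit means the session is already inside the provisioner and Terraform should not be started from it.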

Prod Guardrail

prod-dataops-data-platform-provisioner is a CI/CD deployment role. Prod deploys should go through protected workflow approval. Local prod admin access may be useful for read/debug checks, but it should not become the normal prod deployment path.

Checked Against

  • AGENTS.md AWS authentication guidance.
  • .github/workflows/terraform-service-deploy.yml on origin/main.
  • .github/workflows/terraform-deploy-accounts.yml on origin/main.
  • implementations/2026-05-21-dl-419-prod-dataops-runtime-progress.md.