IAM Roles

Deployment Roles

Role Pattern	Purpose
`<env>-dataops-data-platform-provisioner`	Terraform backend/provider assume role and Kubernetes auth role for env-dataops service roots
`prod-dataops-data-platform-provisioner`	prod CI/CD deployment role for Data Platform-managed prod roots
legacy prod `data-platform-provisioner`	existing prod role retained while prod legacy integrations are migrated

Prod has both the new data-platform provisioner and a legacy provisioner relationship in terraform/accounts/prod-dataops. Treat that as a current exception, not the desired pattern for new env-dataops work.

Runtime Roles

Role Pattern	Purpose
`data-platform-<env>-kyuubi`	default Kyuubi warehouse IRSA
`data-platform-<env>-kyuubi-maintenance`	maintenance Kyuubi warehouse IRSA
`data-platform-<env>-kyuubi-interactive`	interactive Kyuubi warehouse IRSA
`data-platform-<env>-polaris`	Polaris service IRSA
`data-platform-<env>-spark-query-history`	Spark Query History IRSA
`data-platform-<env>-lakehouse-developer`	non-prod local developer lakehouse role
`data-platform-prod-lakehouse-reader`	prod read-only lakehouse role

Grafana Role

Grafana Athena datasources use the same-account prod-grafana-read-only role in each env-dataops account. The role is allowed to query Athena and read/write the account’s Athena query-results bucket for dashboard panels.

Checked Against

terraform/accounts/dev-dataops, stage-dataops, preprod-dataops, and prod-dataops.
terraform/kyuubi/env/*.
terraform/polaris/env/*.
terraform/spark-query-history/env/*.
terraform/lakehouse/env/*.