How does IAM access work in the Reference Architecture?
The RefArch diagram shows me network ingress into my environments, but how does IAM work regarding my developers' access, including DevOps teams? Are there IAM Groups created for me that I can add IAM Users to or associate with SSO? Where would those IAM Users live?

---

[Tracked in ticket #108650](https://support.gruntwork.io/hc/requests/108650)

Network access is tracked separately from IAM access, and is managed on the OpenVPN server. However, you can use IAM to grant access to users to generate certificates to access the OpenVPN server using one of the IAM Groups that we provide. In terms of overall access management, the IAM Users are created and managed in the `security` account, in which there will be a set of IAM Groups that grant cross-account assume-role access to the various linked accounts. You can attach a specific IAM Group to the user (such as `_account.dev-full-access` to grant full access to the dev account) to manage which environments the user will have access to.
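
The cross-account model described in the answer above has two halves: the IAM Group's policy in the `security` account must allow `sts:AssumeRole` on a role, and that role's trust policy in the linked account must trust the `security` account. The sketch below is an added example, not Gruntwork's code, that audits which roles a user's group memberships actually reach. The account IDs, role names, policies and the `_account.prod-read-only` group are constructed assumptions, and it matches exact ARNs only (no wildcards, `Deny` statements or conditions).

```python
SECURITY = "111111111111"  # constructed account IDs, not real ones
DEV, PROD = "222222222222", "333333333333"

def group_policy(account_id, role):
    """Identity policy on an IAM Group in the security account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{account_id}:role/{role}"}]}

def trust_policy(trusted_account):
    """Trust policy on a role in a linked account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"}}]}

# Group name from the answer above plus one hypothetical group; role names are hypothetical.
GROUPS = {
    "_account.dev-full-access": group_policy(DEV, "example-full-access"),
    "_account.prod-read-only": group_policy(PROD, "example-read-only"),
}
# Constructed trust policies; the prod role deliberately trusts the wrong account.
ROLE_TRUST = {
    f"arn:aws:iam::{DEV}:role/example-full-access": trust_policy(SECURITY),
    f"arn:aws:iam::{PROD}:role/example-read-only": trust_policy(DEV),
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def granted_role_arns(policy):
    """Role ARNs an identity policy allows sts:AssumeRole on (exact ARNs only)."""
    return [arn for s in as_list(policy["Statement"])
            if s["Effect"] == "Allow" and "sts:AssumeRole" in as_list(s["Action"])
            for arn in as_list(s["Resource"])]

def trusts(trust, account_id):
    """True if the role's trust policy names the given account as principal."""
    root = f"arn:aws:iam::{account_id}:root"
    return any(s["Effect"] == "Allow" and "sts:AssumeRole" in as_list(s["Action"])
               and root in as_list(s.get("Principal", {}).get("AWS", []))
               for s in as_list(trust["Statement"]))

def reachable_roles(user_groups):
    """Roles a security-account user can assume: both sides must allow it."""
    granted = {arn for g in user_groups for arn in granted_role_arns(GROUPS[g])}
    return sorted(arn for arn in granted
                  if arn in ROLE_TRUST and trusts(ROLE_TRUST[arn], SECURITY))

if __name__ == "__main__":
    print(reachable_roles(["_account.dev-full-access", "_account.prod-read-only"]))
```

A group whose policy grants a role that does not trust the `security` account gives no access, which is why the constructed prod role is absent from the result.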