Developer Center

AWS users and authentication

Authenticating AWS accounts for your PowerTools workspace environments

Workspace setup

When you first create a workspace, you declare one or more environments in your .powertools/workspace.yml schema.

When you run pt workspace sync, PowerTools will automatically build the infrastructure for your entire team, setting up your AWS or GCP account(s) for each region.

Sync and teardown permissions

When you run pt workspace sync or pt workspace teardown, we recommend providing AWS credentials which have the AdministratorAccess iam policy available.

Since workspace sync and teardown configure your entire AWS account, including various clusters, dns zones and IAM roles, escalated permissions are required.

You can also provide root user credentials when running sync and teardown commands.

Pt user role

During pt workspace sync, PowerTools will automatically create an IAM policy with the correct permissions for using the pt cli.

Each environment will have a role with the following format:


Adding a user

To add a user to an environment in your workspace:

  • create an IAM user
  • attach the user-role-allowed policy described above to that user

Authenticating with pt

pt will prompt you for your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to authenticate with your cloud accounts.

Please find the credentials for your IAM account by following these directions.

Using root credentials

If you are trying PowerTools out for personal use, or have a small team, you can provide root credentials to simplify credential management.

Root credentials are not recommended for production workspaces.