Roll Out Vouch to Your Team
One admin afternoon, one command per developer, no blockers
Your job: get everyone on the team into AWS, Kubernetes, and the package and repo services around them — fast, without handing out static keys, and without you becoming the person everyone waits on. This page is the whole playbook. Each step links to a deep-dive guide, but you should rarely need one.
TL;DR
- Once (admin): register the OIDC provider, deploy one IAM role, note its ARN — 30 minutes.
- Per service (admin): add a few IAM actions to that role — checklist below.
- Per developer: they run
vouch enroll, thenvouch setup aws --role <ARN>— send them this. - Ongoing: offboarding is your IdP + one deny statement; nothing to hunt down.
Day 0 – The foundation
Admin taskEverything below hangs off one OIDC provider and one IAM role. This is the only part with real decisions in it.
Enroll yourself. Install the CLI and enroll your YubiKey – Getting Started (5 minutes). The first person to enroll from your Google Workspace domain becomes the organization owner.
Register the Vouch OIDC provider in AWS – one CLI command or a few lines of Terraform/CloudFormation. Exactly one per organization, in your management account if you have an AWS Organization. AWS guide, Step 1.
Pick your account layout. This decides what roles you deploy:
Your AWS layout What to deploy Guide Single account One VouchDeveloperroleAWS guide Multiple accounts (Organizations) A hub role in the management account, a spoke role per account (StackSets or a Terraform module) Multi-account IAM Identity Center already in place Register Vouch as a trusted token issuer Identity Center Deploy the role(s) with the standard trust policy scoped to
*@yourdomain.com. Start the permissions policy atReadOnlyAccessand broaden deliberately. Write down the role ARN – it is the only thing developers need from you.Plan user lifecycle. Under ~15 people, manual member management in the admin dashboard is fine. At 15+, connect SCIM so your IdP creates and deactivates Vouch users automatically.
Foundation is done when...
aws sts get-caller-identity --profile vouchreturns an assumed-role ARN with your email in the session name.- You have the role ARN (and hub-role ARN, if multi-account) saved somewhere you can paste from.
Enable services
Admin taskEach additional service is IAM permissions on the role you already deployed, plus at most one admin action. Developers then enable it with a single command. Full guides are linked for when something goes sideways.
| Service | Add to the role’s permissions | One-time admin action | Each developer runs |
|---|---|---|---|
| AWS CLI / SDKs | Your chosen policy (start with ReadOnlyAccess) | – | vouch setup aws --role <ARN> |
| EKS | eks:DescribeCluster | Create an Access Entry mapping the role to cluster permissions | vouch setup eks --cluster <NAME> |
| CodeCommit | codecommit:GitPull, codecommit:GitPush | – | vouch setup codecommit --configure |
| CodeArtifact | codeartifact:GetAuthorizationToken, codeartifact:GetRepositoryEndpoint, codeartifact:ReadFromRepository, sts:GetServiceBearerToken | – | vouch setup codeartifact --tool <npm|pip|cargo|pnpm|uv> --repository <REPO> |
| Docker / ECR | ecr:GetAuthorizationToken + pull/push actions | – | vouch setup docker |
| SSM Session Manager | ssm:StartSession (scope by tag) | Instances need the SSM agent + instance profile | aws ssm start-session --target <ID> --profile vouch |
| RDS / Aurora | rds-db:connect | Create IAM-auth database users (GRANT rds_iam) | vouch exec --type rds -- psql ... |
| Bedrock | bedrock:InvokeModel (scope by model) | – | works via the vouch AWS profile |
| GitHub | – (not AWS) | Install the Vouch GitHub App on your org | vouch setup github |
| SSH | – (not AWS) | Trust the Vouch CA in sshd_config | automatic after vouch login |
Sequence tip: ship AWS first (everything else chains off it), then EKS and CodeCommit/CodeArtifact, then the rest as teams ask for them.
Onboard developers
Developer taskDevelopers never touch IAM. Paste the block below into Slack or your onboarding wiki, fill in the two placeholders, and each person is productive in about five minutes – no action from you.
**Set up Vouch (one time, ~5 min, YubiKey required)**
1. Install the CLI and background agent:
brew install vouch-sh/tap/vouch
brew services start vouch
(Linux/Windows: https://vouch.sh/docs/getting-started/)
2. Enroll your YubiKey -- opens the browser for SSO, then asks for a tap:
vouch enroll --server https://us.vouch.sh
3. Connect AWS (paste the role ARN from your admin):
vouch setup aws --role <ROLE_ARN>
4. Connect the cluster (if you use Kubernetes):
vouch setup eks --cluster <CLUSTER_NAME>
5. Start each workday with one tap:
vouch login
Check it worked: `aws sts get-caller-identity --profile vouch`
shows your email in the role ARN. Questions -> #devops-help
Enrollment needs no invite codes or approval – anyone authenticating through your Google Workspace domain lands in your organization automatically.
Pilot, then roll out
Vouch installs alongside existing credentials – the vouch AWS profile, SSH certificates, and stacked Git credential helpers don’t disturb anything your team uses today. So de-risk the rollout the boring way:
- Pilot on yourself plus one volunteer for a week, with static credentials still in place.
- Migrate one integration at a time, AWS first. The migration guide has the recommended order, per-integration checklists, and a rollback plan for each integration.
- Onboard the team with the block above once the pilot is clean.
- Revoke static credentials last – deactivate old AWS access keys, remove stale
authorized_keysentries and PATs only after everyone has run on Vouch for a week. Commands in migration, Phase 3.
CI/CD pipelines are a separate track: they have no YubiKeys and should use their platform’s own OIDC federation or instance roles, not Vouch. See CI/CD considerations – Vouch’s CI/CD integration adds human approval gates on top, it does not replace machine credentials.
When someone leaves
This is the payoff for never distributing static keys: offboarding is your identity provider plus, at most, one IAM statement.
- Deactivate their account in your IdP (you were doing this anyway).
- With SCIM: their Vouch sessions are revoked automatically the moment the IdP deactivates them. Nothing else to do on the Vouch side.
- Without SCIM: use Deactivate and Revoke credentials in the admin dashboard.
- Cut off cached AWS credentials (optional, for immediate effect): STS credentials already on their laptop live up to 1 hour. To kill them instantly, add the
vouch:Emaildeny statement to your roles or as an SCP – copy it from Revoke access for a specific user.
What expires on its own:
| Credential | Gone after |
|---|---|
| Vouch session (new credentials) | immediately on deactivation |
| Cached AWS STS credentials | up to 1 hour |
| SSH certificate, GitHub tokens | up to 8 hours (end of session) |
| ECR / CodeArtifact authorization tokens | up to 12 hours |
There are no access keys to hunt down, no authorized_keys to scrub, no PATs to revoke. Full failure-mode detail (including break-glass access if the Vouch server is ever unreachable) is in Availability.
Related guides
- AWS Integration – the OIDC provider and role this whole page builds on.
- Multi-Account AWS – hub/spoke roles, StackSets, SCP guardrails.
- SCIM Provisioning – automatic user lifecycle from your IdP.
- Migration Guide – integration-by-integration checklists and rollback.
- Availability and Failure Modes – offline behavior and break-glass planning.