The Synthetiq platform triggers deployments in your account through a cross-account IAM role. This page describes the trust model and the role’s permissions.

Cross-account trust model

The Synthetiq platform triggers deployments through a two-hop IAM assume-role chain. This ensures that Synthetiq platform credentials never enter your account, your AWS credentials never enter the Synthetiq platform, and the deployment role has narrowly scoped permissions.

The role chain

Trigger an app deployment
  → Synthetiq API Backend
    → assumes SynthetiqDeployServiceRole (in Synthetiq's account)
      → assumes SynthetiqDeployRole (in your account)
        → starts deployment pipeline (in your account)

SynthetiqDeployRole permissions

The SynthetiqDeployRole is created in your account during infrastructure setup. It is the only role the Synthetiq platform can assume, and its permissions are intentionally narrow:
Permission           Scope
Start deployments    Synthetiq deploy and teardown pipelines only
Monitor deployments  Execution status and build logs for Synthetiq pipelines only
Read stack outputs   Synthetiq infrastructure stacks only
The deploy role cannot access your application data, databases, secrets, or any resources outside the deployment pipeline. It can only trigger and monitor deployments.

Trust policy

The SynthetiqDeployRole trusts only the SynthetiqDeployServiceRole from Synthetiq’s account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<SynthetiqDeployServiceRole ARN>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
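As an added example (not part of the Synthetiq documentation or tooling), the check below compares a trust-policy document retrieved from your account against the model described on this page: a single Allow of sts:AssumeRole for exactly the SynthetiqDeployServiceRole, with no wildcard or account-wide principals. The service-role ARN and the drifted sample policy are constructed placeholders.

```python
import json

# Constructed placeholder for the "<SynthetiqDeployServiceRole ARN>" shown on this page.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:role/SynthetiqDeployServiceRole"

# The trust policy documented on this page, with the placeholder ARN filled in.
DOCUMENTED_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": EXPECTED_PRINCIPAL}, "Action": "sts:AssumeRole"}]})

# Constructed drifted variant: any AWS identity may assume the role, with every STS action.
DRIFTED_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:*"}]})

def _as_list(value):
    """IAM accepts either one string or a list for Statement, Principal.AWS and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, expected_principal=EXPECTED_PRINCIPAL):
    """List deviations from the documented model: one Allow of sts:AssumeRole for exactly
    the SynthetiqDeployServiceRole. An empty list means the policy matches the page."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        where = f"Statement[{idx}]"
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement can only narrow access
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append(f"{where}: NotPrincipal/NotAction grants access by exclusion")
        principal = stmt.get("Principal", {})
        if principal == "*":  # bare "*" is shorthand for every principal
            principal = {"AWS": "*"}
        for key in principal:
            if key != "AWS":
                findings.append(f"{where}: unexpected principal type {key!r}")
        for arn in _as_list(principal.get("AWS")):
            if arn == "*":
                findings.append(f"{where}: wildcard principal; any AWS identity can assume the role")
            elif arn != expected_principal:
                findings.append(f"{where}: principal {arn!r} is not the SynthetiqDeployServiceRole")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"{where}: action {action!r} is broader than sts:AssumeRole")
    return findings

if __name__ == "__main__":
    print(audit_trust_policy(DOCUMENTED_TRUST_POLICY) or "trust policy matches the documentation")
    print(audit_trust_policy(DRIFTED_TRUST_POLICY))
```

Feed it the output of `aws iam get-role` for SynthetiqDeployRole (the AssumeRolePolicyDocument field) to confirm the deployed trust policy still matches this page after setup or later changes.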