Cloud & Platform Engineering
This page shipped itself.
No AWS keys. No console clicks. A push to master became a short-lived
OIDC token, a one-hour role session, and an s3 sync — and here we are,
served out of the EC Private Outreach dev account.
- git push branch: master
- id_token aud: gitlab.com
- assume-role sts · 60-min creds
- s3 sync ./public → bucket
- cloudfront edge · you are here
stage: platform
What CPE builds
Multi-account AWS foundations — organizations, OUs, guardrails, vended accounts.
Everything as code. If it exists in AWS, it exists in state.
Cluster platforms the product teams build on, from node pools to network policy.
GitOps delivery — clusters pull what git declares, nothing else.
Pipelines with OIDC and zero stored cloud keys — like the one that shipped this page.
Per-product account boundaries, segregated routing, and controlled paths out.
stage: team
terraform plan — module.team_cpe
# refreshing state... done. no drift detected.
Plan: 7 to add, 0 to change, 0 to destroy.
stage: verify
How the deploy works
-
token
The CI job asks GitLab for an
id_tokenwithaud: https://gitlab.com. It lives for minutes and names this exact project and branch. -
trust
An IAM role in the dev account trusts GitLab's OIDC issuer for this project path only.
sts assume-role-with-web-identityswaps the token for one-hour credentials. -
ship
aws s3 syncmirrors./publicto the bucket, and a CloudFront invalidation refreshes the edge. Nothing stored, nothing to rotate, nothing to leak.