
Onboarding & Access Requests

This page covers the permissions and service access a new team member needs, and provides a Jira ticket template to request them.


What You Need Access To

| Service | Why | Who Grants |
| --- | --- | --- |
| AWS Account (065677397440) | Bedrock LLMs, Secrets Manager, SSM tunnels, ECS, CDK deploys | Platform / DevOps |
| GitHub (Olink-Proteomics org) | Source code, PRs, CI/CD, wiki | Engineering Lead |
| Neo4j (production) | Query and inspect the knowledge graph | Platform / DevOps |
| Redis (ElastiCache) | Session/cache debugging (optional) | Platform / DevOps |
| Grafana | Monitoring dashboards, eval metrics | Platform / DevOps |
| Entra ID / Cognito | Frontend auth (if working on auth flows) | IT / Identity |

Required AWS Permissions

At minimum, a developer needs the IAM policy statements below. Each block is one statement; put the ones that apply into the Statement array of a single policy document attached to the developer's role or user.

Core Development

{
  "Effect": "Allow",
  "Action": [
    "bedrock:InvokeModel",
    "bedrock:ListFoundationModels",
    "secretsmanager:GetSecretValue",
    "secretsmanager:ListSecrets",
    "ssm:GetParameter",
    "ssm:GetParametersByPath",
    "ssm:StartSession",
    "ecs:ListTasks",
    "ecs:DescribeTasks",
    "ecs:DescribeServices",
    "ec2:DescribeInstances",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs"
  ],
  "Resource": "*"
}

Neo4j Tunnel (SSM bastion)

{
  "Effect": "Allow",
  "Action": [
    "ec2:RunInstances",
    "ec2:StartInstances",
    "ec2:TerminateInstances",
    "ec2:CreateTags",
    "iam:PassRole"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": "eu-north-1"
    }
  }
}

CDK Deployments (if deploying infrastructure)

{
  "Effect": "Allow",
  "Action": [
    "cloudformation:*",
    "ecs:*",
    "elasticache:*",
    "ec2:*",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "logs:*",
    "s3:*"
  ],
  "Resource": "*"
}

Least privilege

The statements above are deliberately broad so that onboarding is quick; they are not a safe long-term grant. Two things deserve attention before they are attached to a real principal. First, iam:PassRole on Resource "*" next to ec2:RunInstances lets the holder launch an instance carrying any role in the account, including roles far more privileged than the tunnel bastion needs. Second, iam:CreateRole, iam:AttachRolePolicy and iam:PutRolePolicy on "*" in the CDK block are equivalent to administrator access, since the holder can attach any policy to any role. The platform team should scope the actions to resource ARNs (the graphrag-secrets secret, the /graphrag/ parameter path, the bastion role) and add conditions such as ec2:InstanceType for the t3.micro bastion and iam:PassedToService for the PassRole grant. Adjust to your org's security posture.
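The script below is an added example, not code from the gav360-graphrag-api repository. It does two things offline: it flags any Allow statement on this page where an escalation or broad data-access action sits on Resource "*", and it builds the scoped-down rewrite of the Secrets Manager, Parameter Store and tunnel grants that the note above asks for. The account, region, secret name and parameter path are the page's; the bastion role name graphrag-tunnel-bastion and the Purpose=neo4j-tunnel tag are assumptions used only for illustration.

```python
"""Offline IAM statement check for the onboarding policies on this page.

Added example, not part of the project repository. Account, region,
secret name and parameter path come from the page; the bastion role
name and the Purpose tag are assumed conventions.
"""
import fnmatch

ACCOUNT, REGION = "065677397440", "eu-north-1"

# Actions a developer policy should never grant on Resource "*".
RISKY = {
    "iam:PassRole": "launch an instance with any role in the account",
    "iam:CreateRole": "create roles with arbitrary trust policies",
    "iam:AttachRolePolicy": "attach AdministratorAccess to any role",
    "iam:PutRolePolicy": "write an inline admin policy on any role",
    "secretsmanager:GetSecretValue": "read every secret, not only graphrag-secrets",
    "ec2:RunInstances": "launch any instance type with any AMI",
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def find_risky(statement):
    """Return (granted_pattern, risky_action, reason) triples for an Allow
    statement whose Resource is "*" and whose Action globs cover a risky action."""
    if statement.get("Effect") != "Allow" or "*" not in _as_list(statement.get("Resource")):
        return []
    findings = []
    for pattern in _as_list(statement.get("Action")):
        for action, why in RISKY.items():
            # IAM matches action names case-insensitively with '*' and '?' globbing.
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                findings.append((pattern, action, why))
    return findings


def scoped_statements(account=ACCOUNT, region=REGION,
                      bastion_role="graphrag-tunnel-bastion"):  # assumed role name
    """Scoped replacement for the Secrets Manager, SSM and tunnel grants."""
    ec2 = f"arn:aws:ec2:{region}:{account}"
    return [
        {"Sid": "ReadGraphragSecretsOnly", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         # Secrets Manager appends a random suffix to the secret ARN, hence the -*.
         "Resource": f"arn:aws:secretsmanager:{region}:{account}:secret:graphrag-secrets-*"},
        {"Sid": "ReadGraphragParametersOnly", "Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
         "Resource": f"arn:aws:ssm:{region}:{account}:parameter/graphrag/*"},
        {"Sid": "LaunchOnlyMicroBastion", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": f"{ec2}:instance/*",
         "Condition": {"StringEquals": {"ec2:InstanceType": "t3.micro"}}},
        # RunInstances is also authorised against these resource types; they carry
        # no instance-type key, so they need a separate unconditioned statement.
        {"Sid": "LaunchSupportingResources", "Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": [f"arn:aws:ec2:{region}::image/ami-*", f"{ec2}:network-interface/*",
                      f"{ec2}:security-group/*", f"{ec2}:subnet/*", f"{ec2}:volume/*"]},
        {"Sid": "TagAtLaunchOnly", "Effect": "Allow",
         "Action": "ec2:CreateTags", "Resource": f"{ec2}:*",
         "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}},
        {"Sid": "ManageOnlyTaggedBastion", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:TerminateInstances"],
         "Resource": f"{ec2}:instance/*",
         # Assumed tag convention for bastions created by neo4j-tunnel.sh.
         "Condition": {"StringEquals": {"aws:ResourceTag/Purpose": "neo4j-tunnel"}}},
        {"Sid": "PassOnlyBastionRoleToEc2", "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": f"arn:aws:iam::{account}:role/{bastion_role}",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ]


# The three statements from this page, transcribed as constructed input.
PAGE_STATEMENTS = {
    "core": {"Effect": "Allow", "Resource": "*", "Action": [
        "bedrock:InvokeModel", "bedrock:ListFoundationModels",
        "secretsmanager:GetSecretValue", "secretsmanager:ListSecrets",
        "ssm:GetParameter", "ssm:GetParametersByPath", "ssm:StartSession",
        "ecs:ListTasks", "ecs:DescribeTasks", "ecs:DescribeServices",
        "ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets", "ec2:DescribeVpcs"]},
    "tunnel": {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:RunInstances", "ec2:StartInstances", "ec2:TerminateInstances",
        "ec2:CreateTags", "iam:PassRole"],
        "Condition": {"StringEquals": {"aws:RequestedRegion": REGION}}},
    "cdk": {"Effect": "Allow", "Resource": "*", "Action": [
        "cloudformation:*", "ecs:*", "elasticache:*", "ec2:*", "iam:CreateRole",
        "iam:AttachRolePolicy", "iam:PutRolePolicy", "logs:*", "s3:*"]},
}


def audit(statements):
    """Map statement name -> list of findings; an empty list means clean."""
    return {name: find_risky(stmt) for name, stmt in statements.items()}


if __name__ == "__main__":
    for name, findings in audit(PAGE_STATEMENTS).items():
        print(f"[{name}] {len(findings)} risky grant(s)")
        for pattern, action, why in findings:
            print(f"   {pattern:<22} covers {action:<32} -> {why}")
    scoped = {s["Sid"]: s for s in scoped_statements()}
    print("scoped rewrite findings:", sum(len(v) for v in audit(scoped).values()))
```

Run as a script it lists one finding for the core block, two for the tunnel block and four for the CDK block, and none for the scoped rewrite. The second RunInstances statement exists because AMI, subnet, security-group, ENI and volume resources have no ec2:InstanceType key and would otherwise be denied; ec2:CreateTags is conditioned on ec2:CreateAction so tags can be written only as part of the launch, and the Start/Terminate grant then keys on that tag.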


Jira Ticket Template

Copy the template below and submit it to your IT/Platform team's Jira project.


Title

[Access Request] New Developer Onboarding — <Your Name>

Description

Hi team,

I'm joining the Olink RAG / GraphRAG project and need the following access provisioned.

**Requestor**: <Your Name>
**Email**: <your.email@olink.com>
**Start Date**: <YYYY-MM-DD>
**Team**: <e.g., Bioinformatics / ML Platform / Frontend>
**Manager**: <Manager Name>

---

## 1. AWS IAM Access

- **Account**: 065677397440 (eu-north-1)
- **Requested permissions**:
  - [ ] Bedrock model invocation (InvokeModel, ListFoundationModels)
  - [ ] Secrets Manager read (GetSecretValue for graphrag-secrets)
  - [ ] SSM Parameter Store read (GetParameter, GetParametersByPath under /graphrag/)
  - [ ] SSM Session Manager (StartSession — for Neo4j tunnel)
  - [ ] ECS read (ListTasks, DescribeTasks — for tunnel IP discovery)
  - [ ] EC2 limited (RunInstances, TerminateInstances — t3.micro tunnel bastion only)
  - [ ] CDK deploy permissions (only if deploying infrastructure)
- **Preferred method**: SSO profile / Assumed role / IAM user with programmatic access (pick one; an SSO profile or assumed role is preferred over long-lived IAM user keys)
- **MFA**: Yes

## 2. GitHub Access

- **Org**: Olink-Proteomics
- **Repos**:
  - [ ] gav360-graphrag-api (read/write)
  - [ ] gav360_graphrag_react (read/write, if frontend work)
- **Team membership**: <team name>

## 3. Neo4j Database

- **Access level**: Read-only (or read-write if doing ingestion work)
- **Databases**: olink1, olink2, olink3 (as needed)
- **Connection**: Via SSM tunnel (no direct internet exposure)

## 4. Grafana / Monitoring

- **Dashboard access**: Olink RAG Eval E2E dashboard
- **Role**: Viewer (or Editor if maintaining dashboards)

## 5. Optional / Role-Specific

- [ ] Entra ID app registration access (auth work)
- [ ] Docker Hub / ECR push access (container builds)
- [ ] CodeArtifact read (private Python packages)

---

**Notes**: <Any additional context, e.g., "I'll be working on the evaluation module" or "Need SageMaker endpoint access for fine-tuning">

After Access Is Granted

Once your permissions are provisioned:

  1. Configure AWS credentials locally — see AWS Credentials & Neo4j Tunnel
  2. Clone the repo and install dependencies:
    git clone git@github.com:Olink-Proteomics/gav360-graphrag-api.git
    cd gav360-graphrag-api
    uv sync
  3. Pull secrets into your .env (the file now holds live credentials; keep it out of version control):
    uv run python cdk_resources/scripts/sync_env.py
  4. Open the Neo4j tunnel:
    bash cdk_resources/scripts/neo4j-tunnel.sh create graphrag
  5. Verify everything works:
    uv run pytest tests/unit/ -q --tb=short -x
    uv run granian --interface asgi api.app:app --host 127.0.0.1 --port 8000 --reload

Offboarding Checklist

When someone leaves the project:

  • [ ] Remove IAM user / revoke SSO access
  • [ ] Remove from GitHub org/team
  • [ ] Rotate any shared secrets they had access to
  • [ ] Destroy their Neo4j tunnel bastion (neo4j-tunnel.sh destroy)
  • [ ] Remove Grafana account