AWS accounts
This is a guide to the AWS accounts Notify uses and what they are for.
gds-users is the main account for all GDS AWS users.
It's operated by Reliability Engineering. You will need to ask them to create an account for you here: https://gds-request-an-aws-account.cloudapps.digital/. Once it is created and set up, you'll also need to make sure your name is added to Notify's infrastructure here: https://github.com/alphagov/notifications-aws/blob/master/terraform/modules/main/modules/iam/variables.tf#L21-L47.
You should use this whenever you're working in the web interface.
Your gds-users user name will match your GDS email address. This user can assume any role (typically admin or readonly) on any of our AWS accounts.
notify-tools is one of the environments Notify uses. We all need additional accounts on this, because gds-users access keys don't work well with local development for a variety of reasons, including that they expire very quickly and don't work well with Celery 3.
You can choose your own notify-tools username. Set it here: https://github.com/alphagov/notifications-aws/blob/master/terraform/notify-tools/main.tf#L80-L88
This account has the AWS credentials that you:
- have in the `environment.sh` or `~/.aws/credentials` file for most of the apps
- use when you're running locally to connect to ses/sqs/s3
The `gds-cli` tool is recommended for switching easily between environments/roles. See https://github.com/alphagov/gds-cli for installation. Once it's set up locally, you can use it to open a new browser tab logged in to your chosen AWS environment. For example:
- `gds aws notify-tools-admin -l` will log in to the tools AWS account with full admin privileges
- `gds aws notify-prod -l` will log in to production with only read privileges, so you can't accidentally delete stuff
Alternatively, you can sign in to gds-users at https://gds-users.signin.aws.amazon.com/console, and then go to the switch role screen https://signin.aws.amazon.com/switchrole, with:
- account being the environment you want to connect to (e.g. `notify-tools`, `notify-production`)
- role being either `admin` or `readonly`
Install `gds-cli` (see above), and then you can set environment variables by invoking:
eval $(gds aws notify-tools-admin -e)
See `gds aws --help` for a full list of accounts. Note that the production account is shortened to `notify-prod`.
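
After the `eval $(gds aws ... -e)` step it is easy to lose track of which credentials a shell is holding. The helper below is an added example, not part of gds-cli or the Notify repositories; it reports whether the exported key is long-lived or temporary and which role the caller ARN names. It assumes the credentials are exported in the standard `AWS_ACCESS_KEY_ID` variable and that the AWS CLI is installed; the function names, account ID and session name are hypothetical.

```shell
#!/bin/sh
# Added example: not part of gds-cli or the Notify repositories.

# Classify an access key ID by prefix: AKIA is a long-lived IAM user key,
# ASIA is a temporary STS key issued when a role is assumed.
key_kind() {
  case "$1" in
    AKIA*) echo long-lived ;;
    ASIA*) echo temporary ;;
    "")    echo none ;;
    *)     echo unknown ;;
  esac
}

# Pull the role name out of a caller ARN as printed by
#   aws sts get-caller-identity --query Arn --output text
# Assumed roles: arn:aws:sts::<account-id>:assumed-role/<role>/<session>
arn_role() {
  case "$1" in
    arn:aws:sts::*:assumed-role/*/*)
      rest=${1#*:assumed-role/}   # "<role>/<session>"
      echo "${rest%%/*}" ;;
    arn:aws:iam::*:user/*) echo user ;;
    *) echo unknown ;;
  esac
}

# Summarise the credentials exported in this shell. Pass an ARN as $1 to skip
# the STS call (done below with a constructed ARN so the sample runs offline).
creds_summary() {
  arn=${1:-$(aws sts get-caller-identity --query Arn --output text 2>/dev/null)}
  echo "key=$(key_kind "${AWS_ACCESS_KEY_ID:-}") role=$(arn_role "$arn")"
}

# Constructed sample: account ID and session name are placeholders.
creds_summary "arn:aws:sts::123456789012:assumed-role/readonly/constructed-session"
```

Run `creds_summary` with no argument in a real session to query STS; a script that deletes or modifies resources can check the reported role before it proceeds.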