AWS accounts
This is a guide to the AWS accounts Notify uses and what they are for.
gds-users is the main account for all GDS AWS users.
It's operated by Reliability Engineering. You will need to ask them to create an account for you here: https://gds-request-an-aws-account.cloudapps.digital/. Once created and set up, you'll also need to make sure your name is added to Notify's infrastructure here: https://github.com/alphagov/notifications-aws/blob/master/terraform/modules/main/modules/iam/variables.tf#L21-L47.
You should use this whenever you're working in the web interface.
Your gds-users user name will match your GDS email address. This user can assume any role (typically admin or readonly) on any of our AWS accounts.
The `gds-cli` tool is recommended to easily switch between environments/roles. See https://github.com/alphagov/gds-cli for installation. Once it's set up locally, you can use it to open a new tab logged in to your chosen AWS environment. For example:

- `gds aws notify-tools-admin -l` will log in to the tools AWS account with full admin privileges
- `gds aws notify-prod -l` will log in to production, with only read privileges so you can't accidentally delete stuff
Alternatively, you can sign in to gds-users at https://gds-users.signin.aws.amazon.com/console, and then go to the switch role screen https://signin.aws.amazon.com/switchrole, with:

- account being the environment you want to connect to (eg `notify-tools`, `notify-production`)
- role being either `admin` or `readonly`
Install `gds-cli` (see above), and then you can set environment variables by invoking:

```
eval $(gds aws notify-tools-admin -e)
```

See `gds aws --help` for a full list of accounts. Note that the production account is shortened to `notify-prod`.
notify-tools is one of the environments Notify uses. We all need additional accounts on this, because gds-users access keys don't work well with local development for a variety of reasons, including that they expire very quickly and don't work well with Celery 3.
This account has the AWS credentials that your local apps will use when you're running locally to connect to SES/SQS/S3.
- Create a user at https://github.com/alphagov/notifications-aws/blob/master/terraform/modules/local-development/variables.tf
- Apply the terraform change to notify-tools (https://github.com/alphagov/notifications-aws/blob/master/terraform/README.md)
- Log in to your main notify tools account (`gds aws notify-tools-admin -l`), navigate to IAM, then Users
- Find your new local development user
- Create an access key as above and save it to your local aws-vault secure keychain using `aws-vault add local-dev`
- Update your `~/.aws/config` file to tell AWS what value to retrieve from the aws-vault store as follows:

```
[profile local-dev]
credential_process = aws-vault exec --no-session --json local-dev
```

- Add `export AWS_PROFILE=local-dev` to your environment.sh file.
If you have trouble with the above steps, then you can try storing the key in plain text. This isn't recommended for security reasons. Follow the steps below:
Create an access key as above, but instead of storing it in your local secure keychain, you can save it in plaintext in the `~/.aws/credentials` file as follows:

```
[default]
aws_access_key_id=...
aws_secret_access_key=...
```
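As an added example (not part of the Notify docs or the notifications-aws repo), this shell function checks which of the two setups above a machine ended up with: it confirms the `local-dev` profile in `~/.aws/config` is backed by `credential_process` (the aws-vault route) and flags any long-lived `aws_secret_access_key` left in plaintext in `~/.aws/credentials` (the fallback). The function name, the temporary demo files and the key values in them are constructed for this example.

```shell
# check_aws_profile <profile> <config-file> <credentials-file>
# Returns 0 when the profile uses credential_process and no plaintext
# secret access key is present in the credentials file; 1 otherwise.
check_aws_profile() {
  profile="$1"; config="$2"; creds="$3"
  status=0

  # Find the "[profile <name>]" section and look for a credential_process
  # key inside it; the section ends at the next "[...]" header.
  if [ -f "$config" ] && awk -v p="[profile $profile]" '
      index($0, "[") == 1 { insec = ($0 == p) }
      insec && $1 == "credential_process" { found = 1 }
      END { exit found ? 0 : 1 }' "$config"; then
    echo "OK: profile '$profile' uses credential_process (aws-vault)"
  else
    echo "WARN: profile '$profile' has no credential_process in $config"
    status=1
  fi

  # A secret access key in the credentials file is a long-lived secret
  # stored in plaintext, which the steps above say to avoid.
  if [ -f "$creds" ] && grep -q '^[[:space:]]*aws_secret_access_key' "$creds"; then
    echo "WARN: plaintext aws_secret_access_key found in $creds"
    status=1
  fi
  return "$status"
}

# Demo on constructed files in a temporary directory (no real keys).
demo_dir=$(mktemp -d)
printf '[profile local-dev]\ncredential_process = aws-vault exec --no-session --json local-dev\n' > "$demo_dir/config"
printf '[default]\naws_access_key_id=AKIACONSTRUCTEDEXAMPLE\naws_secret_access_key=not-a-real-secret\n' > "$demo_dir/credentials"
check_aws_profile local-dev "$demo_dir/config" "$demo_dir/credentials" || echo "exit status 1: plaintext key should be moved into aws-vault"
rm -rf "$demo_dir"
```

Run it against your real files with `check_aws_profile local-dev ~/.aws/config ~/.aws/credentials`; a non-zero exit means the fallback setup is still in place.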