# AWS accounts
This is a guide to the AWS accounts Notify uses and what they are for.
`gds-users` is the main account for all GDS AWS users.

It's operated by Reliability Engineering. You will need to ask them to create an account for you here: https://gds-request-an-aws-account.cloudapps.digital/. Once created and set up, you'll also need to make sure your name is added to Notify's infrastructure here: https://github.com/alphagov/notifications-aws/blob/master/terraform/modules/main/modules/iam/variables.tf#L21-L47.

You should use this whenever you're working in the web interface.

Your `gds-users` user name will match your GDS email address. This user can assume any role (typically `admin` or `readonly`) on any of our AWS accounts.
The `gds-cli` tool is recommended to easily switch between environments/roles. See https://github.com/alphagov/gds-cli for installation. Once it's set up locally, you can use it to open a new tab logged in to your chosen AWS environment. For example:

- `gds aws notify-tools-admin -l` will log in to the tools AWS account with full admin privileges
- `gds aws notify-prod -l` will log in to production, with only read privileges so you can't accidentally delete stuff
Alternatively, you can sign in to `gds-users` at https://gds-users.signin.aws.amazon.com/console, and then go to the switch role screen https://signin.aws.amazon.com/switchrole, with:

- account being the environment you want to connect to (eg `notify-tools`, `notify-production`)
- role being either `admin` or `readonly`
Install `gds-cli` (see above), and then you can set environment variables by invoking:

```
eval $(gds aws notify-tools-admin -e)
```

See `gds aws --help` for a full list of accounts. Note that the production account is shortened to `notify-prod`.
`notify-tools` is one of the environments Notify uses. We all need additional accounts on this, because `gds-users` access keys don't work well with local development for a variety of reasons, including that they expire very quickly and don't work well with Celery 3.
This account has the AWS credentials that you:

- save in your `~/.aws/credentials` file that is used for most of the apps
- use when you're running locally to connect to SES/SQS/S3
- Create a user at https://github.com/alphagov/notifications-aws/blob/master/terraform/modules/local-development/variables.tf
- Apply the terraform change to `notify-tools` (https://github.com/alphagov/notifications-aws/blob/master/terraform/README.md)
- Log in to your main notify tools account (`gds aws notify-tools-admin -l`), navigate to IAM, then Users
- Find your new local development user
- Create an access key and save it to `~/.aws/credentials` as follows

```
[default]
aws_access_key_id=...
aws_secret_access_key=...
```
If you don't wish to save your access keys in plain text on your local drive, you can do the following steps instead of that last bullet point:
- Create an access key as above and save it to your local aws-vault secure keychain using `aws-vault add local-dev`
- add `export AWS_PROFILE=local-dev` to your environment.sh
- add `aws-vault exec local-dev --no-session` to your environment.sh file in appropriate folders
- update your `~/.aws/config` file so it contains

```
[profile local-dev]
credential_process = aws-vault exec --no-session --json local-dev
```
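As an added example (not part of the Notify documentation or tooling), a small POSIX shell check that tells you whether a local setup follows the aws-vault pattern above: a `credential_process` line under `[profile local-dev]` in the config, and no plaintext `aws_secret_access_key` left behind in the credentials file. File paths are passed as arguments so it runs here against constructed sample files; the function names are my own.

```shell
#!/bin/sh
# Added example: audit a local AWS credential setup for the aws-vault pattern.
# Not Notify's code; paths are arguments so it can run on constructed files.

# has_plaintext_keys FILE -> success if FILE contains an aws_secret_access_key line
has_plaintext_keys() {
    [ -f "$1" ] && grep -q '^[[:space:]]*aws_secret_access_key[[:space:]]*=' "$1"
}

# profile_uses_vault CONFIG PROFILE -> success if the [profile PROFILE] stanza
# has a credential_process line that delegates to "aws-vault exec"
profile_uses_vault() {
    cfg=$1 profile=$2
    [ -f "$cfg" ] || return 1
    # print only the body of the requested stanza, stopping at the next [section]
    awk -v p="[profile $profile]" '
        $0 == p { in_p = 1; next }
        /^\[/   { in_p = 0 }
        in_p    { print }
    ' "$cfg" | grep -q '^[[:space:]]*credential_process[[:space:]]*=.*aws-vault exec'
}

# audit_aws_setup CREDENTIALS CONFIG PROFILE -> prints findings; returns 0 only
# when the profile is vault-backed and no plaintext secret is stored
audit_aws_setup() {
    rc=0
    if has_plaintext_keys "$1"; then
        echo "WARN: plaintext aws_secret_access_key found in $1"
        rc=1
    fi
    if profile_uses_vault "$2" "$3"; then
        echo "OK: [profile $3] in $2 delegates to aws-vault"
    else
        echo "WARN: [profile $3] in $2 has no aws-vault credential_process"
        rc=1
    fi
    return $rc
}

# Constructed sample files (placeholder key values) showing both outcomes
tmp=$(mktemp -d)
printf '[default]\naws_access_key_id=AKIAEXAMPLE\naws_secret_access_key=EXAMPLEKEY\n' > "$tmp/creds_plain"
: > "$tmp/creds_empty"
printf '[profile local-dev]\ncredential_process = aws-vault exec --no-session --json local-dev\n' > "$tmp/config_vault"

audit_aws_setup "$tmp/creds_plain" "$tmp/config_vault" local-dev || echo "-> not compliant"
audit_aws_setup "$tmp/creds_empty" "$tmp/config_vault" local-dev && echo "-> compliant"
```

Run it against your real files with `audit_aws_setup ~/.aws/credentials ~/.aws/config local-dev` once the steps above are done.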