# AWS accounts

From the alphagov/notifications-manuals GitHub wiki.
This is a guide to the AWS accounts Notify uses and what they are for.
👉 Request a gds-users account from Reliability Engineering.

`gds-users` is the main account for all GDS AWS users. A user in this account can assume any role (typically `admin` or `readonly`) on any of our AWS accounts.
- Add the new user to our account-wide Terraform repo, in the `tfvars` file for each environment they need access to. See this PR for an example of granting a user permission to assume the `admin` role in our dev environments.
- Get someone to apply the Terraform changes (this repo is not deployed using Concourse, so the Terraform will need to be applied manually).
The `gds-cli` tool is recommended for switching easily between environments and roles.

👉 See https://github.com/alphagov/gds-cli for installation.

Once it's set up locally, you can use it to open a new tab logged in to your chosen AWS environment. For example:

- `gds aws notify-tools-admin -l` will log in to the tools account
- `gds aws notify-prod -l` will log in to production (read only)
## Manually switch roles in the AWS web console

Alternatively, you can sign in to gds-users at https://gds-users.signin.aws.amazon.com/console, then go to the switch role screen at https://signin.aws.amazon.com/switchrole, with:

- account being the environment you want to connect to (e.g. `notify-tools`, `notify-production`)
- role being either `admin` or `readonly`
You can also use GDS CLI to run local commands like Terraform and the AWS CLI in the context of a particular account:

```sh
gds aws notify-tools-admin -- terraform plan
gds aws notify-tools-admin -- aws s3 ls
```
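Because `gds aws <env> -- <cmd>` runs whatever follows the `--` with the credentials of the chosen account, a wrong environment name means a `terraform plan` or `apply` against the wrong account. The script below is an added example, not part of the Notify wiki or of gds-cli: it reads the JSON printed by `aws sts get-caller-identity` and refuses to run the command unless the session is an assumed-role session for the expected role in the expected account. The function names (`caller_arn`, `identity_matches`, `run_in_account`), the sample identity and the account number `111111111111` are all constructed for this example.

```shell
#!/bin/sh
# Added example (not the Notify project's own tooling). In real use the JSON
# below comes from "$(aws sts get-caller-identity)"; a constructed sample is
# embedded so the script runs offline. Account 111111111111 is a placeholder.

SAMPLE_IDENTITY='{
    "UserId": "AROAEXAMPLEID:alice",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/admin/alice"
}'

# Pull the "Arn" value out of get-caller-identity output without needing jq.
caller_arn() {
  printf '%s\n' "$1" | sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed only if the ARN is an assumed-role session for EXPECTED_ROLE in
# EXPECTED_ACCOUNT. A plain IAM user ARN, another account or another role fails.
identity_matches() {
  json=$1; expected_account=$2; expected_role=$3
  arn=$(caller_arn "$json")
  case "$arn" in
    "arn:aws:sts::${expected_account}:assumed-role/${expected_role}/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run COMMAND... only when the identity check passes; otherwise explain why
# on stderr and return 1 so a calling script (or `set -e`) stops here.
run_in_account() {
  json=$1; account=$2; role=$3; shift 3
  if identity_matches "$json" "$account" "$role"; then
    "$@"
  else
    printf 'refusing to run: identity %s is not role %s in account %s\n' \
      "$(caller_arn "$json")" "$role" "$account" >&2
    return 1
  fi
}

# Stand-alone demo. In real use replace SAMPLE_IDENTITY with
# "$(aws sts get-caller-identity)" and `echo ...` with e.g. `terraform plan`.
run_in_account "$SAMPLE_IDENTITY" 111111111111 admin echo "identity check passed, running command"
```

The check deliberately matches on the `assumed-role/<role>/` prefix rather than on the account number alone: the same gds-users principal can assume `admin` or `readonly` in the same account, and a plan intended for `readonly` should not silently run with `admin`.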
The `gds-cli` tool is required to set up AWS MFA with a Yubikey.

👉 See https://github.com/alphagov/notifications-manuals/wiki/Yubikeys#Set-up-AWS-MFA for setup.
`notify-tools` is the environment your local apps use when you're running them locally to connect to SES/SQS/S3. You have a distinct IAM user in this environment because normal, temporary access keys don't work well with local development.

1. Log in to your main Notify tools account:

   ```sh
   gds aws notify-tools-admin -l
   ```

2. Navigate to IAM, then Users.
3. Find your new local development user.
4. Create an access key as above and save it to `~/.aws/credentials`:

   ```ini
   [default]
   aws_access_key_id=...
   aws_secret_access_key=...
   ```

5. Test it works by running `aws configure get aws_access_key_id`.
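The long-lived key saved in `~/.aws/credentials` is the one credential in this setup that is not temporary, so it is worth checking both that the file is complete and that it is not readable by other users on the machine. The script below is an added example, not part of the Notify wiki: it parses the INI-style credentials file for a named profile, confirms both keys are present, and fails if the file is group- or world-readable. The function names (`credential_value`, `profile_complete`, `file_private`, `check_credentials`) and the placeholder key values are constructed for this example.

```shell
#!/bin/sh
# Added example (not the Notify project's own tooling). Checks a credentials
# file of the form written in the steps above. A constructed sample file with
# placeholder values is written to a temp directory so this runs offline.

# Write a constructed sample credentials file: one complete profile and one
# missing its secret key. The values are placeholders, not real keys.
write_sample_credentials() {
  cat > "$1" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = examplesecretplaceholder

[notify-local-incomplete]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER2
EOF
  chmod 600 "$1"
}

# Print the value of KEY inside [PROFILE] from an INI-style credentials file.
# Accepts both "key=value" and "key = value", as the AWS CLI does.
credential_value() {
  file=$1; profile=$2; key=$3
  awk -v p="[$profile]" -v k="$key" '
    /^\[/ { line = $0; sub(/[[:space:]]+$/, "", line); in_section = (line == p); next }
    in_section && $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }' "$file"
}

# Return 0 if PROFILE has both an access key id and a secret key, 1 otherwise.
profile_complete() {
  id=$(credential_value "$1" "$2" aws_access_key_id)
  secret=$(credential_value "$1" "$2" aws_secret_access_key)
  [ -n "$id" ] && [ -n "$secret" ]
}

# Return 0 if the file is readable by its owner only (no group/other read bit).
file_private() {
  [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Combined check with a message for each failure; returns 1 if any check fails.
check_credentials() {
  file=$1; profile=${2:-default}; status=0
  if [ ! -f "$file" ]; then
    echo "missing credentials file: $file" >&2
    return 1
  fi
  profile_complete "$file" "$profile" || {
    echo "profile [$profile] in $file is missing a key" >&2; status=1; }
  file_private "$file" || {
    echo "$file is readable by other users; run: chmod 600 $file" >&2; status=1; }
  return $status
}

# Stand-alone demo against the constructed sample. For the real file, run:
#   check_credentials "$HOME/.aws/credentials" default
demo_dir=$(mktemp -d)
write_sample_credentials "$demo_dir/credentials"
check_credentials "$demo_dir/credentials" default && echo "default profile OK"
rm -rf "$demo_dir"
```

Run `check_credentials "$HOME/.aws/credentials" default` after step 4; it complements `aws configure get aws_access_key_id`, which only confirms the CLI can read the id and says nothing about the secret key or the file's permissions.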