AWS accounts - alphagov/notifications-manuals GitHub Wiki

AWS accounts

This is a guide to the AWS accounts Notify uses and what they are for.

Getting started

Create a gds-users account

👉 Request a gds-users account from Reliability Engineering.

gds-users is the main account for all GDS AWS users. This user can assume any role (typically admin or readonly) on any of our AWS accounts.

Get access to Notify infra

Add the new user to our account-wide Terraform repo, in the tfvars file for each environment they need access to. See this PR for an example of granting a user permission to assume the admin role in our dev environments.

⚠️ Users should not be added to the production environment until they have security clearance.

Get someone to apply the Terraform changes (this repo is not deployed using Concourse, so the Terraform will need to be manually applied).

Install and test the GDS CLI

The gds-cli tool is recommended to easily switch between environments/roles.

👉 See https://github.com/alphagov/gds-cli for installation.

Once it's set up locally, you can use it to open a new tab logged in to your chosen aws environment. For example:

  • gds aws notify-tools-admin -l will log in to the tools account
  • gds aws notify-prod -l will log in to production (read only)

You can also use GDS CLI to run local commands like Terraform and the AWS CLI, in the context of a particular account:

gds aws notify-tools-admin -- terraform plan
gds aws notify-tools-admin -- aws s3 ls

Manually switch roles in the AWS Web Console

Alternatively, you can sign in to gds-users at https://gds-users.signin.aws.amazon.com/console, and then go to the switch role screen https://signin.aws.amazon.com/switchrole, with:

  • account being the environment you want to connect to (eg notify-tools, notify-production)
  • role being either admin or readonly

Set up AWS MFA

The gds-cli tool is required to set up AWS MFA with a YubiKey.

👉 See https://github.com/alphagov/notifications-manuals/wiki/Yubikeys#Set-up-AWS-MFA for setup.

Set up local development

notify-tools is the account your local apps use when you're running locally to connect to SES, SQS and S3. You get a distinct IAM user in this account because the temporary credentials you get from assuming a role expire after a short time and don't work well with long-running local development. The access key for that user is long-lived, so treat it accordingly: keep it only in ~/.aws/credentials with owner-only permissions, and never commit it to a repository.

  • Log in to your main Notify tools account: gds aws notify-tools-admin -l

  • Navigate to IAM, then Users

  • Find your new local development user.

  • Create an access key as above and save it to ~/.aws/credentials

    [default]
    aws_access_key_id=...
    aws_secret_access_key=...
  • Check the key has been picked up by running aws configure get aws_access_key_id, then confirm AWS actually accepts it by running aws sts get-caller-identity, which should return the ARN of your local development user
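The steps above leave a long-lived IAM user key on your laptop, so it is worth checking the file you just wrote before moving on. The script below is an added example and is not part of the Notify tooling or the gds-cli; it assumes the standard INI layout of ~/.aws/credentials and the documented AWS key-id prefixes (AKIA for long-lived IAM user keys, ASIA for temporary STS keys). It verifies that the file is readable only by you, that the chosen profile carries both values, and that the key id is a long-lived one rather than an expiring STS key pasted in by mistake.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a local AWS credentials file for the
# long-lived local-development user. Not part of Notify's tooling.
#
# Checks performed:
#   1. the file exists and is mode 0600 (owner read/write only)
#   2. the requested profile has aws_access_key_id and aws_secret_access_key
#   3. the key id has the AKIA prefix of a long-lived IAM user key;
#      ASIA-prefixed keys are temporary STS keys and will expire.
#
# Usage: check_aws_credentials [path] [profile]
#   defaults: ~/.aws/credentials and "default"

check_aws_credentials() {
  local file="${1:-$HOME/.aws/credentials}"
  local profile="${2:-default}"

  [ -f "$file" ] || { echo "missing credentials file: $file" >&2; return 1; }

  # Permission check. GNU stat uses -c, BSD/macOS stat uses -f.
  local mode
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  if [ "$mode" != "600" ]; then
    echo "$file has mode $mode; long-lived keys should be 600" >&2
    return 2
  fi

  # Pull out just the lines belonging to [profile] from the INI-style file.
  local section
  section=$(awk -v p="[$profile]" '
    { line=$0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", line) }
    line == p   { found=1; next }
    line ~ /^\[/ { found=0 }
    found       { print }' "$file")

  # Value after the first "=" on the matching line, whitespace trimmed.
  local key_id secret
  key_id=$(printf '%s\n' "$section" | awk '
    /^[[:space:]]*aws_access_key_id[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }')
  secret=$(printf '%s\n' "$section" | awk '
    /^[[:space:]]*aws_secret_access_key[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }')

  [ -n "$key_id" ] || { echo "no aws_access_key_id in [$profile]" >&2; return 3; }
  [ -n "$secret" ] || { echo "no aws_secret_access_key in [$profile]" >&2; return 4; }

  case "$key_id" in
    AKIA*) ;;                       # long-lived IAM user key: what we want here
    ASIA*) echo "$key_id is a temporary STS key and will expire" >&2; return 5 ;;
    *)     echo "unexpected access key id format: $key_id" >&2; return 6 ;;
  esac

  echo "ok: [$profile] in $file looks like a long-lived IAM user key"
  return 0
}

# Run directly (not sourced): check the default file and profile.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  check_aws_credentials "$@"
fi
```

Run it as a script after step 4, or source it and call check_aws_credentials with a different path or profile name. A non-zero exit code tells you which check failed; a passing file is still only a locally plausible key, so follow it with aws sts get-caller-identity to prove AWS accepts it.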
