
AWS IAM setup

Overview

At the time of writing we have four AWS accounts, one per environment (Prod, Sandbox, UAT, Dev). For ease of maintenance, each developer has only one login to our accounts, in the production account. We then use IAM roles to switch into the other, non-prod, environments.

This setup means a user with prod access can assume a role in any of the other environments, which gives them admin access there. This is not a concern, as those are test environments, and inside prod we can still restrict a user's access when needed.

Prerequisites

You will need a login to our AWS production account. Contact someone on the Backend team to get one. On first login you will be prompted to change your password; we recommend using a generated password from a password manager such as LastPass.

AWS CLI installation

You will need the AWS CLI installed. Follow the instructions at the AWS link, or install it with Homebrew. Confirm the installation succeeded by running aws --version

AWS Console: Enabling AWS cross-account switching

Once you have your IAM credentials, follow the steps below to configure your account and get set up.

Prod:

Dev:

  • Once logged in, paste this URL (https://signin.aws.amazon.com/switchrole?roleName=ProdInbound-Dev-Admin&account=hctr-development) into your browser. The account and role should be pre-filled.
  • Set the Display name to whatever you want to see when switching to the account, and while you are in it, e.g. dev.
  • Pick a Color (I choose a different colour per environment so it is obvious which account I am in).
  • You should now be in the dev account. To go back to prod, click the dropdown at the top right and click Switch back.

UAT:

SANDBOX:

You should now be able to switch between the different AWS environments.

AWS CLI

The AWS CLI allows you to talk to AWS from your machine using access credentials that you create. These credentials are needed when running the platform locally, for any AWS SDK interactions. It is also common, and sometimes easier, to interact with AWS via the CLI rather than the console. The docs are worth checking out.

We will generate IAM access credentials for our AWS account, and then configure that profile with the CLI. We will then enable CLI access to the other accounts by assuming the same IAM roles listed above.

Prod:

  • Login to the AWS console, and navigate to the IAM service, and then click on the Users section on the left.
  • Click on your user, then click on the Security credentials tab.
  • Click Create access key. Download your credentials temporarily (delete the file once setup is complete).
  • Next, configure your profile. Run the command below and enter your access key ID and secret access key when prompted. Set the region to eu-west-2.
aws configure

Open your AWS credentials file (open ~/.aws/credentials) and change [default] to [platform.prod] or similar. This means you have no AWS profile set by default, which prevents you accidentally making unexpected changes to the wrong account. Your file should look like this (replace the placeholder values with your own; the # line is just an annotation):

# your access key id and secret access key from the step above
[platform.prod]
aws_access_key_id = XXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXX

Now open your AWS config file (open ~/.aws/config). Again, change [default] to [profile platform.prod] or similar. Also set cli_pager to an empty string so that responses are not paged. Your config file should now look like this.

[profile platform.prod]
region = eu-west-2
cli_pager=

To test this, set your profile to platform.prod. The profile can be passed as a --profile argument to any CLI call, or, to set it for the duration of your shell, exported as an environment variable: export AWS_PROFILE=platform.prod. Run one of the commands below to test.

aws --profile platform.prod sts get-caller-identity

or

export AWS_PROFILE=platform.prod
aws sts get-caller-identity

You should get a response containing your User, and the account ID you are logged into.

Other accounts:

  • Open your AWS credentials file (open ~/.aws/credentials).
  • Create a profile for each of the other environments, specifying the role to assume that gives access to that environment, and set source_profile to the platform.prod profile you configured in the previous step (the role is assumed using those credentials).
  • Your credentials file should then look like this.

[platform.dev]
role_arn = arn:aws:iam::527132486578:role/ProdInbound-Dev-Admin
source_profile = platform.prod

[platform.uat]
role_arn = arn:aws:iam::799768935029:role/ProdInbound-Uat-Admin
source_profile = platform.prod

[platform.sandbox]
role_arn = arn:aws:iam::243141407755:role/ProdInbound-Sandbox-Admin
source_profile = platform.prod

# your access key id and secret access key from the step above
[platform.prod]
aws_access_key_id = XXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXX

Lastly, add an entry in the config file for each profile, setting the region. The file should look like this.

[profile platform.dev]
region = eu-west-2
cli_pager=

[profile platform.uat]
region = eu-west-2
cli_pager=

[profile platform.sandbox]
region = eu-west-2
cli_pager=

[profile platform.prod]
region = eu-west-2
cli_pager=

You can then switch profiles and confirm by running the same command against a different environment. The Account in the response should be the account ID from that profile's role_arn, and the Arn should show the assumed role.

aws --profile platform.dev sts get-caller-identity
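As an added example (not part of the original page, and not a tool the Backend team ships), the script below checks a credentials file laid out as described above without touching AWS: it confirms there is no [default] profile, that every role profile chains through source_profile to a profile that actually holds an access key, and that a get-caller-identity response belongs to the account named in a profile's role_arn. The ini helpers are the example's own, and both the sample credentials file and the sample identity response are constructed here; point check_credentials at ~/.aws/credentials to run it on your own setup.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Offline sanity checks for an
# AWS credentials file in the layout the doc describes. The sample file and
# the sample `sts get-caller-identity` response below are constructed so the
# script runs without AWS access.
set -u

# Constructed sample credentials file (role_arn values as listed in the doc).
SAMPLE_CREDS='[platform.dev]
role_arn = arn:aws:iam::527132486578:role/ProdInbound-Dev-Admin
source_profile = platform.prod

[platform.uat]
role_arn = arn:aws:iam::799768935029:role/ProdInbound-Uat-Admin
source_profile = platform.prod

[platform.sandbox]
role_arn = arn:aws:iam::243141407755:role/ProdInbound-Sandbox-Admin
source_profile = platform.prod

[platform.prod]
aws_access_key_id = XXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXX
'

# Constructed response, shaped like `aws --profile platform.dev sts get-caller-identity`.
SAMPLE_IDENTITY='{
    "UserId": "AROAEXAMPLEID:botocore-session-1700000000",
    "Account": "527132486578",
    "Arn": "arn:aws:sts::527132486578:assumed-role/ProdInbound-Dev-Admin/botocore-session-1700000000"
}'

# Print the section names of an ini-style file read from stdin.
ini_sections() { sed -n 's/^\[\(.*\)\]$/\1/p'; }

# Print the value of KEY in section SECTION of FILE (nothing if absent).
ini_get() { # usage: ini_get FILE SECTION KEY
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $1 == key { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# The 12-digit account id is the fifth colon-separated field of an ARN.
account_from_arn() { printf '%s\n' "$1" | cut -d: -f5; }

# Check the layout the doc asks for: no [default] profile (so no account is
# used implicitly), and every role profile chains via source_profile to a
# profile that holds an access key. Exit status 0 means everything passed.
check_credentials() { # usage: check_credentials FILE
  local file=$1 status=0 sec role src
  if grep -q '^\[default\]$' "$file"; then
    echo "FAIL: [default] profile present; rename it to a named profile"
    status=1
  fi
  for sec in $(ini_sections < "$file"); do
    role=$(ini_get "$file" "$sec" role_arn)
    [ -n "$role" ] || continue
    src=$(ini_get "$file" "$sec" source_profile)
    if [ -z "$src" ]; then
      echo "FAIL: $sec has role_arn but no source_profile"; status=1; continue
    fi
    if [ -z "$(ini_get "$file" "$src" aws_access_key_id)" ]; then
      echo "FAIL: $sec chains to $src, which has no aws_access_key_id"; status=1; continue
    fi
    echo "ok:   $sec assumes account $(account_from_arn "$role") via $src"
  done
  return $status
}

# Confirm a get-caller-identity response landed in the account that the
# profile's role_arn points at (the same thing the manual check looks for).
identity_matches() { # usage: identity_matches FILE PROFILE JSON
  local expected actual
  expected=$(account_from_arn "$(ini_get "$1" "$2" role_arn)")
  actual=$(printf '%s\n' "$3" | sed -n 's/.*"Account": *"\([0-9]*\)".*/\1/p')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Run both checks against the constructed sample.
demo() {
  local tmp rc
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_CREDS" > "$tmp"
  check_credentials "$tmp" && identity_matches "$tmp" platform.dev "$SAMPLE_IDENTITY" \
    && echo "platform.dev identity is in the account its role_arn names"
  rc=$?
  rm -f "$tmp"
  return $rc
}
demo
```

To use it on a real setup, replace the constructed file with `check_credentials ~/.aws/credentials`, and feed the real output of `aws --profile platform.dev sts get-caller-identity` to identity_matches. A mismatch there usually means the profile name or role_arn was mistyped, or that AWS_PROFILE is still pointing at another environment from an earlier export.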

Finally, when running the app locally, you just need to make sure your dev profile is set.

export AWS_PROFILE=platform.dev
# then run the app

If you have installed the zsh aws plugin, you can switch into an environment with:

asp <profile>
e.g.
asp platform.uat

Suggestions

  • zsh aws plugin: if you use zsh, I recommend this plugin for managing your AWS profiles and switching between them.
  • Fig terminal has very good autocomplete support for the AWS CLI, which makes it easier to use and interact with AWS.