Provisioning through Service Catalog is in Beta as of 2020-05-28.

The following provides instructions on how to log on to the AWS scipoolprod account using your Synapse credentials, and how to use the products provided in the AWS Service Catalog to set up or modify EC2 instances and S3 buckets.

...

AWS SSM allows direct access to private instances from your own computer terminal. To set up access with AWS SSM we need to create a special Synapse personal access token (PAT) that will work with the Sage Service Catalog. This is a special PAT that can only be created using this workflow; a PAT created from the Synapse personal token manager web page will NOT work.

  1. Request a Synapse PAT by opening https://sc.sageit.org/personalaccesstoken (you may need to log in to Synapse). If you have already created a PAT through this mechanism and are repeating the process, you must first visit the token management page in Synapse and delete the existing one with the same name.

  2. After logging into Synapse, a file containing the PAT, which is a long character string (i.e. eyJ0eXAiOiJ...Z8t9Eg), is returned to you. Save the file to your local machine, note the location where you saved it, then close the browser session.

Note: At this point you can verify that the PAT for the Service Catalog was successfully created by viewing the Synapse token management page. When the PAT expires you will need to repeat these steps to create a new PAT. The PAT should look something like this

...

SSM access to an Instance

...

  1. Install the AWS CLI version 2 (SSM access will not work with version 1.x)

  2. Install SSM session manager plugin

  3. Create a Synapse credentials script.

    Linux/Mac: synapse_creds.sh with the content below. Add the execute permission to the synapse_creds.sh file (i.e. chmod +x synapse_creds.sh)

    Code Block
    #!/usr/bin/env bash
    # Prints AWS STS credentials in the JSON shape the AWS CLI's
    # credential_process setting expects.
    set -euo pipefail

    # Inputs
    SC_ENDPOINT=$1   # i.e. https://sc.sageit.org
    SYNAPSE_PAT=$2   # The Synapse Personal Access Token

    # Endpoints
    STS_TOKEN_ENDPOINT="${SC_ENDPOINT}/ststoken"

    # Get Credentials. --location-trusted follows redirects AND re-sends the
    # Authorization header to the redirect target, so only point this at a
    # trusted endpoint. --fail makes curl exit non-zero on an HTTP error
    # instead of printing an error page that the AWS CLI cannot parse.
    AWS_STS_CREDS=$(curl --location-trusted --silent --fail \
      -H "Authorization: Bearer ${SYNAPSE_PAT}" "${STS_TOKEN_ENDPOINT}")

    echo "${AWS_STS_CREDS}"


    Windows: synapse_creds.bat with the content below.

    Code Block
    @ECHO OFF
    REM Prints AWS STS credentials in the JSON shape credential_process expects.

    REM Inputs
    REM %~1 The SC endpoint i.e. https://sc.sageit.org
    REM %~2 The Synapse Personal Access Token
    REM Use inputs to get credentials. "delims=" keeps the whole response line
    REM even if it contains spaces; --location-trusted re-sends the Authorization
    REM header to a redirect target, so only use a trusted endpoint.
    for /f "delims=" %%i in ('curl --location-trusted --silent --fail -H "Authorization: Bearer %~2" "%~1/ststoken"') do set AWS_STS_CREDS=%%i

    REM An empty variable would print "ECHO is off." instead of JSON, so fail explicitly.
    IF DEFINED AWS_STS_CREDS (ECHO %AWS_STS_CREDS%) ELSE (EXIT /B 1)

  4. Open the file containing the Synapse PAT and copy the long character string (i.e. eyJ0eXAiOiJ...Z8t9Eg).

  5. Add the following to your ~/.aws/config file, replacing <PERSONAL_ACCESS_TOKEN> with the PAT you saved and downloaded, and replacing /absolute/path/to/synapse_creds.sh with the location of your synapse_creds.sh or synapse_creds.bat file.

    Code Block
    # This file now holds a secret (the PAT); keep it readable only by you,
    # e.g. chmod 600 ~/.aws/config on Linux/Mac.
    [profile service-catalog]
    region=us-east-1
    credential_process = "/absolute/path/to/synapse_creds.sh" "https://sc.sageit.org" "<PERSONAL_ACCESS_TOKEN>"

  6. Go to the Service Catalog provisioned product page → click on your provisioned instance → get the instance ID.

  7. Run the SSM start-session command to access the instance. Note: Windows users should do this in Command Prompt. In the following example the ID from the previous step is i-0fd5c9ff0ef675ceb.

    Code Block
    ➜ aws ssm start-session --profile service-catalog \
                            --target i-0fd5c9ff0ef675ceb
    
    Starting session with SessionId: 3377358-0cab70190f97fcf78
    sh-4.2$

...

  • If you encounter errors try running the AWS start-session command with the --debug option.

  • If you use an invalid personal access token you will get an error similar to this

    Code Block
    ➜ aws ssm start-session --profile service-catalog \
                            --target i-0fd5c9ff0ef675ceb
    
    Expecting value: line 1 column 1 (char 0)

    To check whether your token is valid, run the following command:

    Code Block
    ➜ curl -I --location-trusted \
          -H "Authorization: Bearer ${SYNAPSE_PAT}" https://sc.sageit.org/ststoken

    If the HTTP response status is 2xx then the PAT is valid. If the PAT is invalid the response will be 4xx.

  • If you continue to get errors like Expecting value: line X column X (char X), your synapse_creds.sh script may be invalid. Verify the synapse_creds.sh script independently of the AWS command by executing just the script. A successful execution returns valid JSON and looks something like this

    Code Block
    ➜ ~/synapse_creds.sh "https://sc.sageit.org" "eyJ0eXAiO...2GLQg"
    {"SessionToken":"FwoGZXIvYXdzEN7//////////wEaDP2imuwAK+...13GnBrJc9SlOW6uY=","Version":1,"AccessKeyId":"XXXXXXX","SecretAccessKey":"XXXXXXXXXXXXXXXX","Expiration":"2021-07-21T22:02:17Z"}

  • Another problem could be that your ~/.aws/config file is invalid. For debugging we recommend backing up your current config file, creating a new one with just the service-catalog profile in it, and then re-running the start-session command.
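The credential_process contract in step 5 and the troubleshooting checks above are easiest to verify with a small validator. This is an added example, not part of the original page or of Sage's tooling: it runs the credentials script with the same arguments the AWS CLI would and checks that the output is the JSON the CLI expects (the "Expecting value: line 1 column 1 (char 0)" error is what the CLI raises on empty output). The file name check_creds.py and the sample JSON are constructed placeholders.

```python
import json
import subprocess
import sys
from datetime import datetime, timezone
# Keys the AWS CLI expects from a credential_process command; STS credentials always carry an Expiration.
REQUIRED = {"Version", "AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"}

def check_credential_output(raw, now=None):
    """Validate text printed by a credential_process script; returns (ok, message)."""
    if not raw.strip():
        # Empty output is exactly what makes the AWS CLI report
        # "Expecting value: line 1 column 1 (char 0)".
        return False, "script printed nothing (bad PAT, wrong endpoint or script not executable)"
    try:
        creds = json.loads(raw)
    except ValueError as exc:
        return False, f"output is not JSON ({exc}); probably an HTTP error page"
    if not isinstance(creds, dict):
        return False, "JSON output is not an object"
    missing = REQUIRED - set(creds)
    if missing:
        return False, f"missing keys: {sorted(missing)}"
    if creds["Version"] != 1:
        return False, f"unsupported Version {creds['Version']!r}, expected 1"
    try:
        expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, f"Expiration {creds['Expiration']!r} is not an ISO-8601 UTC timestamp"
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        return False, f"STS credentials expired at {creds['Expiration']}"
    return True, f"valid STS credentials, expire in {int((expires - now).total_seconds() // 60)} min"

def check_script(script, endpoint, pat):
    """Run the credentials script the way the AWS CLI would and validate its output."""
    proc = subprocess.run([script, endpoint, pat], capture_output=True, text=True)
    if proc.returncode != 0:
        return False, f"script exited {proc.returncode}: {proc.stderr.strip()}"
    return check_credential_output(proc.stdout)

# Constructed sample in the shape shown above; the secrets are placeholders.
SAMPLE_OK = ('{"SessionToken":"PLACEHOLDER","Version":1,"AccessKeyId":"PLACEHOLDER",'
             '"SecretAccessKey":"PLACEHOLDER","Expiration":"2021-07-21T22:02:17Z"}')
SAMPLE_NOW = datetime(2021, 7, 21, 21, 0, 0, tzinfo=timezone.utc)  # about an hour before expiry

if __name__ == "__main__":  # Usage: check_creds.py /path/synapse_creds.sh https://sc.sageit.org "$PAT"
    ok, msg = check_script(*sys.argv[1:]) if len(sys.argv) == 4 else check_credential_output(SAMPLE_OK, SAMPLE_NOW)
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Run without arguments it validates the constructed sample; with the script path, endpoint and PAT it exercises your real synapse_creds.sh and reports which part of the contract fails.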

...

  1. Setup profile for SSM access

  2. Run an application on the EC2 (i.e. docker run -p 80:80 httpd)

  3. To reach that app, an SC user can use the SSM port forwarding feature by running the AWS SSM CLI command

...

Using the update action allows you to change parameters or update to a new version of the product. WARNING: changes to configuration parameters usually result in the instance being recreated (“replaced”): any data saved on the instance is lost, and how Amazon will apply the update is difficult to predict. We recommend that you save any important data to S3, provision a new instance, and terminate the original.

Terminate

The terminate action deletes the instance permanently.

...