Provisioning through Service Catalog is in Beta as of 2020-05-28.
The following provides instructions on how to log on to the AWS scipoolprod account using your Synapse credentials, and how to use the products provided in the AWS Service Catalog to set up or modify EC2 instances and S3 buckets.
...
Note: Service Catalog products, discussed below, are owned by the Synapse account under which you log in. Once created, a product appears in the console only when you are logged in to that account, which is the only account able to update or remove it. Products like S3 buckets may have a life cycle beyond the project participation of any single person. To support such a case you may create and use a so-called service account in Synapse (i.e., an account meant for automation that may outlive one person’s commitment to a project). If so, then to meet regulatory requirements the credentials for the service account must be placed in a secure store whose access is limited and can be reviewed. Guidelines for Synapse service accounts are posted here: /wiki/spaces/IT/pages/1200816129.
Service Catalog Introduction
...
The AWS SSM allows direct access to private instances from your own computer terminal. To set up access with the AWS SSM we need to create a special Synapse personal access token (PAT) that will work with the Sage Service Catalog. This is a special PAT that can only be created using this workflow; creating a PAT from the Synapse personal token manager web page will NOT work.
Request a Synapse PAT by opening https://sc.sageit.org/personalaccesstoken (you may need to log in to Synapse). If you have already created a PAT through this mechanism and are repeating the process, you must first visit the token management page in Synapse and delete the existing one with the same name.
After logging into Synapse, a file containing the PAT, which is a long character string (e.g. eyJ0eXAiOiJ...Z8t9Eg), is returned to you. Save the file to your local machine, note where you saved it, and then close the browser session.
...
When running apps in the instance you may want to run the apps on specific ports. The AWS SSM allows you to expose those ports to your local computer using a technique called port forwarding. Here’s an example of how to enable port forwarding to an application.
Run an application on the EC2 instance (e.g. docker run -p 80:80 httpd):

```shell
[ec2-user@ip-10-49-26-50 ~]$ docker run -p 80:80 httpd
Unable to find image 'httpd:latest' locally
latest: Pulling from library/httpd
33847f680f63: Pull complete
d74938eee980: Pull complete
963cfdce5a0c: Pull complete
8d5a3cca778c: Pull complete
e06a573b193b: Pull complete
Digest: sha256:71a3a8e0572f18a6ce71b9bac7298d07e151e4a1b562d399779b86fef7cf580c
Status: Downloaded newer image for httpd:latest
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Thu Jul 22 23:54:12.106344 2021] [mpm_event:notice] [pid 1:tid 140706544895104] AH00489: Apache/2.4.48 (Unix) configured -- resuming normal operations
[Thu Jul 22 23:54:12.107307 2021] [core:notice] [pid 1:tid 140706544895104] AH00094: Command line: 'httpd -D FOREGROUND'
```

To provide access to that app, an SC user can use the port forwarding feature by running the AWS SSM CLI command:

```shell
aws ssm start-session --profile service-catalog \
  --target i-0fd5c9ff0ef675ceb \
  --document-name AWS-StartPortForwardingSession \
  --parameters '{"portNumber":["80"],"localPortNumber":["9090"]}'
```
Now you should be able to access that app on your local machine at
http://localhost:9090
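The start-session command above is easy to mistype (instance id, port order inside the JSON). The following is an added example, not part of this wiki page or the Sage Service Catalog tooling: a small POSIX shell wrapper that validates the instance id and both ports before anything is sent to AWS, and then runs the same command with the same service-catalog profile. It covers any remote port, including the RDP forward on 3389 used in the Windows section, and assumes the AWS CLI and the Session Manager plugin are installed.

```shell
#!/bin/sh
# Added example (not from the Sage wiki): wrapper around
#   aws ssm start-session ... --document-name AWS-StartPortForwardingSession
# that checks its inputs before any call reaches AWS. Assumes the AWS CLI,
# the Session Manager plugin and the "service-catalog" profile are set up.

# True if $1 has the shape of an EC2 instance id: "i-" plus 8 or 17 hex digits.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# True if $1 is a decimal TCP port in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the JSON expected by --parameters: remote (instance) port first,
# local port second. Getting these swapped is the usual mistake.
ssm_forward_params() {
  printf '{"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2"
}

# Usage: ssm_forward <instance-id> <remote-port> [local-port]
# Returns 2 without contacting AWS when an argument is malformed.
ssm_forward() {
  instance="$1"
  remote="$2"
  local_port="${3:-$2}"
  valid_instance_id "$instance" || { echo "bad instance id: $instance" >&2; return 2; }
  if ! valid_port "$remote" || ! valid_port "$local_port"; then
    echo "ports must be integers in 1..65535" >&2
    return 2
  fi
  # The plugin listens as your own user, so a privileged local port would
  # fail to bind; refuse it before a session is requested.
  if [ "$local_port" -lt 1024 ]; then
    echo "local port must be 1024 or higher" >&2
    return 2
  fi
  echo "forwarding localhost:$local_port -> $instance:$remote (Ctrl-C ends the session)" >&2
  aws ssm start-session --profile service-catalog \
    --target "$instance" \
    --document-name AWS-StartPortForwardingSession \
    --parameters "$(ssm_forward_params "$remote" "$local_port")"
}

# Stand-alone use, e.g.: sh ssm_forward.sh i-0fd5c9ff0ef675ceb 80 9090
if [ "$#" -ge 2 ]; then ssm_forward "$@"; fi
```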
Connecting to Windows Instances
...
Connecting to the Windows instance’s shell is similar to accessing a Linux instance’s shell. Just follow the instructions in SSM access to an Instance.
Connect to Windows desktop
...
Connect to the Windows shell.
Create a new user and add it to the “Administrators” group:

```powershell
$Password = ConvertTo-SecureString "P@ssW0rD!" -AsPlainText -Force
New-LocalUser "admin" -Password $Password
Add-LocalGroupMember -Group "Administrators" -Member "admin"
```

Follow the SSM access to applications instructions to set up port forwarding to Windows RDP (port 3389):

```shell
aws ssm start-session --profile service-catalog \
  --target i-0fd5c9ff0ef675ceb \
  --document-name AWS-StartPortForwardingSession \
  --parameters '{"portNumber":["3389"],"localPortNumber":["3389"]}'
```
Install the Microsoft Remote Desktop client on your computer.
Click “+” to add a new PC. In the “PC Name” field, enter “localhost”.
Log in with username “admin” and password "P@ssW0rD!"
...
Using the update action allows you to change parameters or update to a new version of the product. WARNING: changes to configuration parameters usually result in a recreation (“replacement”) of the instance; any data saved on the instance will be lost, and the exact effect of an update by Amazon is difficult to predict. We recommend that you save any important data to S3, provision a new instance and terminate the original.
Terminate
The terminate action deletes the instance permanently.
...
Sage internal users can authenticate through Jumpcloud and aws-saml as described here /wiki/spaces/IT/pages/405864455, then use an ARN constructed in this way: arn:aws:sts::<account_number>:assumed-role/<role_name>/<email_prefix>@sagebase.org. For example, if I authenticate as a “sandbox developer” and I am Jane Doe, the ARN looks like this: arn:aws:sts::563295687221:assumed-role/sandbox-developer/jane.doe@sagebase.org.
...
The final three screens of the wizard are the same as in Creating an EC2 Instance above.
Using an S3 Bucket
As with EC2 products, once provisioning is complete your S3 product will appear in the “Provisioned Products” list, showing status Available. Select “Provisioned Product Details” from the navigation panel on the left, and click on your product. A product that has a “Succeeded” event will have outputs that include a “BucketUrl” link. With the Synapse Bucket, you can also use one of the Synapse clients to push and pull data. In order to complete the setup of the Synapse Bucket, you must manually complete the final step of setting the S3 bucket as a Synapse upload location.
...
There is a short idle timeout on SSM sessions started in the browser by clicking on the EC2 ConnectionURI link as described above: the session ends if you don't actively use it for twelve minutes or more. The browser session is designed to allow quick access to EC2 instances. If you prefer longer sessions, we recommend that you set up command line SSM access to an instance.
Frequently Asked Questions
...