date | comment |
---|---|
2021/08/23 | Reviewed. No change. |
2017/12/01 | Created |
This page attempts to explain things in the Bridge server setup that are not covered in the README of the individual repos.
Repos:
Most things regarding a repo are explained in that repo's README file.
Bridge has two AWS accounts: a dev account (4207-8677-6710) and a prod account (6492-3225-0620). The purpose of having two accounts is to isolate our production environment. We deploy apps to the AWS dev account when code is committed to the develop and uat branches. When code is merged to the prod branch it is correspondingly deployed to the AWS prod account. We deploy the same code to both accounts, so the two accounts should be identical.
We have eliminated the Admins group; no user has admin privileges by default. Instead there is an Admin Role which trusted users are allowed to assume. See the CF template for the list of trusted users.
Every account with console access is required to set up MFA; otherwise it will not be able to view any AWS resources. The first thing to do when you are given an AWS account is to reset your password and set up MFA.
When you use the AWS CLI you must also authenticate with MFA. There are a few ways to go about this, but I've found that the awsmfa tool is probably the easiest way to get an aws_session_token. It's pretty straightforward: just install it and follow the instructions.
Add your identity profile to the ~/.aws/credentials file:

```ini
[default]
region = us-east-1

[bridge.prod.joe]
aws_access_key_id = ...
aws_secret_access_key = ...
```
Run awsmfa to obtain an aws_session_token:

```shell
awsmfa --identity-profile bridge.prod.joe --target-profile joe@bridgeprod --token $YOUR_MFA_CODE
```
This creates a new profile called joe@bridgeprod in the ~/.aws/credentials file that holds the aws_session_token.
You can now use the joe@bridgeprod profile for your aws commands, for example:

```shell
aws --profile joe@bridgeprod --region us-east-1 s3 ls s3://org.sagebridge.bridgepf.deploy/
```

or

```shell
awslogs get --profile joe@bridgeprod --aws-region us-east-1 /aws/elasticbeanstalk/bridgepf-develop/var/log/web-1.log ALL --start='1h ago' | grep -i 'ERROR'
```
For security reasons, changes to IAM are restricted even for power users. If you need to make IAM changes you will need to be vetted and then added to the trusted user list. Once you are a trusted user you will need to assume the Admin Role to make changes. Instructions for setting up the assumed role follow.
Set up the ~/.aws/config file:

```ini
[default]
region = us-east-1

[profile bridge.prod.admin]
role_arn = arn:aws:iam::649232250620:role/bridge-AWSIAMAdminRole-OPL793UBV57T
mfa_serial = arn:aws:iam::649232250620:mfa/joe@sagebase.org
source_profile = bridge.prod.joe
```
NOTE: source_profile must match the name of the identity profile in the ~/.aws/credentials file.
Now you can assume the admin role to do IAM work:

```shell
aws --profile bridge.prod.admin iam list-groups
```
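As an added example (not part of this wiki page, and not code from the awsmfa tool or the AWS CLI), the following Python script sanity-checks the two ini files described above before you try to assume the admin role: it confirms that every role profile in ~/.aws/config uses the `[profile NAME]` section form the CLI expects, points at a role in the expected account, sets an mfa_serial, and names a source_profile that actually exists in ~/.aws/credentials with a long-term key pair. The profile names, role ARN, MFA serial and account ids are taken from this page; the key values in the embedded sample files are constructed placeholders, and the `check_role_profiles` / `account_of` helper names are my own.

```python
"""Offline consistency check for the AWS CLI credentials/config pair used for
MFA + assume-role access to the Bridge prod account (added example)."""
import configparser
import re

# Account ids from the wiki page, with dashes removed to match the 12-digit
# form used inside ARNs.
BRIDGE_DEV_ACCOUNT = "4207-8677-6710".replace("-", "")
BRIDGE_PROD_ACCOUNT = "6492-3225-0620".replace("-", "")

# Constructed sample of ~/.aws/credentials after awsmfa has run: the long-term
# identity profile plus the temporary session profile awsmfa wrote. All key
# values are placeholders, not real credentials.
SAMPLE_CREDENTIALS = """
[default]
region = us-east-1

[bridge.prod.joe]
aws_access_key_id = AKIAPLACEHOLDER0000
aws_secret_access_key = placeholder/secret/key/not/real

[joe@bridgeprod]
aws_access_key_id = ASIAPLACEHOLDER0000
aws_secret_access_key = placeholder/secret/key/not/real
aws_session_token = placeholder-session-token
"""

# Constructed sample of ~/.aws/config, mirroring the assume-role profile on
# the wiki page (role ARN and MFA serial copied from the page).
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile bridge.prod.admin]
role_arn = arn:aws:iam::649232250620:role/bridge-AWSIAMAdminRole-OPL793UBV57T
mfa_serial = arn:aws:iam::649232250620:mfa/joe@sagebase.org
source_profile = bridge.prod.joe
"""

# IAM role and MFA-device ARNs both carry the 12-digit account id in the
# fifth colon-separated field.
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|mfa)/.+$")


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse AWS CLI ini text. Interpolation is disabled so that '%' in a
    secret key is not misread as a substitution."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def account_of(arn: str):
    """Return the account id embedded in an IAM role/MFA ARN, or None."""
    match = IAM_ARN_RE.match(arn)
    return match.group(1) if match else None


def check_role_profiles(credentials_text: str, config_text: str,
                        expected_account: str = BRIDGE_PROD_ACCOUNT) -> list:
    """Return a list of human-readable problems; an empty list means the
    assume-role profiles look consistent with the credentials file."""
    creds = load_ini(credentials_text)
    config = load_ini(config_text)
    problems = []
    for section in config.sections():
        entries = config[section]
        if "role_arn" not in entries:
            continue  # a plain profile has nothing to assume
        # In ~/.aws/config (unlike credentials) named profiles need the
        # "profile " prefix or the CLI will not find them.
        if section != "default" and not section.startswith("profile "):
            problems.append(f"[{section}]: must be written as [profile {section}] in ~/.aws/config")
        name = section[len("profile "):] if section.startswith("profile ") else section

        role_account = account_of(entries["role_arn"])
        if role_account is None:
            problems.append(f"{name}: role_arn is not an IAM role ARN")
        elif role_account != expected_account:
            problems.append(f"{name}: role is in account {role_account}, expected {expected_account}")

        if "mfa_serial" not in entries:
            problems.append(f"{name}: no mfa_serial set (the wiki setup expects one)")
        elif account_of(entries["mfa_serial"]) is None:
            problems.append(f"{name}: mfa_serial is not an IAM MFA device ARN")

        source = entries.get("source_profile")
        if source is None:
            problems.append(f"{name}: missing source_profile")
        elif source not in creds:
            problems.append(f"{name}: source_profile '{source}' is not defined in ~/.aws/credentials")
        elif not {"aws_access_key_id", "aws_secret_access_key"} <= set(creds[source]):
            problems.append(f"{name}: source_profile '{source}' has no access key pair")
    return problems


if __name__ == "__main__":
    for line in check_role_profiles(SAMPLE_CREDENTIALS, SAMPLE_CONFIG) or ["OK: config is consistent"]:
        print(line)
```

To check your real files, read `~/.aws/credentials` and `~/.aws/config` into strings and pass them to `check_role_profiles`; pass `BRIDGE_DEV_ACCOUNT` as `expected_account` when the profile targets the dev account.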
We have set up a service account for testing. It's called "bridgepf-develop-AWSIAMBridgepfLocalServiceUser-1DC352B9NX54V"; you can find its access key and secret key in LastPass.
We have set up a Travis service account for deployments. It's called "bootstrap-AWSIAMTravisUser-1WXNQ7I3FLHEI"; you can find its access key and secret key in LastPass.