- Topic 0: Development Environment
-
Do NOT store AWS credentials in code repositories.
-
DO use the Cloud9 environment for all training work unless otherwise specified.
-
DO use the AWS documentation and user guides.
A reliable, repeatable process to create your development environment leads to a solution others can contribute to.
The following labs will prepare you to work through the Stelligent new hire training over the next 8 weeks. During the training you will be using AWS access keys for programmatic access to an AWS account, GitHub code repositories, and AWS Cloud9 for your development environment.
Add your AWS access key and secret key to your laptop. You will need to install the AWS CLI and then run some simple commands to confirm access using your keys:
Remember that the combination of an access key and a secret key are the same as user credentials and should not be given out or stored in a public location like a GitHub repository, nor should they be transmitted in an insecure manner like unencrypted email. Never commit credentials to a git repo.
- Enable MFA for your AWS account. With MFA enabled you will need to generate temporary credentials using your MFA device and STS. You can do this in a few ways. The first way would be to request the token from STS via the CLI.
aws sts get-session-token \
--serial-number arn:aws:iam::324320755747:mfa/USERNAME \
--token-code 123456` \
/This will return json containing the temporarily credentials.
"Credentials": {
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"SessionToken": "AQoDYXdzEJr...<remainder of security token>",
"Expiration": "2018-10-11T10:09:50Z",
"AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
}
}Using these temporary credentials you will need to edit your .aws/credentials
file and change the security configuration for the profile to be used.
[temp]
output = json
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoDYXdzEJr...<remainder of security token>Now set AWS_PROFILE to temp in your env, or set the --profile flag to temp when running awscli. You should be able to access any of the resources you're authorized to in the labs account. These tokens will last approximately 12 hours before needing to be reset using the process above.
- Create a script to automate the gathering and assigning of the temporary AWS MFA credentials from Option 1.
- Try to reduce the amount of manual input as much as possible.
See refresh_access_token.py
What method did you use to store the aws credentials? What are some other options?
I used the credentials file. Environment variables or aws vault is also available for workstations. Otherwise, there's roles that can be attached to instances.
Which AWS environment variable cannot be set in order to run the
aws sts get-session-token command?
The AWS_SESSION_TOKEN variable
If you would rather not have to manually get STS tokens and add them to your credentials file you can use aws-vault.
Configure the profile that you would like to use using this command:
aws-vault add MY_PROFILE
If you accidentally setup aws-vault with a password that you forgot,
you can remove its database (rm -rf Library/Keychains/aws-vault.keychain-db)
and start over.
To use aws-vault for temporary credential management is simple. You need to add
the arn of your mfa token to your profiles config in ~/.aws/config like so:
[profile MY_PROFILE]
output = json
region = us-east-1
mfa_serial = arn:aws:iam::324320755747:mfa/USERNAMENow you can execute any command using aws-vault. Example:
aws-vault exec MY_PROFILE -- aws s3 ls
You want to set an alias in your .bashrc or .zshrc to something like this:
alias aws-myprofile="aws-vault exec MY_PROFILE -- aws"
- Create a new repository from the Stelligent-U repository template
- Select the owner of the repository
- Name the new private repository
- Generate ssh keys and test access. Use this GitHub guide to get access and clone the private repo to your laptop.
AWS Cloud 9 is a resource to quickly re-create a stock development environment accessible from almost anywhere in a browser. You can use the Cloud9 environment to work on the remainder of the Stelligent-U labs, but it is not required.
Create a new Cloud 9 environment in the region of your preference
(ie: us-east-1) in the AWS account using the AWS user guide.
Be sure to note the different options when setting up the environment,
but use the default options for this lab. In Cloud9, run the same AWS
CLI commands as you did in lab 0.1.1:
list-bucketsdescribe-instances
Work with your GitHub repo in your Cloud9 development environment. Start at step 3 of this user guide to configure the Cloud9 instance to work with GitHub.
-
Install git in Cloud9.
-
Clone the repository to your Cloud9 environment. To gain access to the repository try using either token authentication or an SSH key.
Running the two commands in lab 0.1.1 and lab 0.1.3 should have shown the same results. What does this tell you about the access the keys give you on your laptop and the access you have in the Cloud9 environment? What other methods are there to provide this level of access without using keys?
The keys are created with the same level of access. I could also create a role with the same access as my user and apply it to the cloud 9 instance.
Configure Cloud9 to work with the programming language you will be using to complete the training work. In your Cloud9 Editor, perform the following:
- Please choose either Ruby, Python, Go or NodeJS
- Create a new branch off master
- In the 00-dev-environment directory, develop a small "hello world!" application in that language
- Add the files to your new branch, commit them, and push the branch up to your forked repository
- Create a pull request from your branch to the master branch within your forked repository and merge after reviewing