Monday, 14 April 2014

Log into the AWS console with an IAM user

This is another in a series of videos that I am producing for my YouTube channel HowDoYouDoStuff.


In this video, I am going to show you how to log into the AWS console with an IAM user.


You can read the transcript below.



Transcript

How do you log into the AWS console with an IAM user?

Hi guys. I'm Phil Stirpe.

In this video, I am going to show you how to log into the AWS console with an IAM user.

When you first create an account with Amazon Web Services, you have a single master account.

This account is associated with an email address and credit card number for billing purposes. Most importantly, it has full access to your AWS cloud. That is to say, full access to every AWS service available in the AWS cloud.

Clearly that is a very powerful user account. In fact, you should make very little use of it.

If you consider that a typical organisation that uses Amazon Web Services might employ tens or hundreds of developers, testers, database administrators and other admins, they can't all use a single account.

The solution is to use the Identity and Access Management (IAM) service to create users and groups to better manage your cloud.

In this video I want to show you how to create a user and then access the AWS console using that user account.

So the first thing I need to do is log into the AWS console with my root or master account.

This involves entering the email address associated with the account and its password.

Furthermore, I have enabled my master account for multi-factor authentication (MFA). This isn't required but is considered best practice. You can either get an app for your smartphone or, alternatively, purchase a Gemalto hardware token from Amazon and associate it with your account.

In this case I'm using a token which gives me a unique code to enter into the second screen.

Now that I’m logged in I can switch to the IAM console in order to create a user account. If I click on the Users link I can create a new user. Let me create a user named George. Note that I’m offered the option to generate an access key. I’m not going to select that and I’ll explain why in a moment.

You need to decide when you create a user what type of credential you want to use to prove identity. For example you might be creating a user account to be used by an application. In that case you might choose an access key.

As this user is intended for a person to connect to the AWS console, I'm going to define a password. Note that you can enable MFA for IAM user accounts too. This is also considered best practice.

Now that I have created a user account and specified the password, it's time to show you how to log in.

IAM users cannot use the same URL to connect to the AWS console; that URL is intended for master accounts. Instead, the URL should reflect the master account with which the IAM user account is associated.

You can locate the desired URL in the lower left-hand corner of the IAM console. As you can see, it includes the account number associated with your master account. This URL can be issued to your users, for example in the form of a desktop shortcut.

Watch what happens when I navigate to this URL in a new window. As you can see, the login window is different. This time the account number is displayed and there are additional fields for the username and password.

Let me log in as George.

You can now see that I’m authenticated as George in the AWS console. But what about privileges?

Let me try and launch an EC2 instance.

As you can see, I'm not authorised to perform this operation. In fact, if you look back at the EC2 Dashboard, there are many things that I am not authorised to do. By default IAM users have no privileges. Privileges must be assigned to IAM users, or to groups of which IAM users are members.
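To make the default-deny behaviour concrete, here is an added example (my own code, not from the video and not AWS's implementation) that models the documented evaluation order for a user's identity policies: an explicit Deny wins, otherwise any matching Allow permits, otherwise the request is implicitly denied. The "Developers" group policy, the account id and the request ARN are constructed samples; conditions, NotAction/NotResource, permission boundaries and resource-based policies are deliberately not modelled.

```python
"""Minimal model of IAM's evaluation order for a single IAM user.

Added example, not the video's or AWS's code. It models only the documented
core rule: explicit Deny > Allow > implicit Deny. Conditions, NotAction /
NotResource, permission boundaries and resource-based policies are left out.
"""
import fnmatch
from typing import List, Tuple


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM patterns use '*' and '?'; action names match case-insensitively,
    resource ARNs match case-sensitively."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_matches(a, action, True) for a in actions)
            and any(_matches(r, resource, False) for r in resources))


def evaluate(policies: List[dict], action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one request.

    `policies` is every identity policy that applies to the user: those
    attached to the user directly plus those attached to its groups.
    """
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"              # an explicit Deny is final
            if stmt.get("Effect") == "Allow":
                allowed = True             # keep scanning for a Deny
    return "Allow" if allowed else "Deny"  # nothing matched: implicit Deny


# Constructed sample: a "Developers" group that may describe and launch EC2
# instances but is explicitly denied terminating them.
DEVELOPERS_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:RunInstances"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "ec2:TerminateInstances",
         "Resource": "*"},
    ],
}

# Constructed sample request: launching an instance, as George tried in the
# video. The account id in the ARN is a placeholder.
RUN_INSTANCES = ("ec2:RunInstances",
                 "arn:aws:ec2:eu-west-1:123456789012:instance/*")


def george_before_and_after() -> Tuple[str, str]:
    """George as freshly created (no policies) versus after joining the group."""
    before = evaluate([], *RUN_INSTANCES)
    after = evaluate([DEVELOPERS_GROUP_POLICY], *RUN_INSTANCES)
    return before, after


if __name__ == "__main__":
    before, after = george_before_and_after()
    print("fresh IAM user:", before)          # Deny
    print("member of Developers group:", after)  # Allow
```

The point the model makes visible is that a new user has an empty policy list and therefore falls through to the implicit Deny on every call; attaching the group policy flips `ec2:RunInstances` to Allow while the explicit Deny on `ec2:TerminateInstances` still wins even though `ec2:Describe*` and friends are allowed.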

That will be the subject of a later video.

There you have it.

In this video, I have shown you how easy it is to log into the AWS console with an IAM user.

Thanks for watching and please feel free to comment on my blog (www.philipstirpe.com) and Facebook page (www.facebook.com/philip.stirpe.tutorials). Perhaps you could suggest more video topics? Most of all, don't forget to subscribe to keep up with my videos as I release them.

Bye for now.

See you soon

Phil Stirpé
"I don't do average!"

Monday, 7 April 2014

Use an IAM role to authorise code executing in EC2 instances

This is another in a series of videos that I am producing for my YouTube channel HowDoYouDoStuff.


In this video, I am going to show you how to use an IAM role to authorise code executing in EC2 instances.


You can read the transcript below.


Transcript

Hi guys. I’m Phil Stirpe.

In this video, I am going to show you how easy it is to use an IAM role to authorise code executing in EC2 instances.

If you have any EC2 instances running in the AWS cloud, it is highly likely that any code running in them will need access to various AWS services from time to time.

For example, you might have an application that must read or write files in S3. For that it will need authorisation.

In order to authorise an application or person to access an AWS service, you should first create an IAM user account and then assign it a security policy. The problem comes when you need to pass the credentials from an application to the relevant service.

A common mistake is to hardcode these credentials into the application. As you can see, that is what I have done with this user data script. Although this script executes perfectly well (in fact you may have seen it executed in an earlier video) it isn’t secure.

For a start, you may inadvertently disclose the credentials by creating a video demo like this one and showing it on YouTube. More likely you might store your code in a repository such as Git not realising it contained your credentials. The solution is to use IAM roles.

IAM roles are not groups of users. Rather they are entities to which you can assign security policies, and that applications or instances can assume.

Let me show you this other user data script which I wish to pass to an instance. As you can see, unlike the other script it does not contain any credentials. Unless the code executes in a context that has permission to access buckets in S3, it will fail. That's where IAM roles come in.
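Because the risk described above is that credentials leak through a demo or a repository, the defensive counterpart is to catch them before they get there. The following is an added example, my own code rather than the video's script or an AWS tool, that scans a user-data script for long-term AWS key material and shows, side by side, a constructed credential-bearing PowerShell script and the role-based version that contains none. The bucket name and both scripts are constructed; the key values are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
"""Detect long-term AWS credentials hard-coded in EC2 user-data scripts.

Added example (not the video's script, not an AWS tool). The two sample
scripts below are constructed; the key values are the placeholders AWS uses
in its own documentation. A check like this belongs in a pre-commit hook or
CI job so a bootstrap script never reaches a repository with keys inside.
"""
import re
from typing import List, Tuple

# Long-term access key ids begin with AKIA (temporary STS ones with ASIA)
# and are 20 upper-case alphanumeric characters.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 base64-alphabet characters. On its own that
# pattern is noisy (hashes, tokens), so require it to be assigned to a name
# containing "secret", which is how it appears in scripts like the one shown.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[\w\-]*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

Finding = Tuple[int, str, str]   # (line number, kind, redacted value)


def _redact(value: str) -> str:
    """Never echo the whole secret into logs or CI output."""
    return value[:4] + "..." + value[-4:]


def find_hardcoded_credentials(script: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", _redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", _redact(m.group(1))))
    return findings


def is_safe_to_commit(script: str) -> bool:
    return not find_hardcoded_credentials(script)


# Constructed sample of the mistake the video describes: IAM user keys baked
# into PowerShell user data (EC2Config runs the <powershell> block at boot).
INSECURE_USER_DATA = r'''<powershell>
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$env:AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Read-S3Object -BucketName my-bootstrap-bucket -Key chef-client.msi -File C:\chef\chef-client.msi
</powershell>'''

# Constructed sample of the role-based alternative: the same download with no
# credentials at all. The AWS tools on the instance obtain short-lived
# credentials for the attached IAM role from the instance metadata service.
ROLE_BASED_USER_DATA = r'''<powershell>
Read-S3Object -BucketName my-bootstrap-bucket -Key chef-client.msi -File C:\chef\chef-client.msi
</powershell>'''


if __name__ == "__main__":
    for name, script in (("insecure", INSECURE_USER_DATA),
                         ("role-based", ROLE_BASED_USER_DATA)):
        print(name, "->", find_hardcoded_credentials(script) or "clean")
```

The scanner is deliberately narrow: the access key id pattern is specific enough to match on its own, while the 40-character secret pattern is only reported when it is assigned to something named `secret`, which keeps false positives from hashes and other tokens low. Findings are redacted so the CI log itself does not become a second leak.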

If I connect to the IAM dashboard, you will see that I have created a role called BootstrapRole. As you can see, I have assigned this role an off-the-shelf security policy which grants it read only access to S3. Any instance that I assign this role to will have the same permissions.

So let’s see that role in action. As with my previous video I’m going to launch an EC2 instance and pass it a user data script.

I am choosing Windows as my script is a PowerShell script. I'll select an m1.medium and then click Configure Instance Details. From there I can expand Advanced Details and then select the file to upload as user data.

I'll select the script that does not contain credentials, so before I launch I need to select an IAM role to assign to the instance. Any code running in this instance will have whatever privileges are granted in the security policy assigned to that role.

Let me review and launch. Once I’ve selected my key pair the instance will launch.

I will now need to wait a few minutes for the instance to launch and the scripts to execute.

[15 minutes later …]

The instance has now had time to launch and run the bootstrap script. In addition, because this is a Windows server we needed to leave time for the Administrator password to be generated. This is only necessary when you initially launch an instance. It is not required when starting an instance following a shut down.

Let me try to connect to the server. I need to pick my key file in order to decrypt the administrator password.

Now that I have the password, I’m going to download the remote desktop file.

I’ll click on that file to open a remote desktop connection and then enter the password that I retrieved earlier.

Once I connect to the server, I’m looking for evidence my user data script executed. That script should have downloaded installers from S3 for Chef Solo which was then going to use a cookbook to install tools such as Notepad++.

As you can see, I have a number of folders such as chef and opscode. There are also two text files. These were created by my script, which also installed Chef Solo. The installer for Chef Solo was downloaded from an S3 bucket, proving that the script had access to S3 because the instance had been assigned an appropriate IAM role.

There you have it.

In this video, I have shown you how easy it is to use an IAM role to authorise code executing in EC2 instances.

Thanks for watching and please feel free to comment on my blog (www.philipstirpe.com) and Facebook page (www.facebook.com/philip.stirpe.tutorials). Perhaps you could suggest more video topics? Most of all, don’t forget to subscribe to keep up with my videos as I release them.

Bye for now.


Bootstrap EC2 instances with userdata from the AWS Console

This is another in a series of videos that I am producing for my YouTube channel HowDoYouDoStuff.


In this video, I am going to show you how to bootstrap EC2 instances with userdata from the AWS Console.


You can read the transcript below.


Transcript

Hi guys. I'm Phil Stirpe.

In this video, I am going to show you how easy it is to bootstrap EC2 instances with user-data from the AWS Console.

Bootstrapping is an important aspect of provisioning instances in the cloud.

If you want to implement a truly elastic set of assets allowing you to bring up or discard servers at a moment’s notice, you need to be able to configure an instance at start-up.

This might involve installing some software at initial boot or configuring the machine to behave in a desired manner.

To bootstrap an EC2 instance in Amazon web services, you need to pass it user data at launch time.

User data can be up to 16 kB of data and typically takes the form of a script.

When you launch an EC2 instance it will be based upon an Amazon Machine Image or AMI.

These are typically Linux or Windows server images, although you can create any custom type that you wish.

If you choose an off-the-shelf AMI created by Amazon, it will contain one of two services: cloud-init for Linux or EC2Config for Windows.

These services run during the initial boot and check for any user data that you may have passed to the instance.

If your user data can be parsed as a valid script then it will be executed. If not it is ignored.

This is an example of a bash script that we might pass to a Linux machine as user data. It would execute as the server was loading.

This is an example PowerShell script that we might pass to a Windows server to bootstrap it.

Let’s look at the mechanics for passing user data to a launching instance.

I'm going to launch a Windows server as I have a useful PowerShell script that I can use here.

Rather than launch a micro, I’m going to choose a general-purpose m1.medium as my instance type.

I am now going to click on the Configure Instance Details button. There are a number of options that I can select here but the only one that I want is user data which is buried down in Advanced Details.

Now it is in this box that I can enter my script, be it a PowerShell script or a bash script. But rather than enter it directly, I could choose it from a file.

So let me just click this button and then select this file and click Open.

Now you can’t actually see the contents of the script here, so I’ll just open it up in Notepad++ for you to take a look at.

This script downloads a number of files from an S3 bucket including a Chef Solo installer, installers for the likes of Notepad++ and a cookbook.

Once it has downloaded these assets and installed Chef Solo, it leaves Chef Solo to perform the rest of the installation.

So I will now click Review and Launch. I am happy with all of the details so I can go ahead and click on Launch and select my key pair.

Now this will take a couple of minutes to boot and then allow the user data script a chance to run, so I will wait for a couple of minutes before trying to connect to the server.

[15 minutes later…]

Okay, I have left it 15 minutes or so to give Chef Solo time to install all of the assets. Furthermore, when launching Windows servers for the first time you need to wait several minutes in order for the administrator password to be generated.

So I click the Connect button and then attempt to retrieve the password. That's fine. If the administrator password hadn't been generated yet, I would have received a warning telling me that the password wasn't ready yet.

I now need to pick the key file that I used when launching the server. This will allow me to decrypt the administrator password.

I need this password in order to connect to the remote server. So I will copy the password and then download the remote desktop file which I can use to connect to the server.

If I click on the Remote Desktop file, a dialog appears prompting me for the Administrator password. So I will enter the password that I copied earlier.

When I connect to this remote machine, I am expecting to see all of the assets that have been downloaded from S3 and that the installers have executed.

If I open up Windows Explorer, you will see that the root of C: contains some non-standard folders. For example a folder named Chef and a folder named opscode. There are also a couple of files that were generated by my script.

We can see that my script downloaded a number of assets and placed them in a folder called Chef. It then installed Chef Solo.

As my script was running, it was writing to this bootstrap file.

So this proves that my PowerShell script passed as user data was parsed by EC2Config and executed at the launch of the server.

There is one last thing I would like to show you. Perhaps you would like to bootstrap your server but PowerShell scripts or bash scripts are not appropriate.

Perhaps you would like to implement some kind of business logic. For example, when this server launches I want it to act as a video encoder or perhaps even an image thumbnailer.

In this situation I simply need to pass the server a code such as the number 1 or 2. Perhaps I might pass the words “video encoder” or “image thumbnailer” instead?

Then within the instance I may have a service of my own running which could look for this URL: http://169.254.169.254/latest/user-data

This URL is consistent for all instances.

You could use this URL to access user data passed into the launching instance and then act accordingly.
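The following added example (my own code, not from the videos) ties this post together with the previous one on IAM roles: a small service on the instance reads its own user data from the metadata URL above and picks a workload from it, and the same client shows where the short-lived credentials for an attached IAM role such as the earlier BootstrapRole actually come from. The client uses the IMDSv2 token handshake (a PUT to /latest/api/token, a later addition to the metadata service that is not mentioned in the video); enforcing IMDSv2 on an instance is what stops a web application with a server-side request forgery bug from reading the role credentials with a plain GET. A local fake of the metadata service is included so the example runs offline; every value it serves, including the role name, the workload words and the credential fields, is constructed.

```python
"""Read user data and IAM role credentials from the EC2 instance metadata service.

Added example, not code from the videos. The fake server below stands in for
http://169.254.169.254 so the example runs offline; everything it serves is
constructed. The client insists on IMDSv2 (session token via PUT) and raises
rather than silently falling back to a token-less IMDSv1 request.
"""
import http.server
import json
import threading
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"   # link-local, identical on every instance
TOKEN_TTL_SECONDS = "21600"


def imds_get(path: str, base: str = IMDS_BASE, timeout: float = 2.0) -> str:
    """GET a metadata path with an IMDSv2 session token."""
    token_req = urllib.request.Request(
        base + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base + path,
                                 headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode().strip()


# Constructed mapping from the words passed as user data to a workload.
WORKLOADS = {"video encoder": "start_video_encoder",
             "image thumbnailer": "start_image_thumbnailer"}


def choose_workload(user_data: str) -> str:
    """User data is launch-time input; accept only the values we know."""
    key = user_data.strip().lower()
    if key not in WORKLOADS:
        raise ValueError(f"unrecognised user data: {user_data!r}")
    return WORKLOADS[key]


def instance_role_credentials(base: str = IMDS_BASE) -> dict:
    """Temporary credentials for the instance's IAM role, fetched the way the
    AWS SDKs do it: the role name first, then its JSON credential document."""
    role = imds_get("/latest/meta-data/iam/security-credentials/", base)
    doc = imds_get(f"/latest/meta-data/iam/security-credentials/{role}", base)
    return json.loads(doc)


class _FakeImds(http.server.BaseHTTPRequestHandler):
    """Offline stand-in for IMDS in IMDSv2-only mode: GET without a token is 401."""
    TOKEN = "constructed-session-token"
    USER_DATA = "video encoder"
    ROLE = "BootstrapRole"
    CREDS = {"AccessKeyId": "ASIA-constructed", "SecretAccessKey": "constructed",
             "Token": "constructed-session-credential",
             "Expiration": "2014-04-07T12:00:00Z"}

    def _send(self, code: int, body: str) -> None:
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path == "/latest/api/token":
            self._send(200, self.TOKEN)
        else:
            self._send(404, "")

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") != self.TOKEN:
            self._send(401, "")
            return
        routes = {
            "/latest/user-data": self.USER_DATA,
            "/latest/meta-data/iam/security-credentials/": self.ROLE,
            f"/latest/meta-data/iam/security-credentials/{self.ROLE}": json.dumps(self.CREDS),
        }
        if self.path in routes:
            self._send(200, routes[self.path])
        else:
            self._send(404, "")

    def log_message(self, *args):   # keep the example's output quiet
        pass


def start_fake_imds():
    """Start the fake on a free localhost port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def plain_get_is_refused(base: str) -> bool:
    """True if a token-less GET is rejected, which is what enforcing IMDSv2 buys."""
    try:
        urllib.request.urlopen(base + "/latest/user-data", timeout=2.0)
    except urllib.error.HTTPError as err:
        return err.code == 401
    return False


if __name__ == "__main__":
    server, base = start_fake_imds()
    print("workload:", choose_workload(imds_get("/latest/user-data", base)))
    print("role key id:", instance_role_credentials(base)["AccessKeyId"])
    print("token-less GET refused:", plain_get_is_refused(base))
    server.shutdown()
```

On a real instance you would drop the fake and call `imds_get` with the default base URL. Two design points matter for defenders: the workload selector treats user data as untrusted input and refuses anything outside its allow-list rather than executing it, and the credential path makes it obvious why the metadata endpoint itself must be protected, since whatever can reach it holds the role's permissions.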

There you have it.

In this video, I have shown you how easy it is to bootstrap EC2 instances with user-data from the AWS Console.

Thanks for watching and please feel free to comment on my blog (www.philipstirpe.com) and Facebook page (www.facebook.com/philip.stirpe.tutorials). Perhaps you could suggest more video topics? Most of all, don't forget to subscribe to keep up with my videos as I release them.

Bye for now.
