
Accessing the AWS console (read-only)

The Cloud Platform provides read-only access to the AWS console to help you visualise resources and debug ancillary services (such as S3, RDS, etc.) without needing to use the AWS Command Line Interface (CLI).

You can log in to the AWS console to view your resources in eu-west-2 (London).

Prerequisites

GitHub

To access the AWS console, you will need to:

  • be part of the ministryofjustice GitHub organisation
  • be part of the correct GitHub team(s) for your service

The Connecting to the Cloud Platform’s Kubernetes cluster guide explains how to do this.

Tagging your resources

To be able to view your resources, you need to ensure they are tagged correctly.

You need to tag your resources with a GithubTeam key and your GitHub team slug as the value.

Tagging all of your namespace resources

To tag all of your resources:

  • find the resources directory for your namespace in cloud-platform-environments
  • update the provider declaration(s) in main.tf to use default_tags, setting the GithubTeam key and your GitHub team slug as the value

For example, in main.tf, to allow resources to be visible to the hmpps-interventions GitHub team:

provider "aws" {
  region = "eu-west-2"

  default_tags {
    tags = {
      GithubTeam = "hmpps-interventions"
    }
  }
}

Tagging a singular resource

To tag a singular resource:

  • find the resources directory for your namespace in cloud-platform-environments
  • tag each resource you want to be visible with the GithubTeam key and your GitHub team slug as the value

For example, to tag a resource to allow it to be visible to the laa-apply-for-legal-aid GitHub team:

resource "aws_api_gateway_rest_api" "this" {
  ...

  tags = {
    GithubTeam = "laa-apply-for-legal-aid"
  }
}

Tagging a module

This method isn’t currently supported, but will be in the future. It is recommended you tag all of your namespace resources as default_tags are inherited by modules.

Login to the AWS console

After you’ve configured the prerequisites, you can log in to the AWS console.

Ensure you select the eu-west-2 (London) region otherwise you won’t be able to view anything.

Understanding the authentication workflow

The Auth0 application that authenticates you adds a PrincipalTag key holding all of the GitHub teams your user is a member of. The value is a simple colon (:) separated string of team slugs, and it is matched against a resource’s GithubTeam ResourceTag to decide whether you are allowed to view that resource.

You can view the source-code for the implementation in the cloud-platform-terraform-sso repository.
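As an added example (not part of this page or of the cloud-platform-terraform-sso code), the following Python models the tag match described above so you can work out why a resource is or is not visible. The sample resources and the principal tag value are constructed, and the region check reflects the page’s note that only eu-west-2 is viewable.

```python
from dataclasses import dataclass, field

CONSOLE_REGION = "eu-west-2"  # the only region the console view covers
TAG_KEY = "GithubTeam"        # resource tag key matched against your teams


@dataclass
class Resource:
    """Constructed stand-in for an AWS resource and its tags."""
    name: str
    region: str
    tags: dict = field(default_factory=dict)


def principal_teams(principal_tag: str) -> set:
    """Split the colon-separated PrincipalTag value into a set of team slugs.

    Splitting first and comparing whole slugs avoids the substring trap where
    a naive "hmpps" in "hmpps-interventions" check would wrongly match.
    """
    return {t for t in principal_tag.split(":") if t}


def visibility(resource: Resource, principal_tag: str) -> str:
    """Explain whether a resource would show up in the read-only console."""
    if resource.region != CONSOLE_REGION:
        return f"hidden: region {resource.region} (select {CONSOLE_REGION})"
    team = resource.tags.get(TAG_KEY)
    if team is None:
        return f"hidden: missing {TAG_KEY} tag"
    if team not in principal_teams(principal_tag):
        return f"hidden: {TAG_KEY}={team} not in your teams"
    return "visible"


def audit(resources, principal_tag: str) -> dict:
    """Map each resource name to its visibility verdict."""
    return {r.name: visibility(r, principal_tag) for r in resources}


# Constructed sample data: a user in two teams and four resources.
SAMPLE_PRINCIPAL_TAG = "hmpps-interventions:laa-apply-for-legal-aid"
SAMPLE_RESOURCES = [
    Resource("rds/interventions-db", "eu-west-2", {"GithubTeam": "hmpps-interventions"}),
    Resource("s3/untagged-bucket", "eu-west-2", {}),
    Resource("sqs/other-team-queue", "eu-west-2", {"GithubTeam": "hmpps"}),
    Resource("s3/ireland-bucket", "eu-west-1", {"GithubTeam": "hmpps-interventions"}),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_RESOURCES, SAMPLE_PRINCIPAL_TAG).items():
        print(f"{name}: {status}")
```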

Caveats

Cloud Platform

  • Access to the AWS console has been designed, and will remain, as read-only. This is to ensure all of your resources are defined as infrastructure-as-code.

  • Not all Cloud Platform Terraform modules currently support setting the GithubTeam tag.

  • IAM policies for read-only access are currently a work in progress. We currently support:

    • Identity and Access Management (IAM)
    • Relational Database Service (RDS)
    • Simple Notification Service (SNS)
    • Simple Queue Service (SQS)
    • Simple Storage Service (S3)
    • Virtual Private Cloud (VPC)

AWS

  • Not all AWS resources support attribute-based access control. You can find out which resources AWS supports by checking the “Authorization based on tags” column in AWS services that work with IAM.

Feedback

Please reach out in #ask-cloud-platform if you have feedback.

This page was last reviewed on 14 November 2022. It needs to be reviewed again on 14 February 2023 .