Accessing the AWS console (read-only)
The Cloud Platform provides read-only access to the AWS console to help you visualise resources and debug ancillary services (such as S3, RDS, etc.) without needing to use the AWS Command Line Interface (CLI).
You can login to the AWS console to view your resources in eu-west-2 (London).
Prerequisites
GitHub
To access the AWS console, you will need to:
- be part of the
ministryofjusticeGitHub organisation - be part of the correct GitHub team(s) for your service
The Connecting to the Cloud Platform’s Kubernetes cluster includes how to do this:
Tagging your resources
To be able to view your resources, you need to ensure they are tagged correctly.
You need to tag your resources with a GithubTeam key and your GitHub team slug as the value. Please note, changing the github team name through var.team_name in variables.tf will cause a resource recreation (deletion followed by creation), so make sure to check the terraform plan when changing this value.
Tagging all of your namespace resources
To tag all of your resources:
- find the
resourcesdirectory for your namespace in cloud-platform-environments - update the provider declaration(s) in
main.tfto usedefault_tags, setting theGithubTeamkey and your GitHub team slug as the value
For example, in main.tf, to allow resources to be visible to the hmpps-interventions GitHub team:
provider "aws" {
region = "eu-west-2"
default_tags {
tags = {
GithubTeam = "hmpps-interventions"
}
}
}
Tagging a singular resource
To tag a singular resource:
- find the
resourcesdirectory for your namespace in cloud-platform-environments - tag each resource you want to be visible with the
GithubTeamkey and your GitHub team slug as the value
For example, to tag a resource to allow it to be visible to the laa-apply-for-legal-aid GitHub team:
resource "aws_api_gateway_rest_api" "this" {
...
tags = {
GithubTeam = "laa-apply-for-legal-aid"
}
}
Tagging a module
This method isn’t currently supported, but will be in the future. It is recommended you tag all of your namespace resources as
default_tagsare inherited by modules.
Login to the AWS console
After you’ve configured the prerequisites, you can login to the AWS console.
Ensure you select the
eu-west-2 (London)region otherwise you won’t be able to view anything.
Understanding the authentication workflow
The Auth0 application that authenticates you will add a PrincipalTag key storing all of the GitHub teams your user is a member of. This is stored as a simple colon (:) separated string, which is matched against a resource’s GithubTeam ResourceTag to allow you to view it.
You can view the source-code for the implementation in the cloud-platform-terraform-sso repository.
Caveats
Cloud Platform
Access to the AWS console has been designed, and will remain, as read-only. This is to ensure all of your resources are defined as infrastructure-as-code.
Not all Cloud Platform Terraform modules currently support setting the
GithubTeamtag.IAM policies for read-only access are currently a work in progress. We currently support:
- Amazon Bedrock
- APIGateway
- CloudWatch Metrics
- CloudWatch Logs
- ElastiCache
- Identity and Access Management (IAM)
- OpenSearchService
- Relational Database Service (RDS)
- Secrets Manager
- Simple Notification Service (SNS)
- Simple Queue Service (SQS)
- Simple Storage Service (S3)
- Virtual Private Cloud (VPC)
AWS
- Not all AWS resources support attribute-based access control. You can find out which resources AWS supports by checking the “Authorization based on tags” column in AWS services that work with IAM.
Known issues
- Due to character limit constraints on session tags for attribute based SSO access to the console, some Cloud Platform users have encountered the following error on login:
Unable to validate tags (Service: AWSSecurityToken; Status Code: 400; Error Code: ValidationError; Request ID: ****; Proxy: null). Please try again.
This issue is covered in our Cloud Platform runbooks here.
Feedback
Please reach out in #ask-cloud-platform if you have feedback.