Accessing the AWS console (read-only)

The Cloud Platform provides read-only access to the AWS console to help you visualise resources and debug ancillary services (such as S3, RDS, etc.) without needing to use the AWS Command Line Interface (CLI).

You can log in to the AWS console to view your resources in eu-west-2 (London).



To access the AWS console, you will need to:

  • be part of the ministryofjustice GitHub organisation
  • be part of the correct GitHub team(s) for your service

The Connecting to the Cloud Platform’s Kubernetes cluster guide explains how to do this.

Tagging your resources

To be able to view your resources, you need to ensure they are tagged correctly.

You need to tag your resources with a GithubTeam key and your GitHub team slug as the value. Please note, changing the GitHub team name through var.team_name in will cause a resource recreation (deletion followed by creation), so make sure to check the Terraform plan when changing this value.

Tagging all of your namespace resources

To tag all of your resources:

  • find the resources directory for your namespace in cloud-platform-environments
  • update the provider declaration(s) in to use default_tags, setting the GithubTeam key and your GitHub team slug as the value

For example, in, to allow resources to be visible to the hmpps-interventions GitHub team:

provider "aws" {
  region = "eu-west-2"

  # Applied to every taggable resource created through this provider
  default_tags {
    tags = {
      GithubTeam = "hmpps-interventions"
    }
  }
}

Tagging a singular resource

To tag a singular resource:

  • find the resources directory for your namespace in cloud-platform-environments
  • tag each resource you want to be visible with the GithubTeam key and your GitHub team slug as the value

For example, to tag a resource to allow it to be visible to the laa-apply-for-legal-aid GitHub team:

resource "aws_api_gateway_rest_api" "this" {
  # other arguments for this resource are omitted here

  tags = {
    GithubTeam = "laa-apply-for-legal-aid"
  }
}

Tagging a module

This method isn’t currently supported, but will be in the future. It is recommended you tag all of your namespace resources as default_tags are inherited by modules.

Login to the AWS console

After you’ve configured the prerequisites, you can log in to the AWS console.

Ensure you select the eu-west-2 (London) region, otherwise you won’t be able to view anything.

Understanding the authentication workflow

The Auth0 application that authenticates you will add a PrincipalTag key storing all of the GitHub teams your user is a member of. This is stored as a simple colon (:) separated string, which is matched against a resource’s GithubTeam ResourceTag to allow you to view it.

You can view the source code for the implementation in the cloud-platform-terraform-sso repository.


Cloud Platform

  • Access to the AWS console has been designed, and will remain, as read-only. This is to ensure all of your resources are defined as infrastructure-as-code.

  • Not all Cloud Platform Terraform modules currently support setting the GithubTeam tag.

  • IAM policies for read-only access are currently a work in progress. We currently support:

    • APIGateway
    • CloudWatch Metrics
    • CloudWatch Logs
    • ElastiCache
    • Identity and Access Management (IAM)
    • OpenSearchService
    • Relational Database Service (RDS)
    • Secrets Manager
    • Simple Notification Service (SNS)
    • Simple Queue Service (SQS)
    • Simple Storage Service (S3)
    • Virtual Private Cloud (VPC)


  • Not all AWS resources support attribute-based access control. You can find out which resources AWS supports by checking the “Authorization based on tags” column in AWS services that work with IAM.

Known issues

  • Due to character limit constraints on session tags for attribute-based SSO access to the console, some Cloud Platform users have encountered the following error on login:
Unable to validate tags (Service: AWSSecurityToken; Status Code: 400; Error Code: ValidationError; Request ID: ****; Proxy: null). Please try again.

This issue is covered in our Cloud Platform runbooks here.
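
The tag matching described under "Understanding the authentication workflow" and the session tag limit behind the login error above can be modelled locally. This is an added example, not code from the cloud-platform-terraform-sso repository: the function names, the leading and trailing colons on the tag value, and the sample team lists are assumptions made for illustration, while 256 characters is the AWS STS limit for a single session tag value.

```python
# Added illustration: a local model of the tag check, not the SSO implementation.
SESSION_TAG_VALUE_MAX = 256  # AWS STS limit for one session tag value (characters)


def build_principal_tag(teams):
    """Join GitHub team slugs into one colon-separated session tag value.

    Assumption: the value is wrapped in leading and trailing colons so that
    every slug is delimited on both sides.
    """
    for slug in teams:
        if not slug or ":" in slug:
            raise ValueError(f"slug would break the delimiter: {slug!r}")
    return ":" + ":".join(teams) + ":"


def can_view(principal_tag, resource_tags):
    """True when the resource's GithubTeam tag names one of the user's teams."""
    team = resource_tags.get("GithubTeam")
    if not team or ":" in team:
        return False  # untagged or malformed resources are never visible
    # Delimiter-anchored match: "laa" must not match "laa-apply-for-legal-aid".
    return f":{team}:" in principal_tag


def validate_session_tag(principal_tag):
    """Return how many characters the value is over the STS limit (0 = fits)."""
    return max(0, len(principal_tag) - SESSION_TAG_VALUE_MAX)


if __name__ == "__main__":
    # Constructed sample data: two team slugs taken from the examples above.
    tag = build_principal_tag(["hmpps-interventions", "laa-apply-for-legal-aid"])
    print(tag)
    print(can_view(tag, {"GithubTeam": "hmpps-interventions"}))
    print(can_view(tag, {"GithubTeam": "laa"}))
    print(can_view(tag, {}))

    # Constructed user in 20 teams: the joined value no longer fits in one tag.
    many = build_principal_tag([f"constructed-team-{i:02d}" for i in range(20)])
    print(len(many), validate_session_tag(many))
```

A user whose joined team list exceeds the limit cannot be given the tag at all, which is why the failure appears at login rather than as a missing resource.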


Please reach out in #ask-cloud-platform if you have feedback.

This page was last reviewed on 24 May 2024. It needs to be reviewed again on 24 November 2024 by the page owner #cloud-platform.