-
Notifications
You must be signed in to change notification settings - Fork 4
AWS accounts
This is a guide to the AWS accounts Notify uses and what they are for.
👉 Request a gds-users account from Reliability Engineering.
gds-users is the main account for all GDS AWS users. This user can assume any role (typically admin or readonly) on any of our AWS accounts.
Add the new account to our infra repo:
- https://github.com/alphagov/notifications-aws/pull/1398 - This PR doesn't add to Prod, SC clearance is needed for Prod access.
Get someone to apply the Terraform changes.
The gds-cli tool is recommended to easily switch between environments/roles.
👉 See https://github.com/alphagov/gds-cli for installation.
Once it's set up locally, you can use it to open a new tab logged in to your chosen aws environment. For example:
-
gds aws notify-tools-admin -lwill log in to the tools account -
gds aws notify-prod -lwill log in to production (read only)
Manually switch rules in AWS Web Console
Alternatively, you can sign in to gds-users at https://gds-users.signin.aws.amazon.com/console, and then go to the switch role screen https://signin.aws.amazon.com/switchrole, with:
- account being the environment you want to connect to (eg
notify-tools,notify-production) - role being either
adminorreadonly
You can also use GDS CLI to run local commands like Terraform and the AWS CLI, in the context of a particular account:
gds aws notify-tools-admin -- terraform plan
gds aws notify-tools-admin -- aws s3 lsnotify-tools is the environment your local apps will use when you're running locally to connect to SES/SQS/S3. You have a distinct user in this environment because normal, temporary access keys don't work well with local development.
-
Log in to your main Notify tools account:
gds aws notify-tools-admin -l -
Navigate to IAM, then Users
-
Find your new local development user.
-
Create an access key as above and save it to
~/.aws/credentials[default] aws_access_key_id=... aws_secret_access_key=...
-
Test it works by running
aws configure get aws_access_key_id