Linaro has an AWS account to run various workloads in the Amazon cloud.

For Linaro EC2 developers

You can request an IAM user account (AWSAccessKeyId and AWSSecretKey) by mailing EC2 at linaro.org.

Good resource to get started with Ubuntu in EC2: https://help.ubuntu.com/community/EC2StartersGuide

Get your user name, AWSAccessKeyId and AWSSecretKey and save them in a ~/linaro-aws-account-key file containing something like:

    AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
    AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY

Create an X.509 certificate (needed for EC2 actions) with openssl:

    openssl genrsa -out ~/private-key.pem 4096
    # valid for a little over 10 years
    openssl req -new -x509 -sha1 -days 3750 -key ~/private-key.pem -out ~/cert.pem

Supposedly, these certificates could be downloaded from the Amazon web UI, but that doesn't work.

Associate your certificate with your IAM user, e.g. here for a user named lool:

    iam-useraddcert --aws-credential-file ~/linaro-aws-account-key -f ~/cert.pem -u lool

(you can find iam-useraddcert in the iamcli package or get it from http://docs.amazonwebservices.com/IAM/latest/CLIReference/)

Set up your environment:

    export EC2_CERT=~/cert.pem
    export EC2_PRIVATE_KEY=~/private-key.pem

Add your SSH key as a keypair, with some friendly name (here lool@bee):

    ec2ikey lool@bee -f ~/.ssh/id_rsa.pub

(you can find ec2ikey in the ec2-api-tools package; note that on Lucid you need the version from backports)

Start an instance of Ubuntu 10.10 with your keypair:

    ec2-run-instances ami-08f40561 --instance-type m1.large -k lool@bee

SSH into the instance returned above:

    ssh ubuntu@ec2-75-101-185-141.compute-1.amazonaws.com

Note that each instance may have a different public IP. Assuming you have set an IAM password, you may sign in at https://linaro.signin.aws.amazon.com/console/ec2 to access the AWS management console and look up those public IPs yourself (as well as other interesting information).

For Linaro EC2 admins

Setting up the tools

You need a JVM, e.g. openjdk-6-jre-headless, to use the tools.

    export JAVA_HOME=/usr/lib/jvm/java-6-openjdk
    export AWS_IAM_HOME=/where/you/unpacked/iam/tools

Add the IAM tools to your PATH:

    export PATH=$PATH:$AWS_IAM_HOME/bin

Create a private ~/linaro-aws-account-key file with the EC2 at linaro.org AWS credentials (access key ID and secret access key), containing something like:

    AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
    AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY

(These are available from http://aws.amazon.com/ then Account then Security Credentials, or Philip Colmer can provide them)

Creating an IAM group

    iam-groupcreate --aws-credential-file ~/linaro-aws-account-key -g admins -v

Output:

    arn:aws:iam::000000000000:group/admins
    AG...................

Grant permissions to the group (applies to anybody in that group); create a policy file ~/linaro-admins-policy.json:

    {
       "Statement":[{
          "Effect":"Allow",
          "Action":"*",
          "Resource":"*"
       }]
    }

/!\ above grants all permissions!

Then run the command below to create a policy named admins-policy on that group:

    iam-groupuploadpolicy --aws-credential-file ~/linaro-aws-account-key -g admins -p admins-policy -f ~/linaro-admins-policy.json

Creating an IAM account

Create a user named lool in the admins group, together with an access key:

    iam-usercreate --aws-credential-file ~/linaro-aws-account-key -u lool -g admins -k -v

Save the output and send it to the new user via a secure channel, pointing at this wiki page.

Add the user to any additional groups, e.g. here user lool is added to the devs group:

    iam-groupadduser --aws-credential-file ~/linaro-aws-account-key -g devs -u lool

Grant user lool permission to manage their own signing certificates; create a policy file ~/linaro-lool-policy.json (make sure to replace the arn: data with the user's own ARN):

    {
       "Statement":[{
          "Effect":"Allow",
          "Action":["iam:ListSigningCertificates",
                    "iam:UploadSigningCertificate",
                    "iam:DeleteSigningCertificate",
                    "iam:UpdateSigningCertificate"],
          "Resource":"arn:aws:iam::123456789012:user/lool"
       }]
    }

and run:

    iam-useruploadpolicy --aws-credential-file ~/linaro-aws-account-key -f ~/linaro-lool-policy.json -p lool-policy -u lool
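Two of the steps above are easy to get wrong by hand: the admins-policy grants everything (the /!\ note), and the per-user policy only works if the arn: data really names that user. The Python below, an added example that is not part of this wiki page or of the IAM CLI tools, builds the per-user signing-certificate policy from a username and account id and checks a policy document for both mistakes; the account id 123456789012 is the placeholder used on this page, and the function names are the example's own.

```python
import json

# The four IAM actions the page grants so a user can manage only their own
# signing certificates (the lool-policy document above).
CERT_ACTIONS = (
    "iam:ListSigningCertificates",
    "iam:UploadSigningCertificate",
    "iam:DeleteSigningCertificate",
    "iam:UpdateSigningCertificate",
)

def user_arn(account_id, username):
    """IAM user ARN in the form the page's policy uses."""
    return "arn:aws:iam::%s:user/%s" % (account_id, username)

def user_cert_policy(account_id, username):
    """Build the per-user policy so the arn: data is never hand-edited."""
    return {"Statement": [{"Effect": "Allow",
                           "Action": list(CERT_ACTIONS),
                           "Resource": user_arn(account_id, username)}]}

def policy_to_json(policy):
    """Serialise for iam-useruploadpolicy -f or the console policy editor."""
    return json.dumps(policy, indent=2, sort_keys=True)

def _as_list(value):
    # IAM accepts a string or a list for Action and Resource; normalise.
    return value if isinstance(value, list) else [value]

def find_wildcard_grants(policy):
    """Indexes of Allow statements granting '*' on '*' (the admins-policy shape)."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if ("*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            hits.append(i)
    return hits

def check_user_policy(policy, account_id, username):
    """True when every Allow is scoped to this user's own ARN and cert actions only."""
    own = [user_arn(account_id, username)]
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Resource", [])) != own:
            return False
        if not set(_as_list(stmt.get("Action", []))) <= set(CERT_ACTIONS):
            return False
    return True
```

Write `policy_to_json(user_cert_policy("123456789012", "lool"))` to ~/linaro-lool-policy.json and run the iam-useruploadpolicy command above; run `find_wildcard_grants` over any policy you are about to upload to see whether it is an all-permissions grant.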

Optionally, create an account to access the IAM-aware AWS web management console; it's at https://linaro.signin.aws.amazon.com/console/ec2 . The account is created with:

    iam-useraddloginprofile -u someuser -p somepassword

Unfortunately the password needs to be passed on the command line.

NB: These steps can also be achieved from the IAM section of the AWS management console.

Default EC2 security group

The default security group has been set up in the default region, and only in that region (us-east-1), to open SSH from anywhere:

    ec2-authorize default -p 22

There are other security groups for specific Linaro projects.

Adding a Developer via the Web UI

  1. Log in to the management console.
  2. Create a user entry recognizable by a real name or known IRC nick.
  3. Download the credentials file and send it to the user.
  4. Add the user to the dev group:
    • if admin only (sysadmin), add only to the admin group
    • if both admin and dev, add to both the admin and dev groups
    • if service monitor, do not add to any group
  5. Copy the user's ARN from the Summary tab and enter it into a new custom permission in the policy generator dialog. Select "Amazon Identity and Access Management" as the AWS Service.
  6. Add a new custom permission via the policy generator allowing the following actions, with the ARN of the user you just created in place of the example user ARN above:
    • ListSigningCertificates
    • UploadSigningCertificate
    • DeleteSigningCertificate
    • UpdateSigningCertificate
  7. Rename the policy to <username>-policy.


Process/EC2 (last modified 2013-02-18 10:05:52)