From Fedora Project Wiki
(Added Category:Cloud SIG)
Revision as of 00:41, 17 October 2011

Overview

This document describes how to employ Amazon Identity and Access Management (IAM) to create users that people can use to test Amazon Elastic Compute Cloud (EC2) images for limited periods of time such as test days. It assumes that you have read and understood the EC2 Primer, and, if you are the sponsor for the event, the IAM Primer. It also assumes that the sponsor has administrative access to an Amazon Web Services (AWS) account that is dedicated to sponsoring people for test days and that people will not need to manipulate security groups or firewall rules.

The sponsor for the test days should have administrator-level access to an AWS account for test days. All of the commands in this section can be performed by an IAM user with administrative privileges such as the one created in the IAM Primer, instead of account-level credentials.

This tutorial requires euca2ools 2
Most of the commands in the sponsor's section of this tutorial require version 2 or later of the euca2ools command line suite. A pre-release of version 2.0 is available from http://repos.fedorapeople.org/repos/gholms/cloud/.

Initial Setup

The steps in this section only need to be done once.

Get Your Account Details

Obtain either account credentials or an administrative user's credentials and write them to ~/.iamrc and ~/.eucarc as shown in the IAM Primer.

Install the Command Line Tools

Install the euca2ools package. To do so with yum, run:

# yum install euca2ools

Change the default Security Group Rules

Since the goal of an EC2 test day is to test a Fedora image that has already been registered in EC2, sponsored users can run instances in a permissive default security group that allows all traffic from the Internet. The three rules below open every TCP and UDP port and all ICMP traffic to every instance in the default group, so those instances are protected only by whatever firewall they run themselves. You can make that security group allow all traffic with euca-authorize:

$ euca-authorize -P tcp -p 1-65535 default
$ euca-authorize -P udp -p 1-65535 default
$ euca-authorize -P icmp default

Create an Account Alias (optional)

Sponsored users who wish to use AWS's web console to manage their instances need to use an account-specific URL. To make that URL include a human-readable name instead of a long account number you can create an account alias:

$ euare-accountaliascreate -a fedora-test-day

Test Day Setup

The instructions in this section need to be done for each test day.

Create a Test Day Group

Create a group for the specific test day. This is the group that you will use to manage permissions for every sponsored user.

$ euare-groupcreate -g test-day-20111020

Then add a time-limited policy to the group that allows its members to perform the relevant functions in EC2. A policy that works for this purpose appears below; adjust its time constraints to match your test day.

{
  "Statement": [
    {
      "Action": [
        "ec2:CreateKeyPair",
        "ec2:DeleteKeyPair",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:GetConsoleOutput",
        "ec2:ModifyInstanceAttribute",
        "ec2:RebootInstances",
        "ec2:ResetInstanceAttribute",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "2011-10-19T00:00:00Z"
        },
        "DateLessThan": {
          "aws:CurrentTime": "2011-10-21T00:00:00Z"
        }
      }
    }
  ]
}
Don't forget time zones!
The times in a time-limited IAM policy are expressed in a single time zone; the trailing Z in the values above means UTC. Keep this in mind when choosing its bounds so that testers in other time zones are covered for the whole test day.
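The following script is an added example, not code from the wiki page or from euca2ools. It builds the policy document above for a given test day using the page's window convention (midnight UTC the day before through midnight UTC the day after, the margin being an assumed parameter), runs a few pre-upload sanity checks on it, and shows the time-zone pitfall concretely: a tester at 20:00 in UTC-7 on the test day is already past the window's end in UTC. All function names are the example's own.

```python
import json
from datetime import date, datetime, time, timedelta, timezone

# The EC2 actions granted by the policy shown on the page.
TEST_DAY_ACTIONS = [
    "ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:DescribeAddresses",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeImageAttribute",
    "ec2:DescribeImages", "ec2:DescribeInstanceAttribute",
    "ec2:DescribeInstances", "ec2:DescribeKeyPairs",
    "ec2:DescribeSecurityGroups", "ec2:GetConsoleOutput",
    "ec2:ModifyInstanceAttribute", "ec2:RebootInstances",
    "ec2:ResetInstanceAttribute", "ec2:RunInstances",
    "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances",
]
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # aws:CurrentTime is compared against UTC timestamps


def policy_window(test_day, margin_days=1):
    """Window as used on the page: midnight UTC `margin_days` before the test
    day until midnight UTC `margin_days` after it.  Returns aware UTC datetimes."""
    start = datetime.combine(test_day - timedelta(days=margin_days), time(0), tzinfo=timezone.utc)
    end = datetime.combine(test_day + timedelta(days=margin_days), time(0), tzinfo=timezone.utc)
    return start, end


def build_policy(test_day, actions=TEST_DAY_ACTIONS, margin_days=1):
    """Return the policy document as a dict, shaped like the one on the page."""
    start, end = policy_window(test_day, margin_days)
    return {"Statement": [{
        "Action": list(actions),
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
            "DateGreaterThan": {"aws:CurrentTime": start.strftime(TIME_FMT)},
            "DateLessThan": {"aws:CurrentTime": end.strftime(TIME_FMT)},
        },
    }]}


def policy_json(test_day, **kwargs):
    """Serialised form to write to the policy.json handed to euare-groupuploadpolicy."""
    return json.dumps(build_policy(test_day, **kwargs), indent=2)


def validate_policy(policy):
    """Pre-upload checks: every Allow statement carries both time bounds, grants
    only ec2: actions, and contains no wildcard action.  Returns the problems found."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        if "DateGreaterThan" not in cond or "DateLessThan" not in cond:
            problems.append(f"statement {i}: no time window")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                problems.append(f"statement {i}: wildcard action {action}")
            elif not action.startswith("ec2:"):
                problems.append(f"statement {i}: non-EC2 action {action}")
    return problems


def in_window(policy, when):
    """True if the aware datetime `when` satisfies the first statement's time
    condition.  The comparison happens in UTC, which is where time zones bite."""
    cond = policy["Statement"][0]["Condition"]
    start = datetime.strptime(cond["DateGreaterThan"]["aws:CurrentTime"], TIME_FMT).replace(tzinfo=timezone.utc)
    end = datetime.strptime(cond["DateLessThan"]["aws:CurrentTime"], TIME_FMT).replace(tzinfo=timezone.utc)
    return start < when.astimezone(timezone.utc) < end


def demo():
    """Worked result for the page's test day (2011-10-20), returned for checking."""
    test_day = date(2011, 10, 20)
    policy = build_policy(test_day)
    cond = policy["Statement"][0]["Condition"]
    pdt = timezone(timedelta(hours=-7))  # constructed example zone: US Pacific daylight time
    return {
        "start": cond["DateGreaterThan"]["aws:CurrentTime"],
        "end": cond["DateLessThan"]["aws:CurrentTime"],
        "problems": validate_policy(policy),
        "noon_utc_ok": in_window(policy, datetime(2011, 10, 20, 12, 0, tzinfo=timezone.utc)),
        # 20:00 on the test day in UTC-7 is 03:00Z on the 21st: already outside the window.
        "evening_pdt_ok": in_window(policy, datetime(2011, 10, 20, 20, 0, tzinfo=pdt)),
        "valid_json": json.loads(policy_json(test_day)) == policy,
    }


if __name__ == "__main__":
    print(policy_json(date(2011, 10, 20)))
    print(demo())
```

If testers are spread across time zones, widen the margin (or pick bounds that cover the earliest and latest local working hours) rather than relying on the day boundaries in UTC.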

Then write the policy to a file and add it to the group:

$ euare-groupuploadpolicy -g test-day-20111020 -p f16-on-ec2-20111020 -f policy.json

Create Test Day Users

Next, create the users that people will use for testing. Store their credentials in a directory so you can hand them out to people individually during the test day. (Or beforehand, since the policy is time-limited.)

$ mkdir -p credentials-20111020
$ euare-usercreate -g test-day-20111020 -k -u tester01 > credentials-20111020/tester01

If you want test day users to be able to use the online web console to manage their instances, create login profiles for them as well:

$ euare-useraddloginprofile -u tester01 -p SeekritPassword

Repeat this for each user.

When sending this information to sponsored people, include the access key ID and secret access key found in the file credentials-20111020/testerN. If you also created login profiles for them, also send the appropriate user name (e.g. tester01) and password. They will be able to log into the AWS Console by going to https://your_AWS_Account_ID.signin.aws.amazon.com/console/. If you created an account alias, you can use that alias in place of the numeric account ID.

Test Day Cleanup

After the test day is over you can delete all of the users and the group you created for it:

$ euare-userdel -r -u tester01
$ euare-userdel -r -u tester02
...
$ euare-groupdel -r -g test-day-20111020

Also be sure to terminate any leftover instances and delete any leftover keypairs.

User Instructions

This tutorial does not require euca2ools 2
While the instructions for the sponsor in this tutorial require an un-released version of euca2ools, the instructions for sponsored users do not. Either a euca2ools 2 pre-release or euca2ools 1.3.1 from the Fedora or EPEL repositories will work.

Get Your Sponsored User Details

When you use a sponsored user for an EC2 test day the sponsor will send you an access key ID and a secret access key that the euca2ools command line suite will use to access EC2 during the test day. To test Fedora EC2 images, follow along with the Getting Started with Fedora on EC2 section of the EC2 Primer, using the credentials you received in place of those that the guide asks you to fetch from Amazon's website. With these credentials you do not need to create your own AWS account.

Please be sure to clean up when you finish by deleting any keypairs you created and terminating any instances you started. EC2's access controls are not yet fine enough to prevent you from terminating other people's instances, so please be careful when doing so.

Using the AWS Console

If the sponsor also sent you a username and password, you can use those to log into the AWS Console on the web instead of using command line tools. Ask your sponsor for the web address to which you should go to log in.