
Access to AWS

We use AWS IAM Identity Center (formerly AWS Single Sign-On) to manage access to our AWS accounts. This guide will help you set up both browser-based and command-line access to AWS.

Things to consider

Recommended practice

Strive to use the role with the least privileges needed for the task at hand. If you just need to browse the AWS Console, as an example, a read-only role is likely sufficient. This helps prevent accidental changes and follows the principle of least privilege.

Before you begin

Make sure that you have ok and the AWS CLI installed, and that your Microsoft account has been granted access to one or more AWS accounts. Contact Team Kjøremiljø if you need help with any of this.

Step 1: Verify browser-based access

The AWS web interface ("AWS Console") can be accessed by following the steps below:

  1. Visit https://osloorigo.awsapps.com/start
  2. Sign in using your Microsoft account
  3. Verify that you have access to one or more AWS accounts

Step 2: Configure command-line access

The AWS CLI reads its settings from profiles in the $HOME/.aws/config file. Each profile tells the CLI which AWS account and role to use, and includes settings like your default region and how to authenticate.

AWS CLI Profile

A profile is a named set of settings that tells the AWS CLI how to access AWS resources. You can have multiple profiles on your computer, each representing access to a different AWS account or role. For example, you might have one profile for admin access to your development account, and another for read-only access to production.

While you can manually define these profiles, it can become tedious and error-prone, especially when you have access to multiple AWS accounts and roles. To help with this, we provide a command in ok that automatically generates properly formatted profiles with consistent naming for all accounts and roles you have access to:

  1. Install the AWS CLI if you haven't already.
  2. Generate the AWS CLI configuration by running the following command. Your default web browser will open automatically and ask you to authorise access as part of the process:

    ok aws generate \
      --sso-start-url "https://osloorigo.awsapps.com/start" \
      --sso-region "eu-west-1" \
      --template 'ok-{{.AccountName}}-{{if eq .RoleName "AWSAdministratorAccess"}}admin{{else if eq .RoleName "OrigoReadOnlyAccess"}}read{{else}}{{.RoleName}}{{end}}'

  3. Copy the content between the two --- markers in the command output into your $HOME/.aws/config file. Create the file if it doesn't already exist.
  4. Run aws --profile "<profile-name>" sts get-caller-identity to check that everything works as expected, replacing <profile-name> with one of the profiles in your AWS CLI configuration file.

After this setup, you'll have a profile for each combination of AWS account and role you have access to. You can then use these profiles with the AWS CLI by setting the AWS_PROFILE environment variable or using the --profile flag. We share some shell snippets below to make it easier to work with AWS CLI profiles.
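To show what the naming template in the command above actually produces, here is an added Go example (not ok's own code) that evaluates that template for a few constructed sample accounts and writes the result into the sso-session/profile layout the AWS CLI v2 uses. The section layout is assumed from the AWS CLI's SSO configuration format; ok's real output may differ in details.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Access is one account/role combination granted in IAM Identity Center.
type Access struct{ AccountName, AccountID, RoleName string }
// ProfileTemplate is the --template argument from the ok aws generate command above.
// It is Go text/template syntax, so we can evaluate it with the standard library.
const ProfileTemplate = `ok-{{.AccountName}}-{{if eq .RoleName "AWSAdministratorAccess"}}admin{{else if eq .RoleName "OrigoReadOnlyAccess"}}read{{else}}{{.RoleName}}{{end}}`

var profileTmpl = template.Must(template.New("profile").Parse(ProfileTemplate))
// ProfileName renders the profile name for one access entry.
func ProfileName(a Access) (string, error) {
	var b strings.Builder
	err := profileTmpl.Execute(&b, a)
	return b.String(), err
}

// RenderConfig emits one shared [sso-session] section plus a [profile] per access entry,
// in the AWS CLI v2 SSO config layout (assumed here; ok's exact output may differ).
func RenderConfig(startURL, ssoRegion string, accesses []Access) (string, error) {
	var b strings.Builder
	fmt.Fprintf(&b, "[sso-session ok]\nsso_start_url = %s\nsso_region = %s\nsso_registration_scopes = sso:account:access\n", startURL, ssoRegion)
	for _, a := range accesses {
		name, err := ProfileName(a)
		if err != nil {
			return "", err
		}
		fmt.Fprintf(&b, "\n[profile %s]\nsso_session = ok\nsso_account_id = %s\nsso_role_name = %s\nregion = %s\n", name, a.AccountID, a.RoleName, ssoRegion)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample data (fake account IDs); the real list comes from IAM Identity Center.
	accesses := []Access{
		{"dev", "111111111111", "AWSAdministratorAccess"},
		{"prod", "222222222222", "OrigoReadOnlyAccess"},
		{"prod", "222222222222", "CustomDeployRole"},
	}
	out, err := RenderConfig("https://osloorigo.awsapps.com/start", "eu-west-1", accesses)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Roles that the template does not map explicitly keep their raw role name, so an unexpected role is visible in the profile name rather than silently aliased to admin or read.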

Step 3: Improve the command-line experience (optional)

We recommend adding these small functions to your $HOME/.bashrc or $HOME/.zshrc to improve the command-line experience:

  1. Add a shell function to your shell configuration file that makes it easy to switch between AWS CLI profiles:

    # Requires fzf (https://github.com/junegunn/fzf) for the interactive profile picker.
    function sso() {
      local profile
      profile="$(aws configure list-profiles | fzf)"
      # Abort if the picker was cancelled, so AWS_PROFILE is not left empty.
      [ -n "$profile" ] || return 1
      export AWS_PROFILE="$profile"
      aws sso login
    }

  2. Add a snippet to your shell configuration file that gives you a nice-looking prompt showing the active AWS profile (if any):

    # Show the active AWS profile in the prompt so you always know which account and role you are acting in.
    if [ "$ZSH_NAME" != "" ]; then
      setopt PROMPT_SUBST
      PROMPT='🚀 %B%F{%(?.blue.red)}%1~%f%b${AWS_PROFILE:+" (🔓 $AWS_PROFILE)"}%F{default} '
    elif [ "$BASH" != "" ]; then
      PS1='\[\033[01;34m\]🚀 \W\[\033[00m\]${AWS_PROFILE:+\[\033[33m\] (🔓 $AWS_PROFILE)\[\033[00m\]} '
    fi


If you have questions about or issues with any of this, please reach out in the #origo-kjøremiljø-support Slack channel and we'll help you out!