Amazon Web Services Access
Contact Information
- Owner: Fedora Infrastructure Team
- Contact: #fedora-admin
- Persons: nirik, pfrields
- Location: ?
- Servers: N/A
- Purpose: Provide AWS resource access to contributors via FAS group membership.
Overview
Amazon provides us with a community account. They pick up the tab for it, which is AWSome! Thank you Amazon!
This account is currently used by: Fedora Infra, CentOS, Fedora-CI, openQA, logdetective, CoreOS, Cloud, ABRT and some more. Since our account is a subaccount of the Amazon community account, we cannot use AWS Organizations features such as tagging policies and SCPs to provide segregation.
For user access, each of these groups has an AWS Role (assigned by membership in a FAS group), with an attached IAM policy. The policy restricts access to only the AWS services needed and to resources tagged with each group’s FedoraGroup tag.
Ipsilon stores the relationship between IAM Roles and FAS groups.
Accessing the AWS Console
To access the AWS Console via Ipsilon authentication, use this SAML link.
You must be in the aws-iam FAS group (or another group with access) to perform this action.
Adding a role to AWS IAM
Sign into AWS via the URL above, and visit Identity and Access Management (IAM) in the Security, Identity and Compliance tools.
Choose Roles to view current roles. Confirm there is not already a role matching the one you need. If not, create a new role as follows:
- Select Create role.
- Select SAML 2.0 federation.
- Choose the SAML provider id.fedoraproject.org, which should already be populated as a choice from previous use.
- Select the attribute SAML:aud. For value, enter https://signin.aws.amazon.com/saml. Do not add a condition. Proceed to the next step.
- Assign the appropriate policies from the pre-existing IAM policies. It’s unlikely you’ll have to create your own, which is outside the scope of this SOP. Then proceed to the next step.
- Set the role name and description. It is recommended you use the same role name as the FAS group for clarity. Fill in a longer description to clarify the purpose of the role. Then choose Create role.
Note or copy the Role ARN (Amazon Resource Name) for the new role. You’ll need this in the mapping below.
Adding a group to FAS
When finished, log in to IPA and create a group to correspond to the new role. Use the prefix aws- to denote new AWS roles in FAS. This makes them easier to locate in a search.
Add the relevant sponsors as appropriate to the group. If the group allows a high level of access it should be monitored to ensure it is not being misused.
Adding an IAM role mapping in Ipsilon
Clone the git repo available here: https://pagure.io/fedora-infra/ipsilon-fedora
Edit the file ipsilon/info/infofas.py and add the new role mapping, following the examples below:
aws_groups = {
    'aws-master': 'arn:aws:iam::125523088429:role/aws-master',
    'aws-iam': 'arn:aws:iam::125523088429:role/aws-iam',
    'aws-billing': 'arn:aws:iam::125523088429:role/aws-billing',
    'aws-atomic': 'arn:aws:iam::125523088429:role/aws-atomic',
    'aws-s3-readonly': 'arn:aws:iam::125523088429:role/aws-s3-readonly'
}
Add your mapping to the dictionary as shown. Create a pull request against the ipsilon-fedora repo. When this is merged, run the ipsilon playbook to take in the new changes.
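As an added illustration (not Ipsilon's own code), the following shows what the aws_groups table is for: AWS reads each value of the SAML Role attribute as "role ARN,SAML provider ARN", and a user's FAS groups select which role ARNs are offered. It also includes a small pre-merge check for a pull request that edits the dictionary. The SAML provider ARN is an assumption built from the account id and provider name in this SOP.

```python
# Added example, not from ipsilon-fedora. Maps FAS group membership to the
# SAML Role attribute values AWS expects, and sanity-checks the mapping table.
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
ACCOUNT_ROLE_PREFIX = "arn:aws:iam::125523088429:role/"
# Assumed provider ARN: built from the account id and the provider name
# id.fedoraproject.org used in this SOP; verify against the real IAM provider.
SAML_PROVIDER_ARN = "arn:aws:iam::125523088429:saml-provider/id.fedoraproject.org"

aws_groups = {
    'aws-master': 'arn:aws:iam::125523088429:role/aws-master',
    'aws-iam': 'arn:aws:iam::125523088429:role/aws-iam',
    'aws-billing': 'arn:aws:iam::125523088429:role/aws-billing',
    'aws-atomic': 'arn:aws:iam::125523088429:role/aws-atomic',
    'aws-s3-readonly': 'arn:aws:iam::125523088429:role/aws-s3-readonly',
}


def role_attribute_values(user_groups, mapping=aws_groups,
                          provider_arn=SAML_PROVIDER_ARN):
    """Return the SAML Role attribute values for a user: one
    "<role ARN>,<provider ARN>" string per FAS group that has an AWS mapping.
    Groups without a mapping contribute nothing, so a user who is in no
    aws- group gets no role and cannot sign in to the console."""
    member_of = set(user_groups)
    return [f"{arn},{provider_arn}"
            for group, arn in mapping.items() if group in member_of]


def validate_mapping(mapping):
    """Checks worth running before merging a change to aws_groups: the FAS
    group uses the aws- prefix this SOP requires, the value is a role ARN in
    the community account, and the role name matches the FAS group name (the
    SOP's recommendation). Returns a list of human-readable problems."""
    problems = []
    for group, arn in mapping.items():
        if not group.startswith('aws-'):
            problems.append(f"{group}: FAS group must use the aws- prefix")
        if not arn.startswith(ACCOUNT_ROLE_PREFIX):
            problems.append(f"{group}: {arn} is not a role ARN in the community account")
        elif arn.rsplit('/', 1)[1] != group:
            problems.append(f"{group}: role name differs from FAS group name")
    return problems
```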
User accounts
If you only need to use the AWS web interface, a role (and its associated policy) is all you need. If you need CLI access, you will also need an IAM user and an access token. Users should be named the same as the role they are associated with.
Role and User policies
Each Role (and user, if a user is needed for the role) should have the same policy attached to it. Policies are named 'fedora-$rolename-$service', e.g. 'fedora-infra-ec2'. A copy of the policies is available in the ansible repo under files/aws/iam/policies. These are in JSON form.
Policies are set up such that roles/users can do most things with a resource if it’s untagged. If it’s tagged, it MUST be tagged with their group: FedoraGroup / $groupname. If it’s tagged with another group name, they cannot do anything with or to that resource (aside from seeing that it exists).
If there’s a permission you need, please file a ticket and it will be evaluated.
Users MUST keep tokens private and secure. YOU are responsible for all use of tokens issued to you from Fedora Infrastructure. Report any compromised or possibly public tokens as soon as you are aware.
Users MUST tag resources with their FedoraGroup tag within one day, or the resource may be removed.
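The tag-scoping rule above, together with the one-day tagging deadline, written out as an added example (not Fedora Infrastructure's policy files or tooling). The set of read-only actions and the sample resources are constructed for illustration.

```python
# Added example, not Fedora Infrastructure code. Models the FedoraGroup tag
# rule this SOP describes and flags resources left untagged for over a day.
from datetime import datetime, timedelta, timezone

# Assumed: actions that only reveal that a resource exists.
READ_ONLY_ACTIONS = {'ec2:DescribeInstances', 'ec2:DescribeTags'}


def is_allowed(action, actor_group, resource_tags):
    """Decision the SOP describes: untagged resources are usable by anyone
    with the service permission; resources tagged FedoraGroup=<own group>
    are usable; resources tagged with another group are visible but
    otherwise off limits."""
    if action in READ_ONLY_ACTIONS:
        return True
    owner = resource_tags.get('FedoraGroup')
    return owner is None or owner == actor_group


def untagged_too_long(resources, now, max_age=timedelta(days=1)):
    """Return ids of resources still lacking a FedoraGroup tag after max_age,
    i.e. candidates for removal under this SOP. Each resource is a dict with
    'id', 'tags' (dict) and 'created' (timezone-aware datetime)."""
    return [r['id'] for r in resources
            if 'FedoraGroup' not in r['tags'] and now - r['created'] > max_age]


# Constructed sample inventory, as a Describe* call might return it.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {'id': 'i-0aaa', 'tags': {'FedoraGroup': 'infra'},
     'created': NOW - timedelta(days=30)},
    {'id': 'i-0bbb', 'tags': {}, 'created': NOW - timedelta(hours=2)},
    {'id': 'i-0ccc', 'tags': {'Name': 'scratch'},
     'created': NOW - timedelta(days=3)},
]

if __name__ == '__main__':
    print("overdue for tagging:", untagged_too_long(SAMPLE, NOW))
```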
EC2
Users/roles with EC2 permissions should always tag their instances with their FedoraGroup as soon as possible. Untagged resources can be terminated at any time.
Regions
Users/groups are encouraged to use regions 'near' them or wherever makes the most sense. If you are trying to create EC2 instances, you will need infrastructure to create a VPC in the region with network, etc. File a ticket for such requests.
Other Notes
AWS resource access that is not read-only should be treated with care. In some cases, Amazon or other entities may absorb AWS costs, so changes in usage can cause issues if not controlled or monitored. If you have doubts about access, consult the Fedora Project Leader or Fedora Engineering Manager.