@@ -34,14 +34,57 @@ Note that the nix version must be at least `2.17` and `fetch-closure`,
3434
3535## AWS
3636
37- Create an AWS user with your name and ` AdministratorAccess ` policy in the
38- cardano-playground organization, then store your access key in
39- ` ~/.aws/credentials ` under the profile name ` cardano-playground ` :
37+ From the parent AWS org, create an IAM identity center user with your name and
38+ ` AdministratorAccess ` to the AWS account of the ` cardano-playground ` deployment, then store
39+ the config in ` ~/.aws/config ` under the profile name ` cardano-playground ` :
40+
41+ [sso-session $PARENT_ORG_NAME]
42+ sso_start_url = https://$IAM_CENTER_URL_ID.awsapps.com/start
43+ sso_region = $REGION
44+ sso_registration_scopes = sso:account:access
45+
46+ [profile cardano-playground]
47+ sso_session = $PARENT_ORG_NAME
48+ sso_account_id = $REPO_ARN_ORG_ID
49+ sso_role_name = AdministratorAccess
50+ region = $REGION
51+
52+ The ` $PARENT_ORG_NAME ` can be set to what you prefer, ex: ` ioe ` . The
53+ ` $IAM_CENTER_URL_ID ` and ` $REGION ` will be provided when creating your IAM
54+ identity center user and the ` $REPO_ARN_ORG_ID ` will be obtained in AWS as
55+ the ` cardano-playground ` org ARN account number.
56+
57+ If your AWS setup uses a flat or single org structure, then adjust IAM identity
58+ center account access and the above config to reflect this. The above config
59+ can also be generated from the devshell using:
60+
61+ aws configure sso
62+
63+ When adding additional profiles the ` aws configure sso ` command may create
64+ duplicate sso-session blocks or cause other issues, so manually adding new
65+ profiles is preferred. Before accessing or using ` $REPO ` org resources, you
66+ will need to start an sso session which can be done by:
67+
68+ just aws-sso-login
69+
70+ While the identity center approach above gives session based access, it also
71+ requires periodic manual session refreshes which are more difficult to
72+ accomplish on a headless system or shared deployer. For those use cases, IAM
73+ of the ` cardano-playground ` organization can be used to create an AWS user with
74+ your name and ` AdministratorAccess ` policy. With this approach, create an
75+ access key set for your IAM user and store them in ` ~/.aws/credentials ` under
76+ the profile name ` cardano-playground ` :
4077
4178 [cardano-playground]
4279 aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
4380 aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
4481
82+ No session initiation will be required and AWS resources in the org can be used
83+ immediately.
84+
85+ In the case that a profile exists in both ` ~/.aws/config ` and
86+ ` ~/.aws/credentials ` , the ` ~/.aws/config ` sso definition will take precedence.
87+
4588## AGE Admin
4689
4790While cluster secrets shared by all machines are generally handled using AWS
@@ -116,6 +159,13 @@ With that you can then get started with:
116159 # Find many other operations recipes to use
117160 just --list
118161
162+ Behind the scenes ssh is using AWS SSM and no open port 22 is required. In
163+ fact, the default template for a cardano-parts repo does not open port 22 for
164+ ingress on security groups.
165+
166+ For special use cases which still utilize port 22 ingress for ssh, ipv4 or ipv6
167+ ssh_config can be used by appending ` .ipv4 ` or ` .ipv6 ` to the target hostname.
168+
119169## Colmena
120170
121171To deploy changes on an OS level, we use the excellent
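Review bot: the sentence "ipv4 or ipv6 ssh_config can be used by appending `.ipv4` or `.ipv6` to the target hostname" does not say what is actually being selected; it should state that these suffixed hostnames are separate `ssh_config` entries that connect directly over IP instead of through SSM, and therefore only work when the security group does allow port 22 ingress from the client address. It would also help to name the prerequisites for the default path described two lines earlier ("ssh is using AWS SSM and no open port 22 is required"): the instance has to be running the SSM agent with an instance profile that permits Session Manager, and the caller's AWS profile from the AWS section needs permission to start a session; otherwise `just --list` recipes that rely on ssh fail with no obvious relation to the missing port 22 rule.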