User Management in AWS

To work with govuk-aws and govuk-aws-data, you will require an account in AWS.

GDS central users account

GDS maintains a central account for AWS access. Please see the guidance for further information.

Once you have access to your account, set up an MFA device and create access keys for yourself. Both are needed below: the MFA device is required to assume roles into the GOV.UK accounts, and the access keys are what the CLI uses to call the central account.

Make a note of the ARN of the “Assigned MFA device”. The format will be:

arn:aws:iam::<account-id>:mfa/firstname.lastname@digital.cabinet-office.gov.uk

Switching roles to GOV.UK accounts

Add your ARN to GOV.UK account role

Find your “User ARN”. This is located under your users profile within IAM in the central account.

The format will be:

arn:aws:iam::<account-id>:user/firstname.lastname@digital.cabinet-office.gov.uk

You will need someone who already has access to the account you wish to get access to.

They will need to:

When this has been deployed, you should also gain access to edit this data.

Switch role

To switch role to a GOV.UK account, you can either do this through the console or command line.

See details for GOV.UK accounts.

Console

To switch to the role using the console, see guidance published by Amazon.

CLI

There are two methods to assume roles using the CLI.

Both methods require the following:

  • Role ARN: the ARN of the role you have been given in the GOV.UK specific account, e.g. govuk-administrators, govuk-powerusers or govuk-users. It has the form arn:aws:iam::<account-id>:role/<role-name>, where <account-id> is the GOV.UK account, not the central one.
  • MFA ARN: the ARN of the MFA device assigned to your user in your own (central) account, as noted above.

Both methods give you a session that is valid for up to eight hours. Once the eight hours have elapsed, you will need to rerun the assume-role command (or, for the on-disk profile, enter a fresh MFA token when prompted). If you want to switch between environments, you will need to re-authenticate with MFA, because each environment is a separate role in a separate account and the temporary credentials for one are not valid for another.

Storing credentials on disk

Create ~/.aws/config:

[profile govuk-<environment>]
role_arn = <Role ARN>
mfa_serial = <MFA ARN>
source_profile = gds
region = eu-west-1

[profile gds]
mfa_serial = <MFA ARN>
region = eu-west-1

Create ~/.aws/credentials:

[gds]
aws_access_key_id = <access key id>
aws_secret_access_key = <secret access key>

You can get the key ID and secret by following the instructions for IAM based access keys here

To test the configuration, use awscli.

aws --profile govuk-<environment> s3 ls

You should be prompted for an MFA token. If the role assumption succeeds, you should see a listing of the S3 buckets in that account. An "AccessDenied" or "MultiFactorAuthentication failed" error usually means the Role ARN or MFA ARN in ~/.aws/config is wrong, or that your user has not yet been added to the role's trust policy.

Exporting credentials to environment

Ensure awscli is installed. Ensure you have your MFA token ready, and run:

aws sts assume-role \
  --role-session-name "$(whoami)-$(date +%d-%m-%y_%H-%M)" \
  --role-arn <Role ARN> \
  --serial-number <MFA ARN> \
  --duration-seconds 28800 \
  --token-code <MFA token>

If successful, this will output a JSON document containing an AccessKeyId, SecretAccessKey, SessionToken and Expiration. Store the first three in your environment using the following environment variables, and refresh them when they expire after eight hours with another aws sts assume-role command. Note that --duration-seconds 28800 only works when the role's maximum session duration has been set to at least eight hours and you are calling with your IAM user's long-term access keys; if you call assume-role using temporary credentials (for example from an already-assumed role), AWS limits the session to one hour and the command will fail with a duration error.

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
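Copying the three values out of the JSON by hand is error-prone, so the following wrapper is added here as an example (it is not part of govuk-aws or the GDS guidance). It runs the same aws sts assume-role command as above but uses --query and --output text to pull out just the credentials, then prints export statements you can eval into your shell. The function names and the sample credential line used to illustrate it are invented for this example; the aws CLI flags are real.

```shell
#!/bin/sh
# Added example: assume a GOV.UK role with MFA and export the temporary
# credentials. Source this file, then run:
#   eval "$(assume_govuk_role <Role ARN> <MFA ARN> <MFA token>)"
set -eu

# Convert one line of `--output text` (AccessKeyId, SecretAccessKey,
# SessionToken, Expiration separated by whitespace) into export statements.
# Returns 1 if fewer than three fields are present, so a failed call never
# half-populates the environment.
format_exports() {
  # shellcheck disable=SC2086  # word splitting on tabs/spaces is intended
  set -- $1
  [ "$#" -ge 3 ] || return 1
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
  # Expiration is informational: note it so you know when to re-run.
  printf '# session expires at %s\n' "${4:-unknown}"
}

# Call STS with the role ARN, the MFA device ARN and the current TOTP code.
# The session name records who assumed the role and when, which is what
# shows up in CloudTrail for the target account.
assume_govuk_role() {
  role_arn="$1"
  mfa_arn="$2"
  token_code="$3"
  creds="$(aws sts assume-role \
    --role-session-name "$(whoami)-$(date +%d-%m-%y_%H-%M)" \
    --role-arn "$role_arn" \
    --serial-number "$mfa_arn" \
    --duration-seconds 28800 \
    --token-code "$token_code" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text)"
  format_exports "$creds"
}
```

Because the credentials are printed rather than written to disk, they live only in the shell session that evaluates them; open a new terminal and you have to assume the role again. If you keep the on-disk profile from the previous section as well, remember that AWS_ACCESS_KEY_ID and friends take precedence over --profile, so unset them before switching environments.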
This page was last reviewed . It needs to be reviewed again by the page owner #2ndline.