User Management in AWS
GDS central users account
GDS maintains a central account for AWS access. You will need to request an account from the Technology and Operations team. To sign in, go to the gds-users account page, and use the following credentials:
- Account ID or alias: “gds-users”
- Username: your Cabinet Office email address
- Password: your password
Make a note of the ARN of the “Assigned MFA device”. The format will be:
Switching roles to GOV.UK accounts
Add your ARN to GOV.UK account role
Find your “User ARN”. This is located under your users profile within IAM in the central account.
The format will be:
You will need someone who already has access to the account you wish to get access to.
They will need to:
- Add you to the list of users found in the data for the infra-security project.
- Deploy the
When this has been deployed, you should also gain access to edit this data.
To switch role to a GOV.UK account, you can either do this through the console or command line.
To switch to the role using the console, see guidance published by Amazon.
There are two methods to assume roles using the CLI.
Both methods require the following:
- Role ARN: this is the ARN of the role that you are using for the GOV.UK specific account, eg
- MFA ARN: this is the ARN assigned to the MFA device in your own account
Both methods will allow a valid session up to eight hours. Once the hour has
elapsed, you will need to rerun the
assume-role command. If you want to switch
between environments, you will need to re-authenticate with MFA.
Storing credentials on disk
[profile govuk-<environment>] role_arn = <Role ARN> mfa_serial = <MFA ARN> source_profile = gds region = eu-west-1 [profile gds] mfa_serial = <MFA ARN> region = eu-west-1
[gds] aws_access_key_id = <access key id> aws_secret_access_key = <secret access key>
You can get the key ID and secret by following the instructions for IAM based access keys here
To test the configuration, use
aws --profile govuk-<environment> s3 ls
You should be prompted for an MFA token. If successful, you should receive some output.
Exporting credentials to environment
awscli is installed. Ensure you have your
MFA token ready, and run:
aws sts assume-role \ --role-session-name "$(whoami)-$(date +%d-%m-%y_%H-%M)" \ --role-arn <Role ARN> \ --serial-number <MFA ARN> \ --duration-seconds 28800 \ --token-code <MFA token>
If successful, this will output some credentials. Store them in your environment using
the following environment variables. Refresh them when they expire after eight
hours with another
aws sts assume-role command.
AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN