This is a collection of scripts for Linaro AWS administrators.


Dependencies
------------

You need the boto Python module (Ubuntu python-boto package) to use these
scripts.

    apt-get install python-boto


Setting up a credentials file
-----------------------------

Create a private text file containing the AWS credentials of your account.  You
should have received them from a Linaro AWS administrator; if you control the
AWS account yourself, you can also get them from the AWS account information
page in the web UI.

The text file should not be world readable and should contain:

    AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
    AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY

This README will assume that your file is saved under:

    ~/private/linaro-aws-creds


Linaro AWS administrators and EC2@linaro.org account
----------------------------------------------------

Linaro AWS administrators have a regular IAM account which is in the "admins"
IAM group which grants them super-powers: this group has an IAM policy allowing
any action on any resource.

To bootstrap the admins group or to recover from accidental breakage, you might
have to use the AWS credentials of the EC2@linaro.org account; you may get
these from the AWS account information page if you have the password associated
with this account, or from another Linaro AWS administrator.

These are just regular credentials, but make sure you use your own account for
day-to-day use.


Checking our AWS resources
--------------------------

This verifies that the resources that we expect to be present are indeed
present and checks that no unknown or unused resource has been forgotten:

    ./check-running-resources


TODO: actually implement the add_dev script described below; requires a newer
boto


Adding a developer
------------------

This creates an IAM user account named foo in the IAM "devs" group and
associates an IAM user policy named foo-policy.  The IAM devs group grants its
members the right to issue any EC2 action on any resource and the IAM user
policy grants this user the rights to manipulate his or her own IAM signing
certificates.

    ./add-dev foo

This outputs AWS credentials which should be communicated to the developer via
a secure channel, for instance via the private Linaro IRC server, which is
SSL-protected, or via a GPG-encrypted email.
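The credentials file above and the add-dev flow, as an added example (not the Linaro scripts themselves): it refuses a credentials file that is group- or world-accessible (stricter than the "not world readable" wording above), parses the AWSAccessKeyId/AWSSecretKey lines, builds a foo-policy limited to the four signing-certificate IAM actions on that user's own ARN, and wraps the boto 2 calls in one function.  The account id, the choice of actions and the layout of boto's create_access_key result are assumptions.

```python
"""add-dev style helper: added example, not the Linaro scripts themselves.
Pure parts (file-mode check, credentials parsing, policy document) run
offline; the boto 2 IAM calls are isolated in add_dev()."""
import json, os, stat

DEVS_GROUP = "devs"           # IAM group named in the README
ACCOUNT_ID = "123456789012"   # placeholder account id (assumption), not Linaro's

def check_private(mode):
    """True if st_mode grants no permissions to group or others (0600-like)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def parse_creds(text):
    """Parse AWSAccessKeyId=... / AWSSecretKey=... lines into a dict."""
    creds = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            creds[key.strip()] = value.strip()
    missing = {"AWSAccessKeyId", "AWSSecretKey"} - set(creds)
    if missing:
        raise ValueError("credentials file lacks: " + ", ".join(sorted(missing)))
    return creds

def load_creds(path=os.path.expanduser("~/private/linaro-aws-creds")):
    """Read the file only if its mode keeps it private to the owner."""
    if not check_private(os.stat(path).st_mode):
        raise RuntimeError("%s is group/world accessible; chmod 600 it" % path)
    with open(path) as f:
        return parse_creds(f.read())

def user_policy(username, account_id=ACCOUNT_ID):
    """IAM policy: manage signing certificates on this one user, nothing else."""
    return {"Statement": [{
        "Effect": "Allow",
        "Action": ["iam:UploadSigningCertificate", "iam:ListSigningCertificates",
                   "iam:UpdateSigningCertificate", "iam:DeleteSigningCertificate"],
        "Resource": "arn:aws:iam::%s:user/%s" % (account_id, username)}]}

def add_dev(username, creds):
    """Create the user in 'devs', attach <user>-policy, return the new key pair."""
    import boto  # boto 2 (python-boto); imported here so the rest works without it
    iam = boto.connect_iam(aws_access_key_id=creds["AWSAccessKeyId"],
                           aws_secret_access_key=creds["AWSSecretKey"])
    iam.create_user(username)
    iam.add_user_to_group(DEVS_GROUP, username)
    iam.put_user_policy(username, username + "-policy", json.dumps(user_policy(username)))
    key = iam.create_access_key(username)["create_access_key_response"][
        "create_access_key_result"]["access_key"]  # assumed boto 2 result layout
    return key["access_key_id"], key["secret_access_key"]
```

Hand the returned key pair to the developer over the secure channel described above; nothing in this helper prints or stores it.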

XXX Currently, any IAM user can issue EC2 actions on resources created by other
    IAM users.  Ideally, IAM would provide a way to express policies relative
    to the IAM user creating the resource.