This is a collection of scripts for Linaro AWS administrators.

Dependencies
------------

You need the boto Python module (Ubuntu python-boto package) to use these
scripts.

    apt-get install python-boto

Setting up a credentials file
-----------------------------

Create a private text file with the AWS credentials of your account. You
should have received them from a Linaro AWS administrator, or you can get them
from the AWS account information page (the web UI) if you control the AWS
account.

The text file should not be world readable and should contain:

    AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
    AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY

This README will assume that your file is saved under:

    ~/private/linaro-aws-creds

Linaro AWS administrators and EC2@linaro.org account
----------------------------------------------------

Linaro AWS administrators have a regular IAM account which is in the "admins"
IAM group, which grants them super-powers: this group has an IAM policy
allowing any action on any resource.

To bootstrap the admins group or to recover from accidental breakage, you
might have to use the AWS credentials of the EC2@linaro.org account; you may
get these from the AWS account information page if you have the password
associated with this account, or from another Linaro AWS administrator. These
are just regular credentials, but make sure you use your own account for
day-to-day use.

Checking our AWS resources
--------------------------

This verifies that the resources we expect to be present are indeed present,
and checks that no unknown or unused resource has been forgotten:

    ./check-running-resources

TODO: actually implement the add-dev script described below; requires a newer
boto

Adding a developer
------------------

This creates an IAM user account named foo in the IAM "devs" group and
associates an IAM user policy named foo-policy. The IAM devs group grants its
members the right to issue any EC2 action on any resource, and the IAM user
policy grants this user the right to manipulate his or her own IAM signing
certificates.

    ./add-dev foo

This outputs AWS credentials which should be communicated to the developer via
a secure channel, for instance via the private Linaro IRC server, which is
SSL-protected, or via a GPG-encrypted email.

XXX Currently, any IAM user can issue EC2 actions on resources created by
other IAM users. Ideally, IAM would provide a way to express policies relative
to the IAM user creating the resource.
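
The credentials file from "Setting up a credentials file" can be loaded with the check below. This is an added example, not part of the Linaro scripts: it enforces the "not world readable" rule (and, more strictly than this README asks, rejects group access too) before parsing the two keys. The names load_aws_creds and CredentialsError are hypothetical.

```python
import os
import stat
import tempfile

REQUIRED_KEYS = ("AWSAccessKeyId", "AWSSecretKey")


class CredentialsError(Exception):
    """The credentials file is unsafe to use or malformed."""


def load_aws_creds(path):
    """Return (access_key_id, secret_key), or raise CredentialsError."""
    # Open first, then fstat the descriptor, so the permission check and the
    # read apply to the same file (no check-then-open race).
    with open(os.path.expanduser(path)) as handle:
        info = os.fstat(handle.fileno())
        if info.st_uid != os.getuid():
            raise CredentialsError("%s is not owned by the current user" % path)
        if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CredentialsError("%s has mode %o; run: chmod 600 %s"
                                   % (path, stat.S_IMODE(info.st_mode), path))
        values = {}
        for line in handle:
            if not line.strip():
                continue
            # Split on the first "=" only, so the value is kept verbatim.
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise CredentialsError("malformed line, expected KEY=VALUE")
            values[key] = value
    missing = [k for k in REQUIRED_KEYS if not values.get(k)]
    if missing:
        raise CredentialsError("missing: " + ", ".join(missing))
    return values["AWSAccessKeyId"], values["AWSSecretKey"]


if __name__ == "__main__":
    # Constructed sample file using the placeholder values from this README.
    fd, sample = tempfile.mkstemp()  # mkstemp creates the file with mode 0600
    with os.fdopen(fd, "w") as out:
        out.write("AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE\n"
                  "AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY\n")
    print(load_aws_creds(sample)[0])
    os.chmod(sample, 0o644)  # now world readable: must be rejected
    try:
        load_aws_creds(sample)
    except CredentialsError as err:
        print("rejected:", err)
    os.remove(sample)
```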