Skip to main content

Amazon Web Services (AWS)

To connect your Amazon Web Service (AWS) cloud account with your LocalOps account you must create a Connection in LocalOps.

Connection

A connection represents LocalOps's access to the target cloud account. All operations performed by LocalOps on a target cloud account, are done through its corresponding connection.

Pre-requisites

  1. AWS account.

    tip

    We recommend creating a brand new AWS sub-account to connect with LocalOps. This is a best practice to isolate other resources you may have in your existing AWS account. You can connect resources/services from any two AWS accounts via VPC peering when required.

    If you have a pre-existing AWS Organization setup, follow these instructions to create a new AWS sub-account. If not, sign up for a new AWS account here - AWS Signup.

  2. You'll need to have console access to the target AWS cloud account with Administrator acccess. If you are connecting your client/customer's AWS account, the point of contact in your customer's end must have AWS console access with Administrator access.

Create a new connection

To your cloud account:

  1. Sign in to LocalOps.
  2. Click on "Connections" from the navigation pane on the left side.
  3. Click on "Add connection" button to create a new connection.
  4. Give the connection a name and provide other details on the screen.
  5. Choose AWS as "Cloud provider".
  6. In the next screen, click on "Connect AWS account" button.
  7. In the AWS console, click on "Create stack". Please do not change any value in Create stack screen you see inside AWS. Each of the values represent your account and they must not be changed. Once you see the stack creation complete, come back to LocalOps to see the connection becoming Active.

We create a cloudformation stack in the target AWS account to create a new OIDC provider, IAM role and attach it with necessary permissions. Please read further below to know how this works.

To your customer cloud account:

  1. Sign in to LocalOps.
  2. Click on "Connections" from the navigation pane on the left side.
  3. Click on "Add connection" button to create a new connection.
  4. Give the connection a name and provide other details on the screen.
  5. Choose AWS as "Cloud provider".
  6. In the next screen, find the instructions pane and copy the instructions.
  7. Send the instructions to your point of contact at your customer end.
  8. Your point of contact or anyone in your customer's end using the connection link must have AWS console access with Administrator permissions to complete the process. They must be logged into their AWS account before they can click on the link sent in instructions. In the AWS console, please ask them to click on "Create stack" button. Please ask them not to change any value in "Create stack" screen inside AWS. Each of the values represent your account and they must not be changed. Once the stack creation is complete, you can come back to LocalOps connections page to see the connection becoming Active.

We create a cloudformation stack in the target AWS account to create a new OIDC provider, IAM role and attach it with necessary permissions. Please read further below to know how this works.

How does this access work?

LocalOps connects to the target AWS account through a secure key-less role-based method recommended by AWS. This method is secure because there are no long-term access keys generated/used during the access. All access is powered by short term keys generated by AWS and given to LocalOps at the specific time of access, every single time.

For this to work:

  1. A new OIDC provider pointing at LocalOps OIDC server, is created in your AWS account establishing a trust between LocalOps servers and your AWS account.
  2. A new IAM role is also created with specific permissions (see below) to let identities outside your AWS account (in this case, LocalOps server) to assume later and get relevant access.
  3. Whenever LocalOps wants to connect to your AWS account and perform any operation (say a new deployment), LocalOps would assume the above IAM role by using an identity authorised via the OIDC provider and requests short term keys from AWS sessions service. Your AWS account would generate short term access keys and hands them off to LocalOps servers to use. These access keys are configured to expire in roughly 60-mins or less.
  4. Using these keys, LocalOps will access your AWS account to perform any action that you may trigger from LocalOps console.

In the steps outlined in "Create a new connection" section, a cloudformation stack is created. This stack does #1 and #2 above to establish a connection with your AWS account.

Permissions required

LocalOps requires Administrator access in the AWS account you connect. This is automatically setup when you follow the 1-click setup process outlined above.

If you require LocalOps to work with lesser permissions, contact us at [email protected] to discuss your next steps. You may have to manually set up LocalOps in your cloud with a specific set of permissions, although we don't see this as future proof as we would expand our automation capabilities at LocalOps continuously.

tip

We recommend creating a brand new AWS sub-account to connect with LocalOps. This is a best practice to isolate cloud resources you may have in your existing AWS account(s). You can still connect resources/services from any two AWS accounts via VPC peering when required.

If you have a pre-existing AWS Organization setup, follow these instructions to create a new AWS sub-account. If not, sign up for a new AWS account here - AWS Signup.

warning

After connecting the AWS account, please DO NOT

  1. Remove/modify the cloudformation stack. It holds the OIDC provider, IAM policy and IAM role to keep the cloud connection alive.
  2. Remove/modify the IAM role or policy. Again, changes here will break the connection LocalOps has with the target aws account.

Deleting connections

You can sign in to LocalOps and delete a connection any time.

When you delete a connection, we permanently delete all credentials we hold for that specific cloud account. In addition, you can ensure a full disconnect by deleting the CloudFormation stack we created earlier when setting up the connection.

To delete CloudFormation stack in the target AWS account:

  1. Sign in to AWS console
  2. Go to CloudFormation console in us-east-1 region
  3. Select the stack with the name with prefix Ops-.., This is the stack we created earlier.
  4. Delete the stack

This will in turn delete all AWS resources created by the CloudFormation stack. Including IAM role, IAM policy and the OIDC provider.