
Amazon Web Services (AWS)

To connect your Amazon Web Services (AWS) cloud account with your LocalOps account, you must create a Connection in LocalOps.

Connection

A connection is a set of credentials to a specific cloud account. All operations performed by LocalOps on a target cloud account are done through its corresponding connection. Today, Amazon Web Services is supported, so you create a cloud connection by adding an Access key ID and Secret access key.

To create a connection, you'll need the AWS user Access key ID and Secret access key of the AWS account where you plan to create the App Environment. If you haven't generated them yet, follow the instructions below.

Connect AWS with LocalOps

Prerequisites

To follow this tutorial, you will need the following:

  1. AWS account.
    If you do not have an account already, you can create one here - Create AWS account

    tip

    We recommend creating a brand new AWS sub-account to give us permissions to connect to it. This is a best practice to isolate your organization's other resources. You can connect resources/services in two different AWS accounts via VPC peering if/when required.

    If you have a pre-existing AWS Organization setup, follow these instructions to create a new AWS sub-account. If not, sign up for a new AWS account here - AWS Signup.

  2. LocalOps account.
    If you don't have an account already, sign up here.

Steps

  1. Navigate to the IAM console
  2. Create a new IAM policy
  3. Create a new IAM user with the IAM policy
  4. Create security credentials / AWS keys for the new IAM user
  5. Create connection

Detailed instructions for each of the above steps follow.

1. Navigate to the IAM console

  1. Sign in to the AWS account.
    If you do not have an AWS account, you can create one here - Create AWS account
  2. Once logged in, navigate to the IAM (Identity and Access Management) service by typing "IAM" in the search bar at the top and selecting IAM from the search results.

2. Create a new IAM policy

  1. In the IAM console, click on "Policies" from the navigation pane on the left side to access the IAM Policies page.
  2. Click the "Create policy" button located at the top right corner.
  3. In the Policy editor, select the "JSON" tab.
  4. Copy and paste the below policy JSON into the editor.
    IAM policy JSON:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["ec2:*", "eks:*", "acm:*", "s3:*", "autoscaling:*"],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:ListAttachedRolePolicies",
            "iam:ListPolicies",
            "iam:ListRoles",
            "iam:ListRolePolicies",
            "iam:ListPolicyTags",
            "iam:ListPolicyVersions",
            "iam:ListOpenIDConnectProviders",
            "iam:ListOpenIDConnectProviderTags",
            "iam:ListRoleTags",
            "iam:GetPolicy",
            "iam:GetRole",
            "iam:GetPolicyVersion",
            "iam:GetRolePolicy",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:DeleteOpenIDConnectProvider",
            "iam:UpdateAccessKey",
            "iam:UpdateOpenIDConnectProviderThumbprint",
            "iam:UpdateRole",
            "iam:UpdateRoleDescription",
            "iam:AttachRolePolicy",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:DeletePolicy",
            "iam:DeleteRolePolicy",
            "iam:DetachRolePolicy",
            "iam:PutRolePolicy",
            "iam:UpdateAssumeRolePolicy",
            "iam:TagOpenIDConnectProvider",
            "iam:TagPolicy",
            "iam:TagRole",
            "iam:UntagPolicy",
            "iam:UntagRole",
            "iam:GetOpenIDConnectProvider",
            "iam:ListInstanceProfilesForRole",
            "iam:ListInstanceProfiles",
            "iam:ListInstanceProfileTags",
            "iam:ListGroups",
            "iam:ListGroupPolicies",
            "iam:ListAttachedGroupPolicies",
            "iam:GetGroup",
            "iam:GetGroupPolicy",
            "iam:CreateGroup",
            "iam:DeleteGroup",
            "iam:UpdateGroup",
            "iam:AttachGroupPolicy",
            "iam:DeleteGroupPolicy",
            "iam:DetachGroupPolicy",
            "iam:PutGroupPolicy",
            "iam:PassRole",
            "iam:CreateOpenIDConnectProvider",
            "iam:DeletePolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "iam:CreateServiceLinkedRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
            }
          }
        }
      ]
    }

info

Permissions and purpose:

  1. eks:* - To create an AWS-managed EKS cluster in the AWS account.
  2. ec2:* - To create an AWS VPC to host the EKS cluster and to create EC2 resources to attach to the EKS cluster.
  3. autoscaling:* - To set up auto-scaling policies for your workload.
  4. acm:* - To set up auto-renewing, AWS-managed SSL certificates.
  5. s3:* - To set up encrypted S3 buckets to save data backups.
  6. iam:some - To create the roles and policies needed to create, operate and run the EKS cluster, and to attach EC2 nodes or an ALB to the EKS cluster in the AWS account. We don't need permissions to create new users or new credentials within the AWS account.

  5. Click "Next".
  6. Give the policy a suitable name and description.
  7. Click on the "Create policy" button to create a new IAM policy.
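
A quick way to review the policy above before attaching it, as an added example (not LocalOps code): the Python below lists the statements that apply service-wide wildcards or permission-changing IAM actions to every resource without a condition. The embedded policy is an abridged, constructed copy, and the `PERMISSION_GRANTING` shortlist and the function names are this example's own assumptions.

```python
import json

# Abridged copy of the policy above (constructed for this example: the IAM
# action list is cut down to a few representative entries).
POLICY_JSON = """
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow",
   "Action": ["ec2:*", "eks:*", "acm:*", "s3:*", "autoscaling:*"],
   "Resource": "*"},
  {"Effect": "Allow",
   "Action": ["iam:ListRoles", "iam:CreateRole", "iam:AttachRolePolicy",
              "iam:PutRolePolicy", "iam:CreatePolicyVersion", "iam:PassRole"],
   "Resource": "*"},
  {"Effect": "Allow",
   "Action": "iam:CreateServiceLinkedRole",
   "Resource": "*",
   "Condition": {"StringEquals":
     {"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"}}}
 ]}
"""

# IAM actions that change what a role, group or policy may do, or hand a role
# to a service. A reviewer's shortlist for this example, not an AWS category.
PERMISSION_GRANTING = {
    "iam:attachrolepolicy", "iam:putrolepolicy", "iam:attachgrouppolicy",
    "iam:putgrouppolicy", "iam:createpolicyversion",
    "iam:updateassumerolepolicy", "iam:passrole"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def review_policy(policy):
    """Return (statement_index, action, reason) for each finding."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        unscoped = "*" in as_list(stmt.get("Resource", [])) and not stmt.get("Condition")
        if stmt.get("Effect") != "Allow" or not unscoped:
            continue  # Deny statements and scoped/conditioned Allows are skipped
        for action in as_list(stmt.get("Action", [])):
            if action.endswith(":*"):
                findings.append((i, action, "service-wide wildcard on all resources"))
            elif action.lower() in PERMISSION_GRANTING:
                findings.append((i, action, "can grant or pass permissions on all resources"))
    return findings

if __name__ == "__main__":
    for idx, action, reason in review_policy(json.loads(POLICY_JSON)):
        print(f"Statement {idx}: {action}: {reason}")
```

To review the real policy, load the full JSON from step 4 in place of the abridged copy; each finding is a prompt to check the grant against the "Permissions and purpose" list.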

3. Create a new IAM user with the IAM policy

  1. After creating the IAM policy, navigate back to the IAM console and click on "Users" from the navigation pane on the left side to access the IAM Users page.
  2. Click on the "Create user" button located at the top right corner to start creating a new IAM user.
  3. Enter a user name for the new IAM user.
    Leave the "Provide user access to the AWS Management Console" checkbox unchecked. AWS console access is not required.
  4. Click on "Next".
  5. Under the "Permissions options" section, select "Attach policies directly", then search for the policy you just created by name and select it from the list.
  6. Click on the "Next: Review" button.
  7. Review the user details and the attached policies. Click on the "Create user" button to create the IAM user with the specified policy attached.

4. Create security credentials for the new IAM user

  1. After creating the user, select the user from the list on the IAM Users page.
  2. In the "Security credentials" tab, scroll down to the "Access keys" section.
  3. Click on the "Create access key" button.
  4. Once the access key is created, note down the "Access key ID" and "Secret access key". This is the only time you will be able to view the secret access key. Store it securely, as it will not be visible again.

5. Create connection

Once you have the AWS user "Access key ID" and "Secret access key", you are ready to create a connection.

  1. Sign in to LocalOps.
  2. Click on "Connections" from the navigation pane on the left side.
  3. Click the "Add connection" button to create a new connection.
  4. Give the connection a name.
  5. Choose AWS as "Cloud provider".
  6. Paste the "Access key ID" and "Secret access key" that you noted down in the "Create security credentials for the new IAM user" step.
  7. Click "Add connection" to create the connection.

Congratulations! You have successfully connected your AWS cloud account with LocalOps! 🚀