Beginner’s Guide to IAM: IAM, Roles, Policies, Policy Attachments with Terraform

IAM is short for Identity and Access Management.

1. What’s the difference between an IAM user and role?

An IAM user has long-term credentials and interacts with AWS services directly. An IAM role has no long-term credentials of its own and does not access AWS services directly; instead, it is assumed by entities such as users, applications, or services like EC2.

https://aws.amazon.com/iam/faqs/

2. What’s an IAM Policy?

An IAM Policy defines permissions, i.e. what access is allowed. You create a policy and then attach it to an IAM identity or to an AWS resource.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

3. What’s an IAM Role Policy Attachment?

This is a Terraform resource, e.g.

https://www.terraform.io/docs/providers/aws/r/iam_role_policy_attachment.html

It attaches an IAM Policy to an IAM role and typically looks like this:

# Attaches the policy created in aws_iam_policy.policy to the role aws_iam_role.role.
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.policy.arn
}

4. Principal

The Principal element specifies the AWS user, account, or service that is allowed or denied access to a resource.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

5. assume_role_policy is very similar to, but slightly different from, a standard IAM policy

https://www.terraform.io/docs/providers/aws/r/iam_role.html

6. Service Roles are IAM roles that can be assumed by an AWS service

e.g.

Note how there are 2 Services listed. The Service key must be unique, so its value must be a list.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

and a list of Services that work with IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
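Putting sections 3, 5 and 6 together, here is an added Terraform example (not code from the original post or from the Terraform docs) of a service role with a least-privilege policy attached. The assume_role_policy is the role's trust policy: it says who may assume the role (here two services, so the Service identifiers are a list), while the attached policy says what the role may do. The role, policy and bucket names are placeholders I made up, and an AWS provider is assumed to be configured already.

```hcl
# Added example, not from the original post. Assumes an AWS provider is
# configured; all names and the bucket ARN are constructed placeholders.

# Trust policy: which principals may call sts:AssumeRole on this role.
# Two services are listed, so "identifiers" must be a list.
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com", "lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "example-app-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# Permissions policy: what the role may do once assumed. Kept narrow
# (one action, one object prefix) rather than using "*".
data "aws_iam_policy_document" "read_config" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-config-bucket/app/*"]
  }
}

resource "aws_iam_policy" "read_config" {
  name   = "example-app-read-config"
  policy = data.aws_iam_policy_document.read_config.json
}

# The attachment from section 3: binds the permissions policy to the role.
resource "aws_iam_role_policy_attachment" "app_read_config" {
  role       = aws_iam_role.app.name
  policy_arn = aws_iam_policy.read_config.arn
}

# EC2 instances do not assume roles directly; they need an instance profile
# that wraps the role. Lambda takes the role ARN directly in its config.
resource "aws_iam_instance_profile" "app" {
  name = "example-app-profile"
  role = aws_iam_role.app.name
}
```

Run `terraform plan` to see the two policy documents rendered as JSON; the trust document is the one that lands in the role's AssumeRolePolicyDocument, the other becomes a standalone managed policy. Keeping the trust policy and the permissions policy separate is what lets you audit "who can become this role" and "what can this role do" as two independent questions.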


Using Terraform to set up AWS Route 53 Hosted Zones

1. What’s an AWS Route 53 Hosted Zone?

A Hosted Zone is basically a domain, i.e. a single zone file holding all the DNS records for that domain.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/AboutHZWorkingWith.html

See also https://stackoverflow.com/questions/12664671/amazon-route-53-what-do-hosted-zones-and-queries-mean-exactly


2.

https://medium.com/@maxbeatty/using-terraform-to-manage-dns-records-b338f42b50dc
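As an added example (not from the original post or the linked article), here is a minimal Terraform setup for a hosted zone with a record in it. The domain and IP address are placeholders, and an AWS provider is assumed to be configured. It goes slightly beyond the post by including a CAA record, which limits which certificate authorities may issue certificates for the zone.

```hcl
# Added example, not from the original post. "example.com" and the
# address 192.0.2.10 are constructed placeholders.

# The hosted zone itself: one zone file for the domain.
resource "aws_route53_zone" "main" {
  name    = "example.com"
  comment = "Public hosted zone for example.com (constructed example)"
}

# An ordinary A record inside the zone.
resource "aws_route53_record" "www" {
  zone_id = aws_route53_zone.main.zone_id
  name    = "www.example.com"
  type    = "A"
  ttl     = 300
  records = ["192.0.2.10"]
}

# CAA record: only the named CA may issue certificates for this domain,
# and wildcard issuance is disallowed entirely.
resource "aws_route53_record" "caa" {
  zone_id = aws_route53_zone.main.zone_id
  name    = "example.com"
  type    = "CAA"
  ttl     = 300
  records = [
    "0 issue \"amazon.com\"",
    "0 issuewild \";\"",
  ]
}

# Route 53 assigns four name servers to the zone; these must be set at the
# registrar before anything in the zone resolves publicly.
output "name_servers" {
  value = aws_route53_zone.main.name_servers
}
```

After `terraform apply`, copy the name_servers output into the registrar's NS settings; until that delegation is done the zone exists in Route 53 but nobody on the internet is querying it.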

HP Deskjet 2630 printer problems

When a printer says it prints 32 pages per minute I laugh.

My HP Deskjet 2630 currently seems to take around 1 page per hour.

Here’s how I work it out:

  1. switch printer on
  2. plug it in
  3. print a document
  4. try and fix:
    1. printer is offline messages
    2. switch printer back on when it’s switched itself off
    3. check 128 page manual to see if a flashing power button means it’s now switched on or not
    4. feed paper in
    5. remove ‘cos printer is now showing a yellow flashing light and not printing
    6. figure out how to switch printer off and on (pressing the Power button doesn’t do anything. Nor does keeping your finger on it. Finally I pull out the power cord and replace)
    7. fix the paper alignment message which is showing in the Printer dialog box (turns out I just need to switch the printer off and on again)
    8. try and work out why printer dialog box is stuck at Printing page 1, 11% complete
    9. switch printer off and on again
    10. fix the “Printer is in Error” message

I’m now at around 1.5 pages printed.

0.5 ‘cos 1 page errored out half way through.


iTerm2 Tips

1. Mouseless copy

  • Cmd f then
  • tab to select then
  • Cmd c to copy

2. Jump to Session Hotkey

  • Session > Edit Session
  • Under General set a hotkey
  • Now, if you’re in a different tab, or even a different Mac application, you can jump to that session using that Hotkey. I used Cmd i – yet to find any conflicts…

More: https://www.iterm2.com/documentation-highlights.html


Initial impressions of Microsoft Azure

Initial impressions with Azure (having been in AWS)

Weird how, when you’re trying to login via the command line, you have to open a browser window to complete the login.

And when you attempt to do az login -u <username> -p <password> as mentioned here:

https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest

it says

Logging in through command line is not supported. For cross-check, try 'az login' to authenticate through browser.

Azure concepts

Tenant => a user (or, in Microsoft-speak, a representative of an organisation)

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant

Service Principal: accounts not tied to any particular user

You then assign permissions to the Service Principal via roles.

Install

homebrew install is good.

As I use zsh it was odd to see a .bash_completion file being installed. Turns out the CLI has full tab completion for commands under the bash shell.

Login sucks

$ az login

Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"

You have logged in. Now let us find all the subscriptions to which you have access…

No subscriptions were found for 'None'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses

$ az group create --name TutorialResources --location eastus

Please run 'az login' to setup account.

$ az login -u <username> -p <password>

Logging in through command line is not supported. For cross-check, try 'az login' to authenticate through browser.

Why do you have to login via a browser?!!

No subscriptions were found for 'None'

No subscriptions were found for 'None'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses

It’s easy to get bogged down in technical terms and, after a while you switch off. So, this one fooled me. I was thinking it was some technical jargon. No, it means you haven’t entered your credit card.

Even after I’d entered my credit card I still got:

You have not created any subscriptions yet. at https://portal.azure.com/#blade/Microsoft_Azure_Billing/MySubscriptionsBlade

and the Add button was greyed out.

Good old Microsoft. The entire process looks and feels clunky even though it’s a brand new service (newer than AWS). Shades of IBM.

It turned out, even though I had the Free plan, I was still getting the None error. Once upgrading to Pay-As-You-Go I was able to do an az login. Still find the browser login bizarre though.

Spin up a VM

1. create a Resource Group

az group create --name myResourceGroup --location eastus

I really don’t understand why Microsoft have to create a different naming convention to AWS for Regions. (i.e. eastus as opposed to us-east).

2. spin up your VM

And it sucks that Azure has a URL that’s ridiculously long. E.g. the URL for AWS you can almost type by hand:

https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#Instances:sort=instanceId

whereas for Azure it’s:

https://portal.azure.com/#blade/HubsExtension/DeploymentDetailsBlade/overview/id/%2Fsubscriptions%2F38ca8927-35a3-4f4b-bf11-0faf7dfe83e3%2FresourceGroups%2FmyResourceGroup%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fvm_deploy_Fq3o8mNnoqLg0wiG97oEWNEDyFX5J2Xt

3. open ports

az vm open-port --port 80 --resource-group myResourceGroup --name myVM


Note the default for Azure is to spit out vast amounts of output after each command (whereas AWS is silent) – e.g. that last command had 221 lines of output afterwards.

4. connect to VM

ssh azureuser@publicIpAddress

(this took a loooong time to connect)

5. install web server

sudo apt-get -y update

sudo apt-get -y install nginx

Refreshingly, the demo uses ssh and nginx rather than some Microsoft’y version.

6. test

Locally:

curl localhost 

which defaults to port 80.

Then open publicIpAddress in a browser.

7. cleaning up

az group delete --name myResourceGroup

Note: you need to enter y, not yes, at the command line to confirm. Out of habit, I entered yes a few times and wondered why it wasn’t accepting it. My bad – it does actually prompt you for y.

See also https://docs.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-cli

And other guides:

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/


Upload a new Github Repo from the command line

1. create the repo via curl

Replace <this>:

2. upload

Assuming you’ve created your git repo locally, added and committed then:

3. check

It should be at: