Cloud9 disable managed credentials and use different credentials
Introduction
Cloud9 offers out of the box the functionality of managing AWS credentials. But these credentials are limited, so depending on the operations that you want to perform (i.e. provisioning infrastructure with terraform), those credentials will not be sufficient.
There are different ways to overcome this limitation, but the fastest way I found to overcome the issue is the following sequence:
- Disable the AWS managed temporary credentials functionality that comes out of the box with Cloud9
- Create a new IAM user and grant the necessary permissions for the task
- Create an access key for the IAM user
- Use the access key created in the previous step in your Cloud9 instance
- Perform the task
- Enable again the managed credentials functionality (or simply close Cloud9).
In this article I am going to describe all the necessary steps to overcome these credentials issues when working with Cloud9.
1. Disable the managed credentials functionality of Cloud9
To disable the AWS managed temporary credentials on Cloud9. You can achieve this by clicking on Settings > AWS Settings > Credentials > Turning Off the option “AWS managed temporary credentials”
2. Create a new IAM user and grant the necessary permissions for the task
In this example I am going to create the user cloud9-user and assign to the user the permission policy AdministratorAccess . You could use the same sequence of steps to create a user with a different name and assign a completely different permission policies. In production environments you are supposed to grant as least privileges as possible, therefore please do not assign the policy AdministratorAccess in a production environment.
The first step is to create a new user on AWS IAM with Admin privilege.
In my case I decided to call this admin user cloud9-user since I will use this user from Cloud9 environment, but the name is irrelevant.
The important part is to set AdministratorAccess to the new user.
Below you can see the user that I created.
3. Create an access key for the IAM user
Once the cloud9-user IAM user was created, it was needed to enter in the user and generate an access key.
The following step is crucial. You need to specify the Use case. Since this example is for creating a user that will be used from the AWS CLI installed inside Cloud9, I will select the first option Command Line Interface (CLI) , because the key will be used by the AWS CLI. But if you created the user for terraform or any other purpose you should select the option Other because the credentials will not be used by AWS CLI.
Before finished the creation of the access key, I downloaded the key as a .csv file, so I can use it in later steps. Once the access key is created, it is not possible to access anymore to the key, and you will need to create a new one. So I recommend you to either download the file or copy paste the values (the id and the secret) to some local file.
4. Use the access key created in the previous step in your Cloud9 instance
Once that you have created the IAM user and the corresponding access key you need to use these new credentials, but in order to do that, you need to configure the new credentials. The way you configure the new credentials depends on the use case that you selected for the access key.
Using aws configure command
Following with the previous example where I created the cloud9-user and its access key, since I selected in the use case of the access key Command Line Interface (CLI) now I must use the command aws configure to setup the access key.
The command will ask you for the key id and for the secret access key, both values appear in the .csv file that I downloaded during the creation of the key. See the image below to have an idea:
Using environment variables
If during the creation of the access key, you selected the use case Other then I recommend you to use environment variables to override the values corresponding to the access key and use the new credentials.
I opened a terminal in Cloud9 and executed the following commands. If you are following this guide, please do not forget to substitute with your values:
export AWS_ACCESS_KEY_ID="your_credentials_id"
export AWS_SECRET_ACCESS_KEY="your_secret_key"
echo $AWS_ACCESS_KEY_ID
echo $AWS_SECRET_ACCESS_KEYAlternatively you could create a file. I.e. cloud9-user.sh with the following content:
export AWS_ACCESS_KEY_ID="your_credentials_id"
export AWS_SECRET_ACCESS_KEY="your_secret_key"Then `source` the file to export your credentials in the environment. If you stop the Cloud9 EC2 instance and retake your tasks later, you will need to source the file again in order to have the creadentials in the environment.
source export-eks-user.sh
echo $AWS_ACCESS_KEY_ID
echo $AWS_SECRET_ACCESS_KEY5. Perform the task
In this step is where you are supposed to do whatever you pretended to do: Provision infrastructure with terraform , create a Kubernetes cluster with eksctl , administer cloud resources with aws CLI, etc … The posibilities are endless and the limit is the sky! I mean the cloud!
6. Enable again the managed credentials functionality (or simply close Cloud9).
Finally when you have finished executing your task you need to use again the managed credentials from Cloud9. It is as easy as either revert the first step: Disable the managed credentials functionality of Cloud9. By doing this Cloud9 will be back to use the default managed credentials. And you can continue working with those credentials.
If you finished your project or you just finished for the day, you can simply close Cloud9. In this case the credentials were only sourced temporary in the terminal and they will be lost when the Cloud9 session finishes. The next time that you start Cloud9 by default it will be used the managed credentials, so in this case you do not need to perform any further action.
Summary
This article showcases how you can create a user and grant the necessary permissions for executing an specific task within AWS Cloud. After that the article shows how you can use the user credentials in order to perform the tasks withing Cloud9.
This is an example on how you can make use of the full potential of the cloud, not only using the cloud infrastructure but also the IDE as a service and fully operate within the AWS cloud.
