AWS Cloud9: First Look from an Ops Perspective

I just spent a couple of hours playing around with AWS’ new Cloud9 product, a fully browser-based IDE with a lot of integration into AWS services.

I’m really impressed with the product overall. I have never had the chance to use Cloud9 prior to AWS purchasing it, but I can definitely understand the merits and interest by a lot of developers in a completely cloud-based IDE.

Here are some of my thoughts and findings that are more relevant from an infrastructure operations perspective. I know developers will be eager to get their hands on this product in the enterprise!

[Image: Gigantic error message indicating a user with both AdministratorAccess and Cloud9Administrator permissions cannot access the environment.]
  • EDIT (Dec 3): Fabian Jakobs pointed out that any AWS admin can add themselves to any environment using the AWS CLI/API. Docs here.
    Original Content: You must be invited to a Cloud9 environment in order to access it. As far as I can tell, there is no way around this. What this means is: even as an AWS administrator, if you haven’t been invited to a Cloud9 environment, you cannot access it. I don’t see anywhere to control access to Cloud9 environments specifically with IAM — it seems to be an internal permissions management system that is managed within the Cloud9 service. Note that an Administrator can view information about the environment, just not actually launch the IDE.
[Image: Environment Membership and Invitation Screen]
  • There is no support for AWS roles or federated/SAML-based development environment sharing. If your org is using a SAML-based authentication service to provide AWS access, developers will not be able to access others’ Cloud9 environments. Cloud9 environments can only be shared between other IAM users.

There are 2 ways to create a new environment. Here are a few nuances of each.

Create a New Instance for Environment (EC2)

  • AWS will automatically provision an EC2 instance for you with a specific Cloud9-optimized AMI, including all of the dependencies required for Cloud9 to work correctly. You will see this instance in your list of EC2 instances, but you are not given the SSH key to access it.

Connect and run in a remote server (SSH)

  • With this option, you specify a public endpoint, accessible over SSH, onto which Cloud9 can install itself. You get a few options for configuring where on the server the Cloud9 environment is created, where the Node.js binary is, which user to run as, etc.
[Image: Cloud9 Installer Progress Screen with Errors]
  • Since this option is presumably on a machine without any associated Cloud9 environments, Cloud9 will SSH into this instance and configure Cloud9 for you. During this time, you’ll be able to monitor progress of the installation within the Cloud9 console — seeing exactly what’s happening during installation. As I was first going through the installation and missing dependencies, I was getting error messages and was able to see them easily.

Some #AWSWishList items for Cloud9

  • Now that AWSVPC mode exists within ECS, let me use a Docker task with an attached ENI as the backend resource for an environment. I actually thought this would be possible to do today, but ran into a few limitations that make this not easy to do currently.
  1. Using the “standard” (non-Fargate) ECS tasks with awsvpc network mode, you cannot assign public IP addresses to these, so you are unable to point Cloud9 to the container.
  • Provide a smaller IP range specifically for Cloud9, or some other way to better filter incoming requests from Cloud9 so security groups don’t need to be opened up to the world, or to a gigantic range of EC2 addresses.
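
To make the last wishlist item concrete, here is an added example (not from the original post or from AWS) that filters a feed shaped like AWS's published ip-ranges.json by service and region, collapses the result, and builds an SSH-only ingress rule from it. The sample prefixes are constructed, and a `CLOUD9` service tag in the feed is an assumption made for illustration.

```python
import ipaddress

# Constructed sample in the shape of AWS's published ip-ranges.json feed.
# The prefixes are private/documentation ranges, not real AWS allocations,
# and the "CLOUD9" service tag is an assumption made for this example.
SAMPLE_FEED = {"prefixes": [
    {"ip_prefix": "10.0.0.0/12", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "10.16.0.0/12", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "172.16.0.0/14", "region": "us-west-2", "service": "EC2"},
    {"ip_prefix": "192.0.2.0/27", "region": "us-east-1", "service": "CLOUD9"},
    {"ip_prefix": "192.0.2.32/27", "region": "us-east-1", "service": "CLOUD9"},
]}


def select_cidrs(feed, service, region):
    """Return the collapsed IPv4 networks published for one service in one region."""
    nets = [ipaddress.ip_network(p["ip_prefix"]) for p in feed["prefixes"]
            if p["service"] == service and p["region"] == region]
    return list(ipaddress.collapse_addresses(nets))


def exposed_addresses(cidrs):
    """Count the source addresses a rule set built from these networks admits."""
    return sum(net.num_addresses for net in cidrs)


def ssh_ingress(cidrs, note):
    """Build an EC2 IpPermissions list allowing only TCP/22 from the networks."""
    return [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": str(net), "Description": note}
                          for net in cidrs]}]


if __name__ == "__main__":
    for service in ("EC2", "CLOUD9"):
        cidrs = select_cidrs(SAMPLE_FEED, service, "us-east-1")
        print(service, [str(c) for c in cidrs], exposed_addresses(cidrs))
    print(ssh_ingress(select_cidrs(SAMPLE_FEED, "CLOUD9", "us-east-1"),
                      "Cloud9 SSH (example)"))
```

The list returned by `ssh_ingress` has the shape of the `IpPermissions` parameter of EC2's AuthorizeSecurityGroupIngress call, and it needs regenerating whenever the feed changes.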

Again, I really like what AWS has done with this and I think it’s a really cool product that definitely has a wide range of use cases. The Lambda debugging is amazing. Coming from an enterprise, I know there will be questions about operations and security, and wanted to call some of that out. Let me know if I missed anything as far as something that can be done to work around the above.

Thanks for reading!

cloud engineer & architect • passionate about tech, learning, coffee, and photography • https://matt.adorjan.co
