Accounts (AWS, GCP, CircleCI)
Getting Started with AWS
Sign up for an AWS account
Create an IAM role for your use case, e.g. serverless-admin
You don't want to give serverless-admin access to all features of AWS. Therefore, you create a new IAM user that only has the rights a serverless developer needs, e.g. access to AWS Lambda, DynamoDB, S3, API Gateway, CloudDeployment and Logs. You use this user for the AWS CLI and the Serverless framework.
More information on the required permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateUploadBucket",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:ValidateTemplate"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:PublishVersion",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:DeleteFunction",
        "lambda:ListVersionsByFunction"
      ],
      "Resource": [
        "arn:aws:lambda:eu-central-1:*:function:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:PassRole",
        "iam:DeleteRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::*:role/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
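A quick way to check how tightly a policy like the one above is scoped, added here as an example and not part of the original page. The function names, the set of IAM write actions and the third sample statement (with its placeholder account id and role prefix) are assumptions for illustration.

```python
import json

# Actions that create roles, attach permissions to them, or hand them to a
# service (set chosen for this example; compared case-insensitively).
IAM_WRITE = {"iam:createrole", "iam:passrole", "iam:putrolepolicy",
             "iam:attachrolepolicy"}

def as_list(value):
    """IAM accepts a single string/object or a list for these fields."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def is_wildcard(resource):
    """True when the final segment of the resource is a bare '*'."""
    return resource.rsplit(":", 1)[-1].rsplit("/", 1)[-1] == "*"

def audit_policy(policy_json):
    """Return (statement index, severity, detail) for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        wild = [r for r in as_list(stmt.get("Resource", [])) if is_wildcard(r)]
        if not wild:
            continue  # every resource is named or at least prefixed
        risky = sorted(a for a in actions if a.lower() in IAM_WRITE)
        if risky:
            findings.append((i, "HIGH", f"{', '.join(risky)} on {wild[0]}"))
        else:
            findings.append((i, "REVIEW", f"{len(actions)} actions on {wild[0]}"))
    return findings

# Two statements copied from the policy above plus one scoped statement
# constructed for contrast (account id and role prefix are placeholders).
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:GetRole",
                "iam:PassRole", "iam:DeleteRolePolicy", "iam:PutRolePolicy"],
     "Resource": ["arn:aws:iam::*:role/*"]},
    {"Effect": "Allow",
     "Action": ["logs:DescribeLogStreams", "logs:FilterLogEvents"],
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/my-service-dev-*"},
]})

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print(*finding, sep="  ")
```

Some actions do not support resource-level permissions and have to use "*", which is why findings without IAM write actions are only marked REVIEW.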
Install AWS CLI
sudo pip install awscli
# use the access key id and secret access key as described above
aws configure
# AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
# AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
# Default region name [None]: eu-central-1
# Default output format [None]:
# for the man pages do
aws configure help
Source: https://docs.aws.amazon.com/de_de/cli/latest/userguide/cli-chap-getting-started.html
Configure multiple Profiles:
vi ~/.aws/credentials
[default]
aws_access_key_id=XXX
aws_secret_access_key=XXX
[serverless-admin]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Set the profile:
export AWS_PROFILE=serverless-admin
Source: https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html
Securely store your keys and secrets in your rsh file
You don't want to store your secrets in plain text in a file like .rshrc. Instead, you can use the lpass CLI [GitHub / documentation], store your secrets in your OS X keychain, and access them only by reference.
Installation
brew install lastpass-cli --with-pinentry
Set variables in LastPass
Just create a secret note within LastPass:

Log in to lpass on the command line
# log in to LastPass
# first check whether I am already logged in and the "access-token" folder is found
if [[ $(lpass ls) != *"access-token"* ]]; then
  lpass login your@email.com
fi
Set environment variables, e.g. key ID (username) and secret (password)
export AWS_ACCESS_KEY_ID=$(lpass show aws-serverless-devops --username)
export AWS_SECRET_ACCESS_KEY=$(lpass show aws-serverless-devops --password)
Getting started with GCP
Set up Google Cloud Functions for Serverless:
Create a Google Cloud Billing Account
Create a new Google Cloud Project
Enable the necessary APIs
Get credentials
For serverless: Update the provider config in serverless.yml
Accessing files in lpass
lpass show xxx-dev-gcp --attach att-7942806310206912061-56085
Set up an encrypted folder and sync it with Google Drive
/Users/den/Desktop/secret/xxx/key.json
lock-secret-files
unlock-secret-files