AWS accounts
Give learners access to AWS accounts.
This guide explains how to access an Amazon Web Services (AWS) account from Instruqt.
An AWS account is a container for your AWS resources. You create and manage your AWS resources in an AWS account, and the AWS account provides administrative capabilities for access and billing.
You must have already built a track to which you can add access to an AWS account.
Service Limits
AWS accounts have built in service limits. If you plan to deploy complex network infrastructure check to make sure you do not exceed the EC2 service quota defaults.
It is best to add the Instruqt Cloud Client container to your track to give a learner access to an AWS account. Because the Instruqt Cloud Client container:
- Exposes links to the AWS Console for the resources configured in the
config.yml
file, with the credentials required to log in. - Includes the
aws
CLI, pre-configured with the required credentials.
The AWS Console and the
aws
CLI make it easy for content developers and learners to access AWS resources from the sandbox.It takes the following steps to give learners access to an AWS account:
- 1.Add an Instruqt Cloud Client container to your track.
- 2.Add an AWS account to your track.
- 3.Add tabs to your challenges where you want to expose the AWS console or
aws
CLI.
Additionally, you can use:
- A set of environment variables that are available in the
aws
CLI. - IAM policies and permissions.
Use the
AWS Cloud Account
templateInstead of building the track yourself, you can create a track with the AWS Cloud Template. The template includes:
- The Instruqt Cloud Client container
- A pre-defined AWS account
- A challenge with tabs for AWS console and
aws
CLI
🌐 Web UI
💻 Instruqt CLI
- 1.
- 2.Click the TRACK_NAME of the track where you want to add AWS account access. ↳ Instruqt shows the corresponding Track overview page.
- 3.Click Track details followed by Sandbox to open the Sandbox page.
- 4.Click Add container +. ↳ The Create container page opens.
- 5.Enter/select these values:FieldValueName
cloud-client
Imagegcr.io/instruqt/cloud-client
Ports80
Shell/bin/bash
- 6.Click Save to add the container. ↳ On the Sandbox page, you will see the new container.
- 1.Open the file
config.yml
in your code editor. - 2.Copy and paste the following code under the
containers
property:- name: cloud-clientimage: gcr.io/instruqt/cloud-clientports: [80]shell: /bin/bash
🌐 Web UI
💻 Instruqt CLI
- 1.Click Add AWS account + on the Sandbox page. ↳ The Create AWS account page opens.
- 2.In the Name field, enter
awsaccount
. - 3.In the IAM Policy field, enter the following JSON:{"Version": "2012-10-17","Statement": [{"Sid":"EC2DefaultAllow","Effect": "Allow","Action": "ec2:*","Resource": "*"}]}
- 4.In the SCP Policy field, enter the following JSON:{"Version": "2012-10-17","Statement": [{"Sid": "RequireLessThanXLInstanceType","Effect": "Deny","Action": "ec2:RunInstances","Resource": "arn:aws:ec2:::instance/*","Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.nano"]}}}]}
- 5.Click Save to add the AWS account. ↳ On the Sandbox page, you will see the new AWS account.
- 6.Click Back to return to the Track overview page.
- 1.Copy and paste the following code into
config.yml
:aws_accounts:- name: awsaccountmanaged_policies: []↳ Yourconfig.yml
file should be similar to this now:version: "3"containers:- name: cloud-clientimage: gcr.io/instruqt/cloud-clientports: [80]shell: /bin/bashaws_accounts:- name: awsaccountmanaged_policies: []
🌐 Web UI
💻 Instruqt CLI
- 1.Click Add Challenge on the Track overview page. ↳ The New challenge page opens.
- 2.Enter/select these values:FieldValueTitle
AWS account
Slugaws-ec2
Assignment > Editor tabMarkdown text of your likingTeaserLearn to work with an AWS account
- 3.Click Save to add the challenge. ↳ On the Track overview page, you will see the new challenge.
- 4.Click Edit on the new challenge.
- 5.Click Tabs followed by New tab. ↳ The New tab page opens.
- 6.Enter/select these values to set the AWS console:FieldValueTitle
AWS console
TypeService
Hostcloud-client
Path/
Port80
- 7.Click Save to add the tab.
- 8.Click New tab again.
- 9.Enter/select these values to set the
aws
CLI:FieldValueTitleaws CLI
TypeTerminal
Hostcloud-client
- 10.Click Save to add the tab. ↳ On the Challenge tabs page, you will see the new tabs.
- 11.Click Back followed by Build track.
- 12.Click Start track and test your AWS account track.
- 1.Open a terminal and move to your track directory.
- 2.Enter the following command to create a new challenge:instruqt challenge create --title "AWSaccount"↳ Instruqt CLI created a directory for the challenge. And an
assignment.md
file inside the challenge directory. - 3.Open the
assignment.md
file in your code editor. - 4.Copy and paste the following code into
assignment.md
to set the AWS console andaws
CLI:---slug: aws-ec2type: challengetitle: AWS accountteaser: Learn to work with an AWS accounttabs:- title: AWS Consoletype: servicehostname: cloud-clientpath: /port: 80- title: aws CLItype: terminalhostname: cloud-clientdifficulty: basictimelimit: 600---⇨ You can add the assignment text of your liking in Markdown after line 17. - 5.Save file
assignment.md
. - 6.Push the track to the Instruqt platform:instruqt track push
- 7.Play and test the track:instruqt track open↳ Your browser opens, showing the Track overview page. Click Start track to play the track.
Adding an AWS account to your track also sets a list of environment variables that you can use in commands and scripts:
Environment variable | Description |
INSTRUQT_AWS_ACCOUNTS | A comma-separated list of project names that can be used to fill ${NAME} in the variables below |
INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_NAME | This injects the account display name |
INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_ID | This injects the account ID |
INSTRUQT_AWS_ACCOUNT_${NAME}_USERNAME | This injects the username that can be used to sign in to the IAM user |
INSTRUQT_AWS_ACCOUNT_${NAME}_PASSWORD | This injects the password that can be used to sign in to the IAM user |
INSTRUQT_AWS_ACCOUNT_${NAME}_AWS_ACCESS_KEY_ID | This injects the access key id for this account |
INSTRUQT_AWS_ACCOUNT_${NAME}_AWS_SECRET_ACCESS_KEY | This injects the secret access key for this account |
This example shows the id of the AWS account from a terminal by using two environment variables. The value of the
INSTRUQT_AWS_ACCOUNTS
environment variable is inserted in the INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_ID
environment variable.To follow along:
- 1.Start your AWS account track and start the first challenge.
- 2.Move over to the
Cloud CLI
terminal and enter the following command:eval echo "\${INSTRUQT_AWS_ACCOUNT_${INSTRUQT_AWS_ACCOUNTS}_ACCOUNT_ID}"↳ The terminal shows the id of your AWS account project.
AWS accounts have the following settings to configure policies and permissions:
- Managed policies
- Identity And Access (IAM) policies
- Service control policies (SCP) policies
An AWS managed policy is a standalone policy that is created and administered by AWS.
The managed policies method is easier than the IAM and SCP policies but may grant learners more than the minimum access required to complete a track. The following example grants Virtual Private Cloud (VPC) administrator access, which allows learners to create and manage VPC networks:
🌐 Web UI
💻 Instruqt CLI
Update your AWS account by entering the following in the Managed Policies field:
arn:aws:iam::aws:policy/AmazonVPCFullAccess
And clicking Add.
Edit your
config.yml
file to include this content:aws_accounts:
- name: awsaccount
managed_policies:
- arn:aws:iam::aws:policy/AmazonVPCFullAccess
IAM policies define permissions for an action regardless of the method that you use to perform the operation.
For more fine-grained control, you can set IAM policies. The following example sets a managed policy that limits the EC2 instance types to only several t2 and t3 instances. Note the use of the pipe symbol
|
to indicate that a multi-line JSON policy will follow.🌐 Web UI
💻 Instruqt CLI
Update your AWS account by entering the following in the IAM policy field:
|
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireLessThanXLInstanceType",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:::instance/*",
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": [
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"t3.nano",
"t3.micro",
"t3.small",
"t3.medium",
"t3.large"
]
}
}
}
]
}
Edit your
config.yml
file to include this content:aws_accounts:
- name: awsaccount
iam_policy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireLessThanXLInstanceType",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:::instance/*",
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": [
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"t3.nano",
"t3.micro",
"t3.small",
"t3.medium",
"t3.large"
]
}
}
}
]
}
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
For more fine-grained control, you can also set SCP policies. The following example disallows large EC2 instance types:
🌐 Web UI
💻 Instruqt CLI
Update your AWS account by entering the following in the SCP policy field:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireLessThanXLInstanceType",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:::instance/*",
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": [
"t2.large"
]
}
}
}
]
}
Edit your
config.yml
file to include this content:aws_accounts:
- name: awsaccount
scp_policy: |-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireLessThanXLInstanceType",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:::instance/*",
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": [
"t2.large"
]
}
}
}
]
}
Awesome! Your learners can now access AWS accounts. But there is more. You can also give them access to:
Last modified 5mo ago