Instruqt Docs
  • 🚩Getting started
    • Overview
    • Setting up
      • Study Room
    • Quickstart
  • 🛤️Tracks
    • Manage tracks
      • Create tracks
      • Edit locally
      • Test tracks
      • Track logs
      • Track time limits
      • Track feedback
      • Developer workflow
      • Track tags
      • Track authors
      • Delete tracks
      • Custom layouts
      • Version control
      • Loading experience
    • Challenges
      • Create challenges
      • Challenge tabs
      • Challenge order
      • Skip challenges
      • Add quizzes
      • Assignment display
      • Assignment editor
    • Share tracks
      • Live Events
        • Instructor tools
      • Track invites
      • Embed tracks
      • Landing pages
  • 🏖️Sandboxes
    • Overview
    • Sandbox hosts
      • Add hosts
      • Custom VM images
      • Custom container images
      • Public images
      • Windows VMs
      • Website service
      • SSL certificates
    • Cloud accounts
      • Securing your cloud accounts
      • Cloud Client
      • AWS accounts
        • AWS Environment Variables
        • AWS Managed Policies
        • AWS IAM Policies
        • AWS SCP Policies
      • Azure subscriptions
        • Azure Environment Variables
        • Azure Roles
        • Azure Resource Providers
      • GCP projects
        • GCP Environment Variables
        • GCP IAM Permissions
    • Lifecycle scripts
      • Scripting overview
      • Track scripts
      • Challenge scripts
      • Example scripts
      • Helper scripts
    • UI Checks
    • Global Sandbox Settings
      • Hot start
      • Sandbox presets
      • Custom resources
      • Cloud services and regions
        • Allowed services and regions
    • Secrets and variables
      • Runtime variables
      • Runtime parameters
      • Secrets
  • ⚙️Settings
    • Integrations
      • Salesforce (Beta)
      • HubSpot (Beta)
      • HubSpot (Using zapier)
      • LTI
      • Version control
        • GitHub
    • Authentication
      • SSO
      • API keys
    • Platform
      • API
      • Webhooks
      • Track limits
  • 💡Reference
    • Feature overview
    • Instruqt CLI
      • Commands
      • Configuration files
      • Assets
    • Instruqt platform
      • Networking
      • Host machine types
      • Quotas and limits
      • Roles and permissions
      • Network access
      • Requirements
  • 🛟Resources
    • Content design tips
    • Advanced use cases
    • Templates
    • FAQ
      • Running Windows Client Hosts on Instruqt
      • Using Cleanup Scripts in SaaS and Cloud Environments
      • Instruqt Regional Configurations and Restrictions
      • Troubleshooting Instruqt CLI Authentication Issues
      • Copy a Track from One Organization to Another via CLI
      • Network Configuration: IP and MAC Address Control
      • Container Troubleshooting in Instruqt
Powered by GitBook
On this page
  • Before you begin
  • Access AWS accounts
  • Step 1: Add an Instruqt Cloud Client container to your track
  • Step 2: Add an AWS account to your track
  • Step 3: Add tabs to expose the AWS console and aws CLI
  • Environment variables
  • Setting policies and permissions

Was this helpful?

Edit on GitHub
  1. Sandboxes
  2. Cloud accounts

AWS accounts

Give learners access to AWS accounts.

PreviousCloud ClientNextAWS Environment Variables

Last updated 1 month ago

Was this helpful?

Cloud account usage can lead to abuse without the appropriate security policies in place. Always be sure to implement the appropriate policies and restrictions before exposing tracks with cloud accounts to the public.

Costs associated with cloud accounts are in addition to your standard Instruqt billing. Therefore, you should take extra precautions when allowing users to access tracks that have cloud accounts.

This guide explains how to access an Amazon Web Services (AWS) account from Instruqt.

An AWS account is a container for your AWS resources. You create and manage your AWS resources in an AWS account, and the AWS account provides administrative capabilities for access and billing.

—

Before you begin

You must have already built a track to which you can add access to an AWS account.

Service Limits AWS accounts have built in service limits. If you plan to deploy complex network infrastructure check to make sure you do not exceed the .

Access AWS accounts

It is best to add the Instruqt Cloud Client container to your track to give a learner access to an AWS account. Because the Instruqt Cloud Client container:

  • Exposes links to the AWS Console for the resources configured in the config.yml file, with the credentials required to log in.

  • Includes the aws CLI, pre-configured with the required credentials.

The AWS Console and the aws CLI make it easy for content developers and learners to access AWS resources from the sandbox.

It takes the following steps to give learners access to an AWS account:

  1. Add an Instruqt Cloud Client container to your track.

  2. Add an AWS account to your track.

  3. Add tabs to your challenges where you want to expose the AWS console or aws CLI.

Additionally, you can use:

  • A set of environment variables that are available in the aws CLI.

  • IAM policies and permissions.

Use the AWS Cloud Account template

Instead of building the track yourself, you can create a track with the AWS Cloud Template. The template includes:

  • The Instruqt Cloud Client container

  • A pre-defined AWS account

  • A challenge with tabs for AWS console and aws CLI

Step 1: Add an Instruqt Cloud Client container to your track

Step 2: Add an AWS account to your track

  1. Click + Add a cloud account on the Sandbox page. ↳ The Add cloud account pop-up opens.

  2. Select the Amazon provider.

  3. In the Name field, enter awsaccount.

  4. In the Services field, select the services that are going to be enabled.

  5. In the Regions field, select the regions that are going to be enabled.

  6. In the User IAM Policy field, enter an IAM policy in JSON format. For example to allow EC2 read-only access:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
            "Sid":"EC2AllowDescribe",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        }
      ]
    }
  7. In the Admin IAM Policy field, enter an IAM policy in JSON format. For example to allow EC2 access:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
            "Sid":"EC2DefaultAllow",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
      ]
    }
  8. In the SCP Policy field, enter an SCP policy in JSON format. This example limits the allowed instance types:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "LimitInstanceTypeRun",
          "Action": [
            "ec2:RunInstances"
          ],
          "Effect": "Deny",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
            "StringNotEqualsIfExists": {
              "ec2:InstanceType": [
                "t2.micro"
              ]
            }
          }
        },
        {
          "Sid": "LimitInstanceTypeModify",
          "Action": [
            "ec2:ModifyInstanceAttribute"
          ],
          "Effect": "Deny",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
            "ForAnyValue:StringNotEquals": {
              "ec2:Attribute/InstanceType": [
                "t2.micro"
              ]
            }
          }
        }
      ]
    }
  9. Click Save to add the AWS account. ↳ On the Sandbox page, you will see the new AWS account.

  10. Click Back to track to return to the Track dashboard page.

  1. Copy and paste the following code into config.yml:

    aws_accounts:
    - name: awsaccount
      services: []
      regions: []
      managed_policies: []

    ↳ Your config.yml file should be similar to this now:

    version: "3"
    containers:
    - name: cloud-client
      image: gcr.io/instruqt/cloud-client
      ports: [80]
      shell: /bin/bash
    aws_accounts:
    - name: awsaccount
      services: []
      regions: []
      managed_policies: []

Only enabled services and regions configured by the team administrator can be selected and/or specified. See more details in Cloud services and regions

When specifying Admin Roles, an additional admin user and API Key will be created with the designated roles.

For setting up the cloud account in lifecycle scripts, it is recommended to use an admin user with elevated privileges. This ensures the ability to perform operations requiring higher privileges than those assigned to the end user.

Note: Admin credentials are injected exclusively into lifecycle scripts, unlike end user credentials which are exposed as environment variables on virtual machines and containers.

Step 3: Add tabs to expose the AWS console and aws CLI

  1. In the Challenges section of the Track dashboard, click Add new, and select Assignment.

  2. Input these values:

    Field
    Value

    Tab name

    AWS account

    URL

    aws-ec2

    Description

    Learn to work with an AWS account

  3. Click Save.

  4. Click Tabs followed by Add new tab.

  5. Select the Your applications tab type.

  6. Enter/select these values to set the AWS console:

    Field
    Value

    Tab name

    AWS console

    Select your host

    cloud-client

    Path

    /

    Port

    80

  7. Click Save to add the tab.

  8. Click Add new tab again.

  9. Select the Terminal tab type.

  10. Enter/select these values to set the aws CLI:

    Field
    Value

    Tab name

    aws CLI

    Host

    cloud-client

  11. Click Save to add the tab.

  12. Click Back to track.

  13. Click Play track and test your AWS account track.

  1. Open a terminal and move to your track directory.

  2. Enter the following command to create a new challenge:

    instruqt challenge create --title "AWSaccount"

    ↳ Instruqt CLI created a directory for the challenge. And an assignment.md file inside the challenge directory.

  3. Open the assignment.md file in your code editor.

  4. Copy and paste the following code into assignment.md to set the AWS console and aws CLI:

    ---
    slug: aws-ec2
    type: challenge
    title: AWS account
    teaser: Learn to work with an AWS account
    tabs:
    - title: AWS Console
      type: service
      hostname: cloud-client
      path: /
      port: 80
    - title: aws CLI
      type: terminal
      hostname: cloud-client
    difficulty: basic
    timelimit: 600
    ---

    ⇨ You can add the assignment text of your liking in Markdown after line 17.

  5. Save file assignment.md.

  6. Push the track to the Instruqt platform:

    instruqt track push
  7. Play and test the track:

    instruqt track open

    ↳ Your browser opens, showing the Track overview page. Click Start track to play the track.

Environment variables

Setting policies and permissions

AWS accounts have the following settings to configure policies and permissions:

Awesome! Your learners can now access AWS accounts. But there is more. You can also give them access to:

More information can be found in the section.

Adding an AWS account to your track also sets a list of that you can use in commands and scripts. This provides the ability to access and deploy resources within the AWS account during track setup or during learner interaction with the CLI.

policies

policies

🏖️
AWS documentation
EC2 service quota defaults
cloud client
AWS environment variables
Managed policies
Identity And Access (IAM)
Service control policies (SCP)
GCP projects
Azure subscriptions