AWS – Bastions with user-managed SSH keys

I recently architected a bastion solution to let employees manage their own SSH keys from the AWS interface. CodeCommit actually lets you upload your SSH keys directly in the IAM section of your user, a bit like on GitHub.

Benefits of this solution:

  • Nothing to manage once installed and configured
  • Let users update their public SSH keys themselves inside the console
  • Deploy the keys automatically and keep them up-to-date on all bastions and instances
  • Add and remove users on all Linux boxes automatically when you add/remove accounts in IAM
  • Linux usernames are generated based on IAM account email: paul.chapotet@domain.com -> pchapotet
  • Keys are automatically deployed on bastions and instances based on the VPC where they are located
  • Inexpensive: the Lambda runs only when there is a change in IAM:
    • UploadSSHPublicKey, when anyone adds an SSH key to an IAM user
    • UpdateSSHPublicKey, when anyone activates or deactivates an SSH key
    • DeleteSSHPublicKey, when anyone deletes an SSH key
    • DeleteUser, when anyone deletes an IAM user
  • A single S3 GET operation is needed to update the SSH keys from bastions and instances

In the diagram above, I assume that you are following AWS best practices and that you have a central account to manage IAM users, one account for production and one for your development environment. Interested in digging into the code? It’s available here: https://github.com/pchapotet/aws-bastions
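To make the sync rules above concrete, here is an added Python illustration (not code from the aws-bastions repository): the username derivation, the "active keys only" manifest the Lambda would publish to S3, and the CloudTrail event filter. All sample users and keys are constructed, and the handling of emails without a dot is an assumption.

```python
import re

# Constructed sample, loosely mirroring the fields returned by IAM
# list_users / list_ssh_public_keys / get_ssh_public_key (real payloads
# carry more fields; only the ones used here are shown).
SAMPLE_USERS = [
    {"UserName": "paul.chapotet@domain.com", "SSHPublicKeys": [
        {"SSHPublicKeyId": "APKAEXAMPLE1", "Status": "Active",
         "SSHPublicKeyBody": "ssh-ed25519 AAAAC3...constructed1"},
        {"SSHPublicKeyId": "APKAEXAMPLE2", "Status": "Inactive",
         "SSHPublicKeyBody": "ssh-rsa AAAAB3...constructed2"},
    ]},
    {"UserName": "Jane.Doe@domain.com", "SSHPublicKeys": []},
]

# IAM API calls (CloudTrail eventName) after which the sync must re-run.
SYNC_EVENTS = {"UploadSSHPublicKey", "UpdateSSHPublicKey",
               "DeleteSSHPublicKey", "DeleteUser"}


def linux_username(email):
    """paul.chapotet@domain.com -> pchapotet (first initial + last name).
    Assumption: an email without a dot maps to its whole local part."""
    local = email.split("@", 1)[0].lower()
    first, _, last = local.partition(".")
    name = (first[:1] + last) if last else first
    # Refuse anything that is not a safe, conventional Linux username.
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", name):
        raise ValueError(f"cannot derive a Linux username from {email!r}")
    return name


def build_manifest(users):
    """Map each Linux user to its *active* IAM SSH keys. Users without an
    active key keep an empty list: the account still exists in IAM, but
    instances must drop any stale authorized_keys entries."""
    manifest = {}
    for user in users:
        keys = [k["SSHPublicKeyBody"] for k in user.get("SSHPublicKeys", [])
                if k.get("Status") == "Active"]
        manifest[linux_username(user["UserName"])] = sorted(keys)
    return manifest


def should_sync(event_name):
    """True for the four IAM events that change who may log in."""
    return event_name in SYNC_EVENTS


def render_authorized_keys(manifest, username):
    """authorized_keys content an instance writes after its single S3 GET."""
    return "".join(key + "\n" for key in manifest.get(username, []))
```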

Google Cloud Platform – Start stop instance scheduler

I recently worked on a feature missing on GCP: a start/stop scheduler for my GCP instances based on labels. I was first excited about using Cloud Functions, but App Engine seemed the way to go for several reasons: it supports Python and the task scheduling feature is already built in.

I had a few requirements:

  • Ability to schedule start and stop of GCE instances every hour
  • Extra options to run only during working days or weekends, default is every day
  • It must work across all projects inside an organisation if you give the right permissions to your default App Engine service account
  • Inexpensive to run (or free), who wants to pay for a feature that should be available by default in the cloud?
    • According to https://cloud.google.com/free/docs/always-free-usage-limits you should have 28 instance hours of App Engine Standard free per day.
    • If you are already using App Engine for something else, the script is easy to merge with your application code.
    • If you don’t want to use App Engine, the python code can be executed from any other machine with the right credentials, even your laptop if not critical.

To deploy the solution, please follow the instructions from the following repository: https://github.com/pchapotet/gcp-start-stop-scheduler

Once it is installed, simply add a few labels to your instances and enjoy the automation! You can run it only during working days (Monday to Friday) with the ‘d’ option and only during weekends (Saturday and Sunday) with the ‘w’ option. Feel free to comment and raise GitHub issues if you see anything to improve.

With just 2 labels, it starts your instance at 8am and stops it at midnight on every working day.