Get started

This is the guide for new technical staff working in OPG. If you just joined, 👋 welcome!

If you are having trouble with this guide, you can ask your colleagues or the #opg-developers channel in Slack.

1. Install the Homebrew package manager (on macOS or Linux)

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"

Check out this list of recommended tools to install

2. Set up your GitHub account

  1. Set up a GitHub account. Existing personal accounts are fine to use.
  2. Ask #ask-operations-engineering to add you to the ministryofjustice organisation. You will have to be added to the OPG team to get access to repos. Remember to click accept in the GitHub email invitation.
  3. Generate and register an SSH key pair for your laptop for your GitHub account. You should use a 4096-bit key.
  4. While you are here, associate your name and email to your git commits:

    $ git config --global user.email "friendly.giraffe@digital.justice.gov.uk"
    $ git config --global user.name "Friendly Giraffe"
    

3. Get AWS access

To work with products and services at OPG, you will require an account in AWS.

Request an account

AWS accounts are all managed in code using Terraform. They are defined in the opg-org-infa repository. If you have been put into the OPG team on GitHub, your AWS account will have been created at the same time.

Ask your team’s DevOps engineer to set your password.

Sign in to AWS

To sign in, go to the OPG AWS sign-in page, and use the following credentials:

  • “Account ID or alias”: opg-identity
  • Username: firstname.lastname
  • Password: your password

Set up your MFA

You have to set up Multi-Factor Authentication (MFA).

  1. Sign in to your AWS account.
  2. Select or go to the IAM service.
  3. Click on “Users” in the menu bar on the left-hand side.
  4. Enter your name.
  5. Click on the link for your name.
  6. Click on the security credentials tab.
  7. Click on the “Manage” link next to “Assigned MFA device”.
  8. Follow the steps to set up your MFA device. NB: The “Device name” needed for the MFA will need to link to your identity. It should look something like firstname.surname-authy
  9. Log out and log back into your AWS account

Get the appropriate access

An account in AWS does not give you access to anything; you’ll need to be given rights.

Ask your team’s DevOps engineer to pair with you on getting the appropriate access.

4. Set up AWS Roles

Identity is the account where your user identity is stored, but there are no usable resources in this account. To perform useful work, you will need to switch to a role in another account. See the AWS docs for detailed information on how to do this.

Here is a small diagram that explains what each role is for:

[Diagram: AWS Roles]

Extended role switch plugin

By default, the AWS console only stores a limited number of roles in its history. For convenience, you may want to try using the aws-extend-switch-roles Chrome extension.

You will be able to add the roles you require into the plugin. All the roles can be found here

5. Set up AWS Vault

Install AWS Vault

AWS Vault stores IAM credentials in your operating system’s secure keystore and then generates temporary credentials from those to expose to your shell and applications.

brew install --cask aws-vault

Generate a pair of access keys

You have to generate an AWS Access Key and Secret Key to be able to perform operations with AWS on the command-line.

  1. Sign in to the AWS Console.
  2. Click on your email address in the top right.
  3. Click ‘My Security Credentials’.
  4. Click ‘Create access key’.
  5. The secret access key will only be shown once, so download the access keys or keep them on screen.

Setup aws-vault with opg-identity

  1. Run the add command:

    aws-vault add identity

  2. You will be prompted for an Access Key ID, which will be on your screen in the AWS Console.
  3. Hit Enter. You will now be prompted for the secret access key.
  4. Next, open your profile in a text editor and edit it to use your MFA mfa_serial. The file is ~/.aws/config; add the following line:

    mfa_serial=arn:aws:iam::631181914621:mfa/<aws.mfa-device-name>

    NB: <aws.mfa-device-name> is the same as your MFA key; it will probably look like firstname.surname-authy. Make sure that when you are adding to this file you put all text underneath the “[profile identity]”.

  5. You can run the following command to make sure everything works:

    aws-vault exec identity -- aws sts get-caller-identity
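
An added example, not part of the original guide or OPG's own tooling: the NB above requires mfa_serial to sit under “[profile identity]”, and this shell function checks that and also catches the <aws.mfa-device-name> placeholder being left in. The function name check_identity_mfa and the exact ARN pattern it enforces are assumptions.

```shell
# Added example (not OPG tooling). check_identity_mfa is a hypothetical helper.
# Usage: check_identity_mfa [path]      (defaults to ~/.aws/config)
#
# Prints the mfa_serial set under [profile identity] and returns:
#   0  found, and it looks like an IAM MFA device ARN
#   1  no mfa_serial under [profile identity] (absent, or under another section)
#   2  value present but malformed, e.g. the <...> placeholder was not replaced
check_identity_mfa() {
  local config serial
  config="${1:-$HOME/.aws/config}"
  [ -r "$config" ] || return 1

  # Track which INI section we are in; only read mfa_serial inside
  # [profile identity].
  serial=$(awk '
    /^[ \t]*\[/ {                              # any section header
      sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
      in_identity = ($0 == "[profile identity]")
      next
    }
    in_identity && /^[ \t]*mfa_serial[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")                 # drop the key and "="
      sub(/[ \t]+$/, "")                       # drop trailing whitespace
      print
      exit
    }
  ' "$config")

  [ -n "$serial" ] || return 1
  printf '%s\n' "$serial"

  # Assumed shape: 12-digit account ID, then mfa/<device name>. The character
  # set deliberately excludes "<" and ">" so a leftover placeholder fails.
  if printf '%s\n' "$serial" |
     grep -Eq '^arn:aws:iam::[0-9]{12}:mfa/[A-Za-z0-9+=,.@_/-]+$'; then
    return 0
  fi
  return 2
}
```

A return code of 1 when the line is clearly in the file usually means it was pasted under a different section header.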
This page was last reviewed on 25 March 2024. It needs to be reviewed again on 9 September 2024 by the page owner #opg-webops-community .