Tidy Cloud AWS issue #8 - Cloud Engineering and SSO

Hello all!

This issue contains a few bits of information regarding Pulumi Cloud Engineering Summit. We also cover the Pulumi Registry, as well as a tip for those of you who use AWS Single Sign-On (AWS SSO).

Cloud engineering Summit 2021

Last week Pulumi hosted the Cloud Engineering Summit 2021. It was two days (evenings in my time zone) of talks, discussions, and conversations with a varied group of speakers.

I quite enjoyed the summit, even though I have not seen more than a handful of the talks so far. It was a good mix, and the emphasis was more on cloud engineering as a concept than the Pulumi product/project itself. I think this is a winning approach, and I think Pulumi should be proud of their effort with the summit.

You can look at the summit website to get to the video replay of the sessions, or go directly to the YouTube play list. Some talks I have seen really got met thinking about what we do as cloud engineers in different ways, which I think is of great value.

Good work, Pulumi!

Pulumi Registry

Last week, Pulumi announced the Pulumi Registry. It is a great addition!

If you are not familiar with Pulumi, it is a toolkit that allows you to write and define infrastructure as software, using regular programming languages. Pulumi includes some useful features to allow people to build and package infrastructure components defined in software.

The purpose of a public registry is to allow you to find, discover and share such components. There are more Pulumi contributions than 3rd party contributions at the moment. This is quite natural, and it will be interesting to see how it develops. I quite like the design of the website, and the filtering mechanisms that include the type of resource (native provider, bridged provider, and component), as well as use case (e.g. database, monitoring, network, etc). The latter one is quite nice, I think. There is also free-text search as well.

The other major players that use regular programming languages to define cloud infrastructure also have a similar website, Construct Hub, which is in developer preview. This is for AWS CDK, CDK for Terraform, and CDK for Kubernetes. This one also mainly contains official packages, with some 3rd party contributions.

I think the initial impression for a user is better with the Pulumi Registry. Construct Hub is overwhelming when you first go to the website. It will be interesting to see how these have developed in a few months!

AWS SSO util

Do you think programmatic/scripted AWS credential handling with AWS SSO is cumbersome? You are not alone. It used to be a pain point for quite a while.

If you use AWS, chances are that you have several AWS accounts. If you also have set up your multi-account structure somewhat recently, chances are that you use AWS Single Sign-On (AWS SSO). It is the case if you use AWS Control Tower to manage your AWS accounts, for example.

AWS SSO works fairly nicely, given the restrictions of the AWS Console (only one account in the same browser can be active). Its interface for programmatic/scripted access to copy temporary credentials in environment variables is cumbersome, though.

The AWS CLI v2 supports handling AWS credential profiles with AWS SSO, but not all developer toolkits support the SSO profile configurations. For example, if you use Typescript or Javascript with AWS SDK v2, you are out of luck, in that regard.

One nice utility help make AWS SSO usage better, it is the aws-sso-util package. Described as a set of utilities that smooth out the rough edges of AWS SSO, it is definitely a useful tool to have when you use AWS SSO.

With programmatic/scripted access, it adds a fallback authentication mechanism that gets triggered, in case what you use does not support AWS SSO credential profiles. So from a user perspective, it just works and you do not have to think much about it. The tool also provides a nicer experience to set up credential profiles for AWS SSO than the regular AWS CLI.

You can find information about the tool instructions at its Github page (https://github.com/benkehoe/aws-sso-util). The author Ben Kehoe has also written a good article about some good AWS credentials practices, which I can recommend reading.

You can find the contents of this bulletin and older ones, and more at Tidy Cloud AWS. You will also find other useful articles around AWS automation and infrastructure-as-software.

Until next time,

/Erik