Setting Up Environment Images
With CloudShare, you decide what goes inside the environment that each of your end users (students, POC users, etc.) works in, choosing Amazon Machine Images (AMIs) according to the software you require.
You can choose any of the following:
- AWS public AMIs
- Your own custom AMIs on AWS
- Marketplace AMIs
Note
CloudShare’s snapshot mechanism does not save VMs that are created in AWS. Any changes made in an AWS VM will be deleted when the environment is deleted. Any changes you want to make on your AWS image should be done directly on your custom AMI in your AWS account.
An AWS key pair is used to enable remote access to the VM (Linux) or password reset privileges (Windows). For each environment, CloudShare uses a key pair named cs-key, which must be created for each VM in the Terraform script. See the example in the following snippet:
# Change "instance_type" according to your needs
# Change the value of the "ci-key-username" tag to your AMI username
# The "Name" tag will be the VM name as seen in the CloudShare viewer.

# Look up the most recent Ubuntu 20.04 AMI published by Canonical
data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  key_name      = "cs-key" # key pair used by CloudShare for this VM

  tags = {
    Name            = "Ubuntu 20.04"
    ci-key-username = "ubuntu"
  }
}
Note
By default, CloudShare assigns ec2-user as the Linux User Name. To automatically define a custom User Name for a Linux VM at the time of creation, add a tag with the key ci-key-username and the desired User Name as its value. (See the example snippet above.) CloudShare will use this username to log in to that machine. For more details about this capability, click here.
Using Custom AMIs
Because we know that you will want to provide images containing your own software, CloudShare enables you to incorporate custom AMIs into your environments.
To use a custom AMI that you provide, perform the following steps:
Step 1: Create the AMI in your AWS account.
Step 2: Grant CloudShare permission to access your AMI.
- In the Console of your AWS account, select IAM service > Roles > Create role
- Choose Another AWS account and insert the CloudShare account ID into the Account ID field. Contact CloudShare Support for CloudShare’s account ID.
- On the Create Policy page, use the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:ModifyImageAttribute",
      "Resource": "*"
    }
  ]
}
- Name the newly created role ‘ModifyImage’.
Step 3: Make the AMI accessible to your CloudShare account.
Add references to your custom AMIs through your CloudShare Admin interface:
- Log in to your CloudShare account.
- From the left side menu, click External Resources > AWS AMIs.
- Click Add New on the top bar of the AMIs pages.
- Enter the details of your custom AMI.
- Optionally, if your AMI is encrypted, enter the encryption details of your AMI. (See more details in the following section.)
Upon completion of this procedure, your custom AMI will be accessible by CloudShare.
Note
If the image also exists in additional AWS Regions, perform Step 3 for those images in each Region as well. (Each is considered a different AMI, since each has a unique AMI ID.)
Encrypted AMIs
When your AMI is encrypted, it needs to be encrypted using a customer managed key (CMK).
In addition to the procedure detailed above in ‘Using Custom AMIs’, perform the following steps:
Step 1: Update the ModifyImage role by adding another policy with the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:PutKeyPolicy",
        "kms:GetKeyPolicy"
      ],
      "Resource": "arn:aws:kms:REGION:KEY_ACCOUNT_ID:key/KEY_ID"
    }
  ]
}
Replace the REGION, KEY_ACCOUNT_ID and KEY_ID parameters above with the appropriate CMK data. For example:
arn:aws:kms:us-west-2:453078712345:key/9ec319c5-6179-4c17-a37b-398f37712a34
Step 2: In the key’s policy, allow the ModifyImage role to use the key and to edit the policy, by adding the following statements:
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::MODIFY_IMAGE_ROLE_ACCOUNT_ID:role/ModifyImage"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:PutKeyPolicy",
    "kms:GetKeyPolicy"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::MODIFY_IMAGE_ROLE_ACCOUNT_ID:role/ModifyImage"
  },
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": "true"
    }
  }
}
Replace the MODIFY_IMAGE_ROLE_ACCOUNT_ID parameter above with the ID of the account where the ModifyImage role was created.
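A pre-apply check for the role policies and key policy statements above, as an added example (not CloudShare's or AWS's code): it reports unreplaced placeholders, malformed ARNs and wildcards, and lists the statements that grant kms:PutKeyPolicy or kms:CreateGrant so that handing them to the ModifyImage role is a reviewed decision. The names lint_policy, ARN_SHAPES, REVIEW_ACTIONS and TEMPLATE are assumptions, and the sample policy is constructed from the template on this page.

```python
import json
import re

# Placeholder tokens used by the policy templates on this page.
PLACEHOLDERS = ("REGION", "KEY_ACCOUNT_ID", "KEY_ID", "MODIFY_IMAGE_ROLE_ACCOUNT_ID")
ARN_SHAPES = {
    "arn:aws:kms:": re.compile(r"arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}"),
    "arn:aws:iam:": re.compile(r"arn:aws:iam::\d{12}:(root|(role|user)/[\w+=,.@/-]+)"),
}
# Actions that let the holder rewrite the key policy or delegate use of the key.
REVIEW_ACTIONS = {"kms:PutKeyPolicy", "kms:CreateGrant"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json, kind):
    """Lint an 'identity' policy (checks Resource) or a 'key' policy (checks Principal)."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if kind == "key":
            principal = stmt.get("Principal", {})
            arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        else:
            arns = as_list(stmt.get("Resource", []))
        for arn in arns:
            shape = next((rx for prefix, rx in ARN_SHAPES.items() if arn.startswith(prefix)), None)
            if any(token in arn for token in PLACEHOLDERS):
                findings.append((sid, "placeholder", arn))
            elif arn == "*":
                findings.append((sid, "wildcard", arn))
            elif shape and not shape.fullmatch(arn):
                findings.append((sid, "malformed-arn", arn))
        for action in as_list(stmt.get("Action", [])):
            if action in REVIEW_ACTIONS:
                findings.append((sid, "review-action", action))
    return findings


# Constructed sample: this page's role policy template (action list shortened),
# with the REGION / KEY_ACCOUNT_ID / KEY_ID placeholders not yet replaced.
TEMPLATE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:PutKeyPolicy"],
    "Resource": "arn:aws:kms:REGION:KEY_ACCOUNT_ID:key/KEY_ID"}]})

if __name__ == "__main__":
    for finding in lint_policy(TEMPLATE, "identity"):
        print(finding)
```

Run with kind "identity" against the ec2:ModifyImageAttribute policy from ‘Using Custom AMIs’, the check reports its "Resource": "*" as a wildcard, meaning the permission applies to every AMI in the account.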
Marketplace AMIs
CloudShare also enables you to utilize the massive selection of AMIs that are available from the AWS Marketplace, to your benefit.
If you need to use an AMI which requires a subscription, contact your CloudShare Support representative and provide one of the following details:
- the URL, or
- the Product ID of the Marketplace AMI.
Note
In the near future, CloudShare will introduce a new capability enabling you to add Marketplace AMIs directly from the CloudShare Admin console.
Note
Marketplace AMIs can change without warning, meaning that your IDs can also change. If there is an unexpected error and the AMI is unavailable, check the Marketplace to see if it's been disabled or deprecated.