Architecture
ConsoleMe is a Python Tornado web application backed by Redis, DynamoDB, and (optionally) S3. For local development, our docker-compose-dependencies.yaml file can be used for local DynamoDB and Redis.
ConsoleMe utilizes a hub-and-spoke architecture. The "Hub Account" is the AWS account ConsoleMe is deployed in. The "Hub Role" (also called the "Central Role") is the IAM role ConsoleMe itself runs as. This role is directly attached to the EC2 instances or ECS/K8s containers that ConsoleMe is running on. There is only one Hub Role per deployment of ConsoleMe.
There should be one "Spoke Role" on each of your AWS accounts, including on the Hub Account. ConsoleMe will use its Hub Role to assume the Spoke Roles across your various accounts to cache resources or update permissions.
The required IAM permissions for the Hub and Spoke roles are here.
The one exception to the hub-and-spoke model is when ConsoleMe is brokering credentials to roles, to either provide AWS console access or CLI credentials through Weep. In this case, ConsoleMe's Hub Role needs direct access to assume the requested role in order to broker credentials.
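To make the trust relationships this model implies concrete, here is an added audit helper (example code, not part of ConsoleMe) that builds the trust policy a Spoke Role needs, lists every role the Hub Role must be able to assume (one Spoke Role per account, the Hub Account included, plus any brokered roles), and reports which of those trust policies do not admit the Hub Role. Role names, account IDs and policies are constructed for the example.

```python
"""Audit helper for ConsoleMe's hub-and-spoke role model (constructed example)."""

SPOKE_ROLE_NAME = "ConsoleMeSpoke"  # assumed name; any per-account role name works


def hub_role_arn(hub_account: str, hub_role_name: str = "ConsoleMeCentral") -> str:
    return f"arn:aws:iam::{hub_account}:role/{hub_role_name}"


def spoke_role_arn(account: str) -> str:
    return f"arn:aws:iam::{account}:role/{SPOKE_ROLE_NAME}"


def spoke_trust_policy(hub_arn: str) -> dict:
    """Trust policy a Spoke Role needs: only the Hub Role may assume it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": hub_arn},
                           "Action": "sts:AssumeRole"}]}


def hub_may_assume(trust_policy: dict, hub_arn: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole to the Hub Role ARN explicitly.
    A bare Principal "*" is deliberately not counted: it is a misconfiguration, not a grant."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        if hub_arn in aws:
            return True
    return False


def required_assumptions(hub_account, accounts, brokered_roles) -> set:
    """Every role ARN the Hub Role must assume: a Spoke Role in each account
    (the Hub Account included) plus each role ConsoleMe brokers credentials for."""
    spokes = {spoke_role_arn(a) for a in set(accounts) | {hub_account}}
    return spokes | set(brokered_roles)


def audit(hub_account, accounts, brokered_roles, trust_policies: dict) -> list:
    """Return the required role ARNs whose trust policy does not admit the Hub Role."""
    hub = hub_role_arn(hub_account)
    needed = required_assumptions(hub_account, accounts, brokered_roles)
    return sorted(arn for arn in needed
                  if not hub_may_assume(trust_policies.get(arn, {}), hub))
```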
ConsoleMe makes use of several DynamoDB tables. If you plan to have a multi-region deployment of ConsoleMe, you must make these DynamoDB tables global in your production environment. The configuration of these tables is defined here.
consoleme_iamroles_global
A cache of your IAM roles.
consoleme_config_global
ConsoleMe's configuration.
consoleme_policy_requests
User-submitted policy requests.
consoleme_resource_cache
Resources cached from AWS Config.
consoleme_cloudtrail
An aggregation of recent CloudTrail errors associated with your resources. (Note: The OSS code will not generate this for you yet.)
Redis is used to cache content for quick retrieval by the frontend. By default, this information is cached in the default Redis logical database (0).
Redis is also used by the Celery Beat scheduler and workers to negotiate and execute Celery tasks. By default, ConsoleMe assigns logical database 1 for this purpose.
Here is a non-exhaustive list of the common Redis keys, and the values you can expect to find under them, in your Redis cache:
ALL_POLICIES
A JSON listing of all roles and resources, used for the /policies endpoint.
CREDENTIAL_AUTHORIZATION_MAPPING_V1
A cache of your credential authorization mapping (i.e. which users and groups are allowed to retrieve credentials for which roles).
AWSCONFIG_RESOURCE_CACHE
A cache of resources discovered by querying AWS Config.
SNS_TOPICS
A list of SNS topics discovered by querying SNS across your accounts.
ALL_POLICY_REQUESTS
A list of all historic policy requests, used by the /requests endpoint.
ALL_AWS_ACCOUNTS
A list of all of your valid AWS accounts.
IAM_MANAGED_POLICIES
A list of all of your IAM managed policies. This is used to populate the managed policy typeahead in ConsoleMe's policy editor.
IAM_ROLE_CACHE
A list of all of your IAM roles and their known state. This is used to quickly retrieve information about a role.
Data typically stored in Redis can also be stored in S3. This is useful if you want to make use of this data outside of ConsoleMe, or if you want a quick and easy way to restore data that is no longer in Redis.