Working with cloud providers

AWS

How do I get access?

Ask in the #team-infrastructure Slack channel for someone to add you.

To give someone access (important to follow these steps!):

  1. Navigate to IAM.
  2. Use the Add Users button at the top right to add their PostHog email as username and select 'password'.
  3. Important! Untick 'User must create a new password at next sign-in', as that'll cause issues with MFA.
  4. Pick AWS Management Console access and add them to the Team group.
  5. Slack the username, password and console link to the new user.
  6. User has to log in, set up MFA, log out, and then change password. They may need to log out again.

IMPORTANT: You must log out and then log back in!

This is because of MFA. Just adding MFA isn't quite enough for the AWS console, so if you are seeing a bunch of really weird permissions errors, log out, then log back in using your MFA token. This should resolve everything!

Permissions errors using AWS CLI

If you see something like:

<my-user> is not authorized to perform: <action> on resource: <resource> with an explicit deny

Note the "with an explicit deny" at the end, which is likely because we enforce Multi-Factor Authentication (MFA). Follow this guide to use a session token.

TLDR:

  1. Look up your MFA device name in the AWS console, under your security credentials: https://console.aws.amazon.com/iam/home#/users/<user-name>?section=security_credentials
  2. Run aws sts get-session-token --serial-number <arn-of-the-mfa-device> --token-code <code-from-token> --duration-seconds 129600, where code-from-token is the same code you'd use to log in to the AWS console (e.g. from the Authy app).
  3. Run the following, replacing the placeholder values with the ones from the previous command's output:

       export AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
       export AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
       export AWS_SESSION_TOKEN=example-session-token-as-in-previous-output

  4. Unset them when done (after they expire, and before running get-session-token again):

       unset AWS_ACCESS_KEY_ID && unset AWS_SECRET_ACCESS_KEY && unset AWS_SESSION_TOKEN
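
The session-token steps above wrapped in two shell functions, as an added example that is not part of the original handbook page. It assumes your long-term access keys live in an AWS CLI profile rather than in environment variables; mfa_login and mfa_logout are hypothetical names.

```shell
# Added example, not from the handbook. Assumes long-term access keys are
# stored in an AWS CLI profile; mfa_login/mfa_logout are hypothetical names.

# Usage: mfa_login <arn-of-the-mfa-device> <code-from-token>
mfa_login() {
  local serial code creds key secret token expires
  serial=$1
  code=$2

  # Reject malformed input before it reaches the API.
  case $serial in
    arn:aws:iam::*:mfa/*) ;;
    *) echo "mfa_login: expected the ARN of an MFA device" >&2; return 2 ;;
  esac
  case $code in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "mfa_login: token code must be 6 digits" >&2; return 2 ;;
  esac

  # Command substitution runs in a subshell, so clearing stale session
  # variables here makes the CLI sign with the profile's long-term keys
  # without touching the caller's environment if the call fails.
  creds=$(
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    aws sts get-session-token \
      --serial-number "$serial" --token-code "$code" \
      --duration-seconds 129600 --output text \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]'
  ) || { echo "mfa_login: get-session-token failed" >&2; return 1; }

  # --output text prints the four fields on one tab-separated line.
  read -r key secret token expires <<EOF
$creds
EOF
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "mfa_login: unexpected STS output" >&2; return 1
  fi

  # Export only after everything succeeded; the secrets are never printed
  # or typed, so they stay out of scrollback and shell history.
  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN="$token"
  echo "Session credentials exported, valid until $expires" >&2
}

# Step 4: drop the session credentials from the environment.
mfa_logout() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}
```

Source the file in your shell, then run mfa_login with your MFA device ARN and the current code; run mfa_logout when done.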

Deploying PostHog

See docs here.

GCP

How do I get access?

Ask in the #team-infrastructure Slack channel for someone to add you.

To give someone access: Navigate to PostHog project IAM and use the +Add button at the top to add their PostHog email address and toggle Basic -> Editor role.

Deploying PostHog

See docs here.

DigitalOcean

How do I get access?

Ask in the #team-infrastructure Slack channel for someone to add you.

To give someone access: navigate to PostHog team settings page and use the Invite Members button to add their PostHog email address.

Edit 1-Click app info

This can be done in the vendor portal: click on PostHog with Approved status to edit the listing.

The code and setup files are in the digitalocean/marketplace-kubernetes repository.

Deploying PostHog

See docs here.
