This test suite requires both Google Cloud Products and AWS access credentials.
These tests rely on test service providers (SPs) to validate behaviors. These SPs run on AWS EC2 instances. Because they are only needed for these tests, they do not run all the time. Therefore the test environment needs to be able to turn these instances on and off, so that humans don't have to.
GCP is used to upload test artifacts ("webdriver reports") as well as secrets (namely, test identity credentials). Developers with requisite permissions can access and edit those secrets here.
[REQUIRED]
In order to run these tests, you must have a GOOGLE_APPLICATION_CREDENTIALS environment variable set. The variable
needs to point to the /path/to/some.json; the JSON file must have been downloaded from GCP after creating a Service Account.
This file should be unique to every user, and should not be shared.
If you are an IAM developer with access to our GCP Aux. project, you can create a service account yourself. Otherwise, have someone with access do this for you and send you the JSON. This credential file cannot be retrieved; if you lose it, another one must be created, and the original revoked.
This is a one-time requirement.
- Log in to GCP using the link in the first section of this document.
- In the search bar, type "Service Accounts"; click the entry that reads "Service Accounts."
- Click on "+ Create Service Account"
- Fill in the form:
- [Service account name] "uwit-iam-dev-${YOUR_NETID}"
- [Service account ID] "uwit-iam-dev-${YOUR_NETID}"
- [Service account description] "Developer access to the IAM GCP Aux. project."
- Click "Continue"
- On the next page, add the following roles:
- Secret Manager Secret Accessor
- Secret Manager Secret Version Manager (because that's not confusing at all)
- Storage Object Viewer
- Click "Continue"
- Click "Done." You will be taken back to to the service account listing.
- Locate and click on the service account you just created.
- Under "Keys," click "ADD KEY" => "Create new key." Select JSON.
- Download this key to your machine; you should only ever have to do this once, so put this somewhere central and permanent.
It is recommended to export this key as part of your terminal activation. Users on Linux or MacOS can run:
echo "export GOOGLE_APPLICATION_CREDENTIALS=/path/to/some.json > ~/.bash_profile
/path/to/some.jsonshould be replaced with the path to the JSON file you saved in step 11 above.~/.bash_profilemay need to be replaced with~/.bashrc,~/.zshrcor some other name, depending on your personal terminal setup and preferences.
This is not required - There are shared access keys used by default that are accessed at runtime using your Google credentials (above). Only do this if you know you have a new use case!
For programmatic access to AWS, you need to first log in to the AWS console using the link in the first section of this document.
If offered the option on sign in, choose "sandbox-iamteam."
- Click on "Services"
- Search for "IAM", and click on the entry.
- Click on "Users."
- Click "Add user."
- Fill in the form:
- User name => your UW netid
- Access type => Programmatic Access (Do not select console management access!)
- Click "Next: Permissions"
- Click the box next to "idp-web-test-runners".
- Click "Next: Tags"
- Click "Next: Review"
- Click "Create user"
- Copy the access key id and paste it somewhere safe. (We'll come back to it in a minute.)
- Click "Show" under "Secret Access Key", copy it, and paste it somewhere safe.
- Make very sure you have pasted the secret access key; you won't be able to see it again.
- Click "Close"
These should be exported as environment variables with the following names:
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
You may also consider installing the AWS cli
(pip install awscli), running aws config, and pasting the entries there.
Either option will work for Boto3, which creates AWS clients.