Frequently Asked Questions


Who can get access to the SMCE?

The SMCE is organized by projects, and each project must be funded by NASA. This could be an internal NASA project or a ROSES funded research project. The Principal Investigator for an SMCE project is usually the PI for the larger named project, but the PI may also delegate that role as they see fit. We refer to the project’s PI as the NASA PI, simply because the funding for the project comes from NASA. The PI has complete control over who is allowed to join their project and to define what level of access is available for each user. In addition to the PI, projects are required to designate and provide a Project System Administrator who will be responsible for maintaining the systems and services for the project. The SMCE team can provide support for certain activities in the cloud, such as supporting the Science Analytics Platform. However, this needs to be discussed with the PI prior to obtaining access.

Who pays for the resources?

The projects pay for the AWS resources used in the SMCE with the NASA PI being responsible for the NASA funding. Monthly budget and spending reports are provided to the PI, and the SMCE team works hard to identify ways to continually reduce a project’s cost. Some seed funding is available on a case-by-case basis to provide initial usage and guidance for projects. This provides PIs with a quick way to get started to see how well the cloud meets requirements and to obtain a more accurate cost expectation based on usage of resources.

Add Daskhub/Cognito User

In the AWS console, search for “cognito”. Click on the Cognito box that appears or just hit Enter.

Open AWS Cognito in the appropriate AWS Account and Region (ex. smce-main, us-east-1)

Navigate to your project’s AWS Cognito User Pool

Click “Create User”

Complete the “Create User” wizard

  • Send both email and phone SMS invitation
  • Username
    • For NASA – Should be the NASA AUID
    • Non-NASA – Up to the User, follow similar naming convention
  • Email Address
  • Phone – Must start with +1 then no hyphens or parentheses
  • Set SMCE-compliant temporary password (uppercase, lowercase, number, special char)
  • Note: If you need to reset a temporary password that has expired, run the following AWS CLI command in a CloudShell:
aws cognito-idp admin-set-user-password --user-pool-id <POOL_ID> --username <USERNAME> --password <PASSWORD> --no-permanent

SSH Access To an EC2 Instance

This documentation explains how to create an SSH key pair and add the public SSH key of a Linux OS user on an SSH server. It assumes that the OS user has already been created on the destination machine.

Definitions
  • Source machine: Refers to the system where the user will be connecting from. This is the SSH client.
  • Destination machine: Refers to the system where the user will connect to. This is the SSH server/host.
Steps
  1. Create SSH keys: run ssh-keygen, leaving the default options. Most modern Linux distributions already come with this command.
    • This will create 2 files:
      • ~/.ssh/id_rsa (Private Key)
      • ~/.ssh/id_rsa.pub (Public Key)
  2. Copy contents of public key
    • The default location is ~/.ssh/id_rsa.pub
  3. On the destination machine, make sure the following file exists in the home directory of the user you would like to connect as: ~/.ssh/authorized_keys
    • Note: If the file does not exist yet, you can simply create it.
  4. Make sure the ~/.ssh directory and the ~/.ssh/authorized_keys file are accessible only by the file owner. The directory needs read/write/execute for the owner (without the execute bit it cannot be traversed and the key file cannot be read); the file needs read/write for the owner.
    • chmod 700 /home/<user>/.ssh
    • chmod 600 /home/<user>/.ssh/authorized_keys
  5. Make sure that the ~/.ssh directory and the ~/.ssh/authorized_keys file are owned by the correct user. They should be owned by the owner of the /home/<user> directory.
    • chown -R <user>:<user> /home/<user>/.ssh
  6. Paste the contents of the public key into /home/<user>/.ssh/authorized_keys

From the source machine, you should now be able to use the following command to log into the destination EC2 instance:
ssh <user>@<destination> -i ~/.ssh/id_rsa
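
The destination-machine steps above, collected into one idempotent shell helper plus a permission check. This is an added example, not part of the original SMCE documentation; the function names install_pubkey and check_ssh_perms are hypothetical, and the check assumes mode 700 on ~/.ssh and 600 on authorized_keys.

```shell
#!/bin/sh
# Added example: install a public key for SSH login and verify the modes.
# install_pubkey and check_ssh_perms are hypothetical helper names.

# install_pubkey <home_dir> <public_key_line> [owner]
# Creates <home_dir>/.ssh (700) and authorized_keys (600), then appends the
# key only if that exact line is not already present.
install_pubkey() {
    home_dir=$1; key=$2; owner=${3:-}
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"

    # Refuse anything that is not a single "type base64 [comment]" line.
    case "$key" in
        *"
"*) echo "key must be one line" >&2; return 1 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # If the file lacks a trailing newline, add one so keys do not merge.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    # -x whole line, -F fixed string: exact-match test for idempotency.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    # Changing ownership needs root; skipped when no owner is given.
    if [ -n "$owner" ]; then chown -R "$owner:$owner" "$ssh_dir" || return 1; fi
}

# check_ssh_perms <home_dir>: succeed only if .ssh is a directory with mode
# 700 and authorized_keys is a regular file with mode 600.
check_ssh_perms() {
    ssh_dir="$1/.ssh"
    [ -n "$(find "$ssh_dir" -prune -type d -perm 700)" ] || return 1
    [ -n "$(find "$ssh_dir/authorized_keys" -prune -type f -perm 600)" ] || return 1
}
```

Run as root on the destination machine, for example install_pubkey /home/<user> "$(cat id_rsa.pub)" <user>, then check_ssh_perms /home/<user> to confirm the result before testing the login.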

Resetting/Changing IAM user password with Console Access

Access the user’s account via IAM > Users > select username

If the credentials expired and the user was added to the “AccountDisabled” group, remove the user from that group before proceeding.

Re-enable console access: go to the Security Credentials tab and then click on “Manage console access”.

Create or autogenerate a new password and enable console access. Important: Select “Require password to reset”.

Download the temporary credentials as a CSV file and securely share it with the user. Note: For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.

Create IAM User

Before creating IAM User:

  1. Get PI authorization for the particular user.
  2. Request a signed User Agreement.
  3. Request that the intended User read the General Security Training Document and provide a statement that they have read it.
  4. If the intended User is to have Elevated Privileges, they must also read the Elevated Privileges document and provide a statement that they have read it.

Note: User Agreement and training documents cannot be posted in a public area and must be emailed to a known individual. Also, do not forget step 14 below.

Adding a User

1. Open the IAM Console in your project’s AWS account

2. On the left toolbar click on “Users”

3. On the top right of the screen click on “Add Users”

4. Enter the desired Username

5. For humans, check “Password – AWS Management…”; for service accounts, check “Access Key- Programmatic”

6. Make sure “Require password reset” is checked

Permissions

7. Click “Next – Permissions”

8. All IAM Users are added to “SMCE-UserRestrictions” IAM Group. If the user is a PI, SA, or fluent in AWS, add to “SMCE-ProjectAdmins”. All other IAM Users should be added to the “SMCE-ProjectPowerUsers” IAM Group.

Tags

9. Click “Next – Tags”

10. The tag Key is ‘email’ and the tag Value is ‘{email-address}@nasa.gov’ (Lowercase ‘e’)

Review

11. Click “Next – Review” and verify the information is correct

12. Click “Create User”

Final Steps

13. Send email to the new User and have them check for the auto generated email in Microsoft Quarantine.

14. Send the signed User Agreement, the statements from the User that the General and, if required, the Elevated Privileges Training documents were read, and the IAM userid that you assigned to your new IAM User to smce-admin@lists.nasa.gov

“This research has made use of the NASA Goddard Science Managed Cloud Environment (SMCE), which is a service of the Computational & Information Sciences and Technology Office at the NASA Goddard Space Flight Center.”