-
GCP: Managing IAM Access Control Across Projects -- The Simpler Version
GCP resources are organized into projects – all resource IDs and IAM principals are grouped under a project ID. This means that by default, roles assigned to a principal (e.g. a user or service account) are scoped only to that project's resources. This can be tricky if, say, your images are in one project's storage bucket and your app is running in another.
If you want to give a service principal in one project access to resources in another, the approach is not obvious, nor is it well documented.
-
Publish Free Static Websites With Firebase, Hugo and Google Cloud Builder -- Part 1
Static site frameworks like Hugo allow you to manage content with Markdown and publish it via scalable hosting platforms like Firebase Hosting. Uptime, performance and operations cost per user can't be beat – you can easily serve millions of pageviews for less than $10/month.
In this tutorial we'll make a production-ready personal website that supports multiple collaborators, built using Hugo. Moreover, we'll publish with the free-to-start Firebase Hosting CDN and build automatically using Google Cloud Builder.
-
Writing Custom Metrics to Stackdriver in Golang
Instrumentation is a critical part of any application. Along with system counters like CPU, heap, free disk, etc., it's important to create application-level metrics so that health is measured closer to your customer's experience.
Example metrics could be user-registration, password-change, profile-change, etc. A major spike or dip in these metrics can indicate a wider problem.
For this example a custom metric was needed, and no infrastructure was in place for harvesting it (e.g. collectd). Golang is handy for creating an easy-to-install daemon which performs the measurement and periodically harvests the data into Stackdriver.
-
Using AWS IOT To Arm Blink Cameras
Blink security cameras are an affordable home security camera system. Although they lack a formal public API, inventive devs have reverse-engineered their private API to allow for better integration.
Here we’ll use AWS IOT Core, Lambda and node-blink-security to arm and disarm Blink security cameras using an AWS IOT Button.
Activating Your IOT Button
The IOT Button must be configured to your account, which includes joining it to your wifi access point, and installing the client certificates.
-
Get Started with Bitcoin Using Docker
Like me, you’re probably more comfortable on a CLI. Here’s a quick way to use docker to set up a Bitcoin Wallet and trade Bitcoin for free on Testnet with Electrum. You can use the same tools to manage your real Bitcoin wallet too.
Setup
Make sure you have Docker for your OS (Mac, Windows, Linux).
Run the `electrum-cli` docker image
Electrum is a Python-based Bitcoin wallet with both a GUI and a good CLI. I've put together electrum-cli, a lightweight Alpine Linux Docker image with Electrum (signature-verified) and jq installed.
-
Using Custom Docker Images on Bitbucket Build Pipeline
Usually setting up the build dependencies is a major part of each build job. Thankfully, Atlassian’s Bitbucket Pipelines, the new CI platform that integrates into Bitbucket, supports custom docker images.
To configure the build pipeline, you create `bitbucket-pipelines.yml`. This one uses our custom image (built below) and triggers builds whenever a `release-*` tag is pushed.

```yaml
image: tonymet/tonym.us:latest
pipelines:
  tags:
    release-*:
      - step:
          script:
            - make sync_down_images
            - make s3_upload
```
That first line is the magic part – you can run ANY public docker image from dockerhub (and private ones as well with further setup).
-
Creating TGZ artifacts from Docker Images to Enable Service Migrations
A common migration pattern when moving to docker includes running some systems (e.g. dev, staging or a prod canary) on your docker image while the production app is still running your traditional tgz artifacts (e.g. your node app with node_modules).
Let's create a travis build that creates two artifacts: (1) your docker image and (2) a tgz from the docker container.
Let's assume you have a basic dockerfile with your app.js and a package.json. The key is that the app is built into `/usr/src/app`.
-
App Script for Modifying Google Groups
Google App Script is a little-known, yet powerful development platform for enhancing and automating google services. I use it for administration and building custom tools. Here are some things I've used it for:
- a web app that scans emails for certain patterns and puts the results in email
- index email into a sql db to build charts & reports (e.g. 7d volume, top senders)
- automate account settings changes & cleanup
- bulk migration of email between accounts or from shared accounts to groups
- various google spreadsheet formulas
- various google docs macros like timestamps
Sadly, the platform is a bit tricky to set up – but it only needs setting up once. Let's intro the setup and a basic configuration.
-
Free SSL Certificates using ACM (AWS Certificate Manager)
2016 may be the year of free SSL, and AWS ACM (AWS Certificate Manager) is a great offering for Cloudfront & ELB users (most web apps).
Not only is it free, but it's also the simplest certificate management platform:
- request a new certificate in minutes
- no server config needed
- no certificate, chain or private key management
- automatic certificate rotation
Here’s how to create a certificate and then install it onto your cloudfront distribution.
-
Creating a Varnish Load Balancer for Opsworks
Varnish is an amazing platform – it can easily help you handle 100x traffic and is easy to add to your existing frontend or API layer with little to no change to your app.
Here we'll go over some neat tricks leveraging chef, the AWS Opsworks API and the opsworks `configure` lifecycle event to create a lightning fast load balancer & reverse proxy that automatically updates itself.
Setup
- Create a new `varnish` layer that installs the `varnish` and `jq` packages
-
Using the AWS EC2 Container Registry with EC2 Container Service
AWS announced recently that its EC2 Container Registry (ECR) is now available. ECR simplifies hosting private images. Previously, you had to manually push your docker.io credentials to each EC2 instance – likely a deliberate pain-point encouraging you to use ECR. With ECR, EC2 container hosts can easily fetch private images using IAM authentication.
Here are some of the gotchas and stumbling blocks to help you get your repository up quickly and painlessly.
-
Securing Your Network Using Auto-Updating Security Groups
We all know that no ports should be open to the internet for development purposes, but for convenience it's common to find a security group with port 22 (SSH) open to `0.0.0.0/0`. Even narrower ingress rules can create backdoors.
Here we'll show you how to create an auto-updating security group that adds your active WAN IP address when you connect. This way, only your active IP is authorized.
Create the "development" security group with no ingress

```sh
aws ec2 create-security-group --group-name=development --group-description="ssh access for my dev machine"
```

Create a limited role that can only update this security group
Since you may want to embed this script on your router or elsewhere, it's important to generate a restricted access key that can only do one thing. Create a user and add this policy:
-
Delegating Admin Credentials using IAM Roles and Cloudwatch Alerts
It’s hard to strike the right balance with admin rights–either the rights are too strict and people can’t get work done or they’re too lenient and you have security issues.
As a compromise, AWS provides the `AssumeRole` feature which lets admins temporarily escalate their role to perform a task. It's important when setting this up that you alert the team when it's used. Here we'll talk about how to set up the roles, give teams access to the roles and create an alert system when the roles are assumed.
-
Using AWS Lambda for Web Video Transcoding
Often your creative team will produce master videos in 4k or 1080p, but you need to downcode these videos into 720p/1080p for web broadcasting. Here we automate transcoding of masters into web-friendly formats like 720p h264 mp4 & webm.
AWS Elastic Transcoder is a cloud video transcoding service. At its simplest it transcodes video files from one bitrate, framerate, codec, container, etc. into another. By default you trigger new jobs either manually in the aws console or via the REST API. And naturally all inputs & outputs are saved in S3.
-
Wordpress Cron on Opsworks
By default Wordpress uses its own pseudo-cron which triggers with every request. Obviously this is wasteful since (a) the queue needs to be inspected with every GET and (b) jobs like publishing articles will interfere with serving content.
Some suggest calling the `wp-cron.php` GET request with curl in a cron like this:

```sh
* * * * * curl http://www.mysite.com/wp-cron.php
```
but that’s sub-optimal since it needlessly ties up a worker during the cron execution.
-
HTTP Redirects with Cloudfront & S3
Redirects can account for a significant share of direct traffic so taking a few minutes to optimize them is worthwhile.
Using Cloudfront & S3 for redirects will improve responsiveness, reduce server load and improve management (since they are managed via `aws-cli` or the console).
Let's say you have a typical `.htaccess` redirect like this:

```apache
RewriteEngine On
### re-direct to www
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Or worse, it could look like this in your `index.php`
-
Better Battery Statistics with Battery Historian
Continuing the relentless quest to keep my phone speedy, I stumbled upon a developer tool that is useful to anyone needing to troubleshoot a slow, short-lived or overheating phone – Battery Historian.
Battery Historian shows you a much more detailed and informative battery stats chart, highlighting the individual apps and sync services which are keeping your phone awake/busy in the background. It also shows network, wifi status, gps and more.
-
Debugging Android Performance & Battery Issues--Like a Developer
I have a frustrating relationship with my phone’s performance. I can cleanup my phone for a few days, but it tends to revert to being sluggish within no time. I’ve had dozens of devices and they all suffer from this.
There’s a lot of voodoo about Android Performance and Battery life–task managers, factory resets, etc.
Here's a more developer-oriented process using adb.
Using ADB to identify process hogs
By connecting your device to the Android SDK, you can use ADB to identify process hogs. If you can, just remove the app. Otherwise, delete its data (see `pm clear` below).
-
Validating side-loaded APKs
I was desperate to try Hangouts 4.0 for Android, but suspicious of side-loading. I wanted to verify that the APK signing cert had Google's fingerprint of `38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88`.
Here's how to check the signatures on an APK, as usual, in shell functions (JDK needed):

```sh
# verify the jar signature and list the signing certs
apk-check () {
  jarsigner -verify -verbose -certs "$1"
}
# print the signing certificate (including its SHA1 fingerprint)
apk-print-cert () {
  keytool -list -printcert -jarfile "$1"
}

# usage
# make sure it's verified
$ apk-check *apk | grep verified
  s = signature was verified
jar verified.

# show cert identifier
$ apk-check *apk | grep X.509 | head -n2
X.509, CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
X.509, CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US

$ apk-print-cert *apk | grep SHA1
SHA1: 38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88
```
-
Opsworks -- Quickly Listing Hosts on the Command Line
Here's a great example of using the aws-cli to speed up your life. Uses jq and aws-cli.

```sh
# bash / zsh function
function opsworks-hosts-prod () {
  aws opsworks describe-instances --stack-id=fffff-fffff-ffff-fff-fffffff \
    | jq '.Instances[].PublicDns' | grep -v null | sed s/\"//g
}

# usage
$ opsworks-hosts-prod
XXXXX.compute-1.amazonaws.com
XXXXX.compute-1.amazonaws.com
XXXXX.compute-1.amazonaws.com
XXXXX.compute-1.amazonaws.com
```
-