[{"authors":null,"categories":null,"content":"My name is John McCracken and I am a Cloud Engineer based on the west coast of Scotland.\nWith almost 20 years’ experience, I have a range of knowledge covering most aspects of tech. I’m mainly focused on AWS, but also have experience in Azure. I’ve reached this point in my career via various roles including training, database admin, web development, infrastructure management and security.\nI’ve worked with some great people over the years, some of them seriously clever. Obviously none of that rubbed off on me.\nAway from a keyboard, I walk my dogs, grow vegetables and then eat them. A true rock n roll lifestyle!\n","date":1763164800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1763164800,"objectID":"4f8ede94661089a2bb01b50b2080c5b0","permalink":"/post/about/","publishdate":"2025-11-15T00:00:00Z","relpermalink":"/post/about/","section":"post","summary":"My name is John McCracken and I am a Cloud Engineer based on the west coast of Scotland.\nWith almost 20 years’ experience, I have a range of knowledge covering most aspects of tech. I’m mainly focused on AWS, but also have experience in Azure. I’ve reached this point in my career via various roles including training, database admin, web development, infrastructure management and security.\nI’ve worked with some great people over the years, some of them seriously clever. Obviously none of that rubbed off on me.\n","tags":null,"title":"About","type":"post"},{"authors":["John McCracken"],"categories":null,"content":"This post is a quick description of the simple Continuous Integration\\Deployment used for this website.\nI’m under no false impressions that this is a great website, but it suits my needs and is easy to maintain and best of all: it’s all free!\nIt’s a Hugo static website, which means it requires no web server. 
I’ve previously used S3/CloudFront, but currently it’s on Netlify, with Cloudflare providing SSL and CDN.\nThe Hugo site is stored on GitHub; a merge to the main branch triggers 2 GitHub Action workflows:\nWorkflow 1 This triggers a deployment to Netlify, which triggers a Hugo build and update of the live website.\nWorkflow 2 This triggers the build of a Docker image of the site and uploads it to Docker Hub. I use the Docker image for messing about with in Kubernetes.\nA security scan is done on the image with any CVEs reported.\nSummary This is all very simple, but any changes are deployed within 60 seconds. This is completely automated with rock solid stability.\n","date":1763164800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1763164800,"objectID":"36b629eba2ba09ef969748ddca197371","permalink":"/post/cicd/","publishdate":"2025-11-15T00:00:00Z","relpermalink":"/post/cicd/","section":"post","summary":"This post is a quick description of the simple Continuous Integration\\Deployment used for this website.\nI’m under no false impressions that this is a great website, but it suits my needs and is easy to maintain and best of all: it’s all free!\n","tags":["website","cicd"],"title":"Static Website CI/CD setup","type":"post"},{"authors":["John McCracken"],"categories":null,"content":"Introduction IAM user access keys are the normal way to access AWS from an external source. Generally this is the method to use for machine/code access to your AWS estate.\nThis is OK, but comes with some issues:\nLong-lived credentials expand the window of opportunity for an attacker to exploit the access key. Rotating secrets can be hard to manage; synchronising credential rotation with third parties can be complex. It just doesn’t scale; anything over a handful of access keys becomes hard to manage. 
AWS’s preferred solution is to use AWS IAM Roles Anywhere for workloads outside of AWS.\nShort-term rotating credentials Uses industry standard X.509 certificates Reduces management complexity Although a bit more complex to set up, AWS IAM Roles Anywhere is a much more elegant, scalable solution for workloads. It also ticks all current AWS security best practices.\nHow does IAM Roles Anywhere work? Workloads use SSL certificates (end-entity certificates) which have been signed by a Certificate Authority (CA). The CA can either be external or provided by AWS. Create a Trust Anchor between IAM Roles Anywhere and the CA. Create a Profile, which defines the IAM policy to apply after successful authentication. Be aware that although IAM Roles Anywhere is free, if you use AWS Private CA there will be a cost; it’s around $400 per month! I believe you can cancel within the first 30 days free of charge.\nIn this demo, I’ll stick with a free, self-generated external one. It’s a bit of a pain to generate, but hopefully this demo makes it as painless as possible.\nWhat this guide intends to do Generate an external CA. Generate an end-entity certificate which is signed against the CA. Set up an IAM Roles Anywhere Trust Anchor with the CA certificate. Set up an IAM Roles Anywhere Profile and link an IAM Policy. Set up a local machine to use aws_signing_helper in an AWS Profile. Demonstrate it works with AWS CLI and Python/boto3. Setting up IAM Roles Anywhere I’ve tried to script as much as possible; that way you can get it running as quickly as possible and it still offers the full details for those who want to dig deeper under the hood.\nI’ve created a repo for all this goodness: aws-iam-roles-anywhere-public-demo\nThis contains the following:\nShell script to generate CA and end-entity certificates Terraform to deploy to AWS Python example script to test access All instructions are for Linux/MacOS. 
If you’re using Windows, you’ve got bigger problems than trying to follow this blog.\nGenerate a Certificate Authority and an End-Entity Certificate On the CLI, clone the repo and go to the root directory. There is a bash script located there called create-ca.sh which can be used to automatically generate the required certificates.\nThis uses a config file root-ca/root-ca.conf; you can use the default values or edit it to suit your requirements.\nOpen the script create-ca.sh and have a look over what it’s actually doing; the comments hopefully help clarify.\nThe certificate values are stored in root-ca.conf and client-ca.conf.\nOnce you’re comfortable with the contents, run the script:\nsh ./create-ca.sh\nWhen prompted, select Y for any prompts.\nYou should now have the following created in the root-ca folder:\ncerts folder containing a CA .pem file db folder with CA version data private folder with a private key and certificate signing request file clients folder with end-entity certificate key/pem file These are all the files required to get started. 
Be aware this is all basic stuff and shouldn’t be used in a production environment.\nNote: this script copies the following files from the ./clients/ folder into your ~/.ssh folder:\n~/.ssh/iam-roles-anywhere-demo.key ~/.ssh/iam-roles-anywhere-demo.crt Please delete these manually afterwards.\nDeploy the Infrastructure as Code Feel free to deploy by click-ops; it’s pretty self explanatory, but everything really should be IaC.\nMake sure you have authenticated to the AWS account you wish to use, by pasting access keys into the CLI or however you normally do it.\nFrom the root directory, cd terraform then\nterraform init terraform apply\nThe plan output should create the following:\naws_rolesanywhere_trust_anchor Creates a Trust Anchor; this connects IAM Roles Anywhere to the certificate.\naws_iam_role This is the role used by IAM Roles Anywhere; it has a condition that the certificate Common Name (CN) must be ‘IAM Anywhere Demo’.\naws_iam_role_policy_attachment Attaches the managed policy AmazonS3ReadOnlyAccess to the role.\naws_rolesanywhere_profile Creates an IAM Roles Anywhere Profile called ‘iam-roles-anywhere-demo’. Note that the profile is also linked to the managed policy AmazonS3ReadOnlyAccess. The profile can set the maximum permission boundary.\nFor example, if I had attached AmazonS3FullAccess to the role, the Profile permissions would restrict S3 permissions to read only.\nCheck over the plan and if all looks good to you, type yes to deploy.\nIf all goes well, the resources should be deployed to your specified AWS account.\nThe …","date":1755993600,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1755993600,"objectID":"3c00f9399a831e61703b687ab27ad5ad","permalink":"/post/iam-roles-anywhere/","publishdate":"2025-08-24T00:00:00Z","relpermalink":"/post/iam-roles-anywhere/","section":"post","summary":"AWS IAM Roles Anywhere is the preferred solution over using user access keys for machine access to AWS resources. 
This demo goes over setting up and using IAM Roles Anywhere.","tags":["aws","security"],"title":"AWS IAM Roles Anywhere Demo","type":"post"},{"authors":["John McCracken"],"categories":null,"content":"It’s unusual that I ever think of a use case where my technical skills can help my everyday life. But it’s now seed planting time, I have a lack of sunny windowsills and it’s still too cold to risk putting my seedlings in the greenhouse at night.\nSo I decided to write a quick solution that would alert me if the minimum nightly temperature dropped below a certain level.\nAs always, this is done in AWS, mainly because I’m more comfortable there, and Azure is also honking!\nHere’s the simple design that will run each evening and trigger an email if the minimum temperature falls below the supplied criteria. This is all built using the AWS free tier and will be deployed using Terraform.\nThe scheduler runs from February through to May at 8pm each night and sends an email if the minimum temperature falls below 12 degrees Celsius.\nFirstly, I signed up with https://www.weatherapi.com and use their excellent API service to request weather forecasts. One generated API key later, I was ready to go!\nI decided to write the Lambda function in Go, mainly because I’m new to the language and might as well improve my knowledge. I could have written this in Python in 20 mins, but where would the fun be in that? Some things took time to get my head around to begin with, mainly the error handling and the clunky JSON conversions.\nBut I do like Go; it’s nice and clean, its performance is excellent and the invocation times are impressive. 
Not that invocation times were an issue with this project…\nAnyway, it’s simplistic, but it works great and will help keep my chilli crop in good health.\n","date":1741651200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1741651200,"objectID":"adad60c575d3e3164492d74b4faa3832","permalink":"/post/weather_alerts/","publishdate":"2025-03-11T00:00:00Z","relpermalink":"/post/weather_alerts/","section":"post","summary":"It’s unusual that I ever think of a use case where my technical skills can help my everyday life. But it’s now seed planting time, I have a lack of sunny windowsills and it’s still too cold to risk putting my seedlings in the greenhouse at night.\nSo I decided to write a quick solution that would alert me if the minimum nightly temperature dropped below a certain level.\nAs always, this is done in AWS, mainly because I’m more comfortable there, and Azure is also honking!\n","tags":["aws","golang"],"title":"Weather Alerts Project","type":"post"},{"authors":["John McCracken"],"categories":null,"content":"I had to quickly fire up a website to find homes for our puppies. Using Hugo, Cloudflare and Netlify I had a site up and running within an hour, not bad indeed.\nThe dogs found homes pretty quickly among friends and family, so there was no actual need for the site.\nIt can live on as a tribute to my fur kids! Puppies for sale\n","date":1727654400,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1727654400,"objectID":"cce6e41f79784b1ecf3231eb6734d9eb","permalink":"/post/puppies/","publishdate":"2024-09-30T00:00:00Z","relpermalink":"/post/puppies/","section":"post","summary":"I had to quickly fire up a website to find homes for our puppies. Using Hugo, Cloudflare and Netlify I had a site up and running within an hour, not bad indeed.\nThe dogs found homes pretty quickly among friends and family, so there was no actual need for the site.\nIt can live on as a tribute to my fur kids! 
Puppies for sale\n","tags":["website"],"title":"Puppies website","type":"post"},{"authors":["John McCracken"],"categories":null,"content":"I have some blog posts on dev.to, but haven’t written anything in years.\nOne day I’ll write another post, but not today!\n","date":1723075200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1723075200,"objectID":"cf467bca9810baa3c149e8b088d15d53","permalink":"/post/one_day/","publishdate":"2024-08-08T00:00:00Z","relpermalink":"/post/one_day/","section":"post","summary":"I have some blog posts on dev.to, but haven’t written anything in years.\nOne day I’ll write another post, but not today!\n","tags":[],"title":"One Day...","type":"post"}]