Substrate Newsletter Vol 1

Welcome to the first Substrate newsletter, where we highlight some of the best new capabilities added in the past few months and provide a preview of what’s coming next. To take advantage of all the new features, we recommend upgrading Substrate to the latest version and then doing so one monthly release at a time.

See our upgrade instructions for details. And please do ask us for help if you run into any trouble. We also recommend reading through the release notes for each release after your current version to see if there is any special care required. (More on how we’ve made this easier in a bit.)

Easier IAM role creation

IAM roles can now be now be created with the substrate create-role command. As you grow, it becomes less appropriate to assign everyone the Administrator role. With these new tools, teams or even individuals can be given tailored access to AWS accounts by domain and/or environment with only the privileges they need.

For example, if you already have a domain called app and you want to separate out any payments processing-related services into a payments domain, you can create the new domain with:

substrate create-account -domain payments -environment production -auto-approve

Then create a role for the Payments engineering team, so only they can access the payments domain in the production environment:

substrate create-role -role payments -domain payments -environment production -humans -administrator-access -role Payments

After, assign that role to the team in your IdP and you’re ready to go!

substrate create-role in action, creating a Payments role in the payments domain.

12 Hour AWS Console sessions

On the Substrate intranet’s Accounts page, you’ll now find 12-hour AWS console sessions available. This means if you use the Substrate intranet to access the AWS console for any of your Substrate-managed accounts, you can stay logged in for 12 hours. We think this is a huge quality of life improvement from the default 1-hour console session.

Simplified Setup and Upgrades

We keep to a monthly Substrate release schedule, but we know it can be hard for customers to keep up to date, especially if it involves ensuring a clean ‘terraform apply’ across all your service accounts. In August, the Substrate setup and upgrade process was greatly simplified for the end user. We consolidated the various substrate bootstrap-* commands into a simple substrate setup that handles any initial install and future upgrades.

From here on out, upgrades will rarely require running

sh <(substrate accounts -auto-approve -format shell)

because substrate setup now manages the required roles for accounts and the Intranet. We do recommend reading the release notes before any upgrade in case there any special handling is required, but we’ll try to avoid it in most cases.

What We’re Working On Next

We’re making substantial upgrades to the Substrate intranet. It’s now powered by the AWS API Gateway v2, which will make it much more straightforward for you to wrap and proxy arbitrary service services while transparently and comprehensively authenticating and authorizing traffic using your identity provider. This means you can use the Substrate intranet to add an authentication and authorization layer to any of your internal tools and services.

 The preview is available with Substrate 2023.10. See the release notes for more information about how to try it out. We’ll have more details and documentation when this is out of preview.

Thanks for reading!

Travis Cole and Richard Crowley