AWS Cloud9
User Guide

Working with Shared Environments in AWS Cloud9

A shared environment is an AWS Cloud9 development environment that multiple IAM users have been invited to participate in.

A shared environment is good for:

  • Pair programming (also known as peer programming). This is where two users work together on the same code in a single environment. In pair programming, typically one user writes code while the other user observes the code being written. The observer gives immediate input and feedback to the code writer. These positions frequently switch during a project. Without a shared environment, teams of pair programmers typically sit in front of a single machine, and only one user at a time can write code. With a shared environment, both users can sit in front of their own machine and can write code at the same time, even if they are in different physical offices.

  • Computer science classes. This is useful when teachers or teaching assistants want to access a student's environment to review their homework or fix issues with their environment in real time. Students can also work together with their classmates on shared homework projects, writing code together in a single environment in real time. They can do this even though they might be in different locations using different computer operating systems and web browser types.

  • Any other situation where multiple users need to collaborate on the same code in real time.

This topic provides instructions for sharing an environment in AWS Cloud9 and how to participate in a shared environment.

About Environment Member Access Roles

Before you share an environment or participate in a shared environment in AWS Cloud9, you should understand the access permission levels for a shared environment. We call these permission levels environment member access roles.

A shared environment in AWS Cloud9 offers three environment member access roles: owner, read/write, and read-only.

  • An owner has full control over an environment. Each environment has one and only one owner, who is the environment creator. An owner can do the following:

    • Add, change, and remove members for the environment

    • Open, view, and edit files

    • Run code

    • Change environment settings

    • Chat with other members

    • Delete existing chat messages

    In the AWS Cloud9 IDE, an environment owner is displayed with Read+Write access.

  • A read/write member can do the following:

    • Open, view, and edit files

    • Run code

    • Change various environment settings from within the AWS Cloud9 IDE

    • Chat with other members

    • Delete existing chat messages

    In the AWS Cloud9 IDE, read/write members are displayed with Read+Write access.

  • A read-only member can do the following:

    • Open and view files

    • Chat with other members

    • Delete existing chat messages

    In the AWS Cloud9 IDE, read-only members are displayed with Read Only access.

Before an IAM user can become an environment owner or member, that user must meet one of the following criteria:

  • The user is an IAM administrator user in your AWS account. For more information, see Creating Your First IAM Admin User and Group in the IAM User Guide.

  • The user belongs to an IAM group in your AWS account, and that group has the AWS managed policy AWSCloud9Administrator or AWSCloud9User (or AWSCloud9EnvironmentMember, to be a member only) attached. For more information, see AWS Managed (Predefined) Policies.

To attach one of the preceding managed policies to a group, you can use the IAM console as follows.

  1. Sign in to the AWS Management Console, if you are not already signed in.

    For this step, we recommend you sign in using credentials for an IAM administrator user in your AWS account. If you cannot do this, check with your AWS account administrator.

  2. Open the IAM console. To do this, in the console's navigation bar, choose Services. Then choose IAM.

  3. Choose Groups.

  4. Choose the group's name.

  5. On the Permissions tab, for Managed Policies, choose Attach Policy.

  6. In the list of policy names, choose one of the following boxes:

    • AWSCloud9User (preferred) or AWSCloud9Administrator to enable each user in the group to be an environment owner

    • AWSCloud9EnvironmentMember to enable each user in the group to be a member only

    (If you don't see one of these policy names in the list, type the policy name in the Search box to display it.)

  7. Choose Attach policy.

Invite an IAM User in Your Account to Your Environment

Use the instructions in this section to share an AWS Cloud9 development environment in your AWS account with an IAM entity in the same account.

To share an environment in your account with an IAM user in another account, see Invite an IAM User in Another Account to Your Environment.

  1. Be sure the corresponding access policy is attached to the IAM group containing the user you want to invite. For more information, see About Environment Member Access Roles.

  2. Sign in to AWS Cloud9 using the credentials of the environment owner, if you are not already signed in. For more information, see Step 4: Sign in to the AWS Cloud9 Console in Team Setup.

  3. Open the environment that you own and want to invite the user to, if the environment is not already open. For more information, see Opening an Environment in AWS Cloud9.

  4. In the menu bar in the AWS Cloud9 IDE, do one of the following:

    • Choose Window, Share.

    • Choose Share (located next to the Preferences gear icon).

      
      (Image: The Share command in the AWS Cloud9 IDE menu bar)

  5. In the Share this environment dialog box, for Invite Members, type the name of the IAM user you want to invite to this environment. The invited user must be within the same AWS account as the environment owner.

    Note

    In addition to inviting IAM users, you can invite the AWS account root user, IAM users with assumed roles, and federated users, who are within the same AWS account as the environment owner.

    • To invite the AWS account root user, type arn:aws:iam::ACCOUNT_ID:root.

    • To invite an IAM user with an assumed role, type arn:aws:sts::ACCOUNT_ID:assumed-role/ROLE_NAME/ROLE_SESSION_NAME, where ROLE_NAME is the name of the assumed role, and ROLE_SESSION_NAME is the session name for the assumed role.

    • To invite a federated user, type arn:aws:sts::ACCOUNT_ID:federated-user/USER_NAME, where USER_NAME is the name of the federated user identified in IAM.

  6. To make this user a read-only member, choose R. To make this user read/write, choose RW.

  7. Choose Invite.

    Note

    If you make this user a read/write member, a dialog box is displayed, containing information about possibly putting your AWS security credentials at risk. The following information provides more background about this issue.

    You should share an environment only with those you trust.

    A read/write member may be able to use the AWS CLI, the aws-shell, or AWS SDK code in your environment to take actions in AWS on your behalf. Furthermore, if you store your permanent AWS access credentials within the environment, that member could potentially copy those credentials and use them outside of the environment.

    Removing your permanent AWS access credentials from your environment and using temporary AWS access credentials instead does not fully address this issue. It lessens the opportunity of the member to copy those temporary credentials and use them outside of the environment (as those temporary credentials will work only for a limited time). However, temporary credentials still enable a read/write member to take actions in AWS from the environment on your behalf.

  8. Contact the user to let them know they can open this environment and begin using it.

Note

The following entities can invite themselves to any environment in their AWS account:

  • The AWS account root user.

  • An IAM administrator user (or user belonging to an IAM administrator group) or equivalent in their AWS account.

  • An IAM user (or user belonging to an IAM group) in their AWS account that has the AWS managed policy AWSCloud9Administrator or equivalent attached.

To invite themselves (or other IAM users or federated users in their AWS account), these entities can use the AWS CLI or the aws-shell to run the AWS Cloud9 create-environment-membership command, specifying the ID of the environment (represented here as ENVIRONMENT_ID) and the Amazon Resource Name (ARN) of the entity to invite (represented here as ENTITY_ARN). For example:

aws cloud9 create-environment-membership --environment-id ENVIRONMENT_ID --user-arn ENTITY_ARN --permissions PERMISSION_LEVEL

For example, to invite the AWS account root user for account ID 123456789012 to an environment with ID 0c00a6ff0e8244698d33fdab581ea3EX as a read/write member:

aws cloud9 create-environment-membership --environment-id 0c00a6ff0e8244698d33fdab581ea3EX --user-arn arn:aws:iam::123456789012:root --permissions read-write

Note

If you're using the aws-shell, omit the aws prefix from the preceding commands.
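As an added example (not code from the AWS Cloud9 documentation), the following Python checks a member ARN against the formats listed in this topic before assembling the create-environment-membership command above, and then audits a constructed describe-environment-memberships result for read/write members outside a trusted set, which is the check an owner would want to run periodically given the warning about read/write members. The regular expressions and the sample output are assumptions for illustration; the IAM user form arn:aws:iam::ACCOUNT_ID:user/NAME is the standard IAM user ARN but is not spelled out on this page.

```python
import json
import re

# Member ARN formats the Share dialog and --user-arn accept, as listed on this page,
# plus the standard IAM user ARN. These regexes are an assumption for illustration,
# not AWS's own validation rules.
ACCOUNT = r"(?P<account>\d{12})"
NAME = r"[\w+=,.@-]+"
MEMBER_ARN_PATTERNS = {
    "iam-user": re.compile(rf"^arn:aws:iam::{ACCOUNT}:user/[\w+=,.@/-]+$"),
    "root": re.compile(rf"^arn:aws:iam::{ACCOUNT}:root$"),
    "assumed-role": re.compile(rf"^arn:aws:sts::{ACCOUNT}:assumed-role/{NAME}/{NAME}$"),
    "federated-user": re.compile(rf"^arn:aws:sts::{ACCOUNT}:federated-user/{NAME}$"),
}


def classify_member_arn(arn):
    """Return (kind, account_id) for a supported member ARN, else (None, None)."""
    for kind, pattern in MEMBER_ARN_PATTERNS.items():
        match = pattern.match(arn)
        if match:
            return kind, match.group("account")
    return None, None


def build_invite_command(environment_id, user_arn, permissions, owner_account):
    """Assemble the create-environment-membership command from this page, refusing
    input the page rules out: a malformed ARN, a principal from a different account
    than the environment owner, or a permission level other than the two allowed."""
    kind, account = classify_member_arn(user_arn)
    if kind is None:
        raise ValueError(f"unsupported member ARN: {user_arn}")
    if account != owner_account:
        raise ValueError(f"{user_arn} is in account {account}, not {owner_account}")
    if permissions not in ("read-only", "read-write"):
        raise ValueError("permissions must be read-only or read-write")
    return (
        "aws cloud9 create-environment-membership "
        f"--environment-id {environment_id} "
        f"--user-arn {user_arn} "
        f"--permissions {permissions}"
    )


# Constructed sample of `aws cloud9 describe-environment-memberships` output for the
# environment ID used on this page; field names follow the Cloud9 API response shape.
SAMPLE_MEMBERSHIPS = json.dumps({
    "memberships": [
        {"environmentId": "0c00a6ff0e8244698d33fdab581ea3EX", "permissions": "owner",
         "userId": "AIDAEXAMPLEOWNER0001", "userArn": "arn:aws:iam::123456789012:user/owner"},
        {"environmentId": "0c00a6ff0e8244698d33fdab581ea3EX", "permissions": "read-write",
         "userId": "AIDAEXAMPLEALICE0002", "userArn": "arn:aws:iam::123456789012:user/alice"},
        {"environmentId": "0c00a6ff0e8244698d33fdab581ea3EX", "permissions": "read-write",
         "userId": "AIDAEXAMPLEBOB000003", "userArn": "arn:aws:iam::123456789012:user/bob"},
        {"environmentId": "0c00a6ff0e8244698d33fdab581ea3EX", "permissions": "read-only",
         "userId": "AIDAEXAMPLECAROL0004", "userArn": "arn:aws:iam::123456789012:user/carol"},
    ]
})


def find_untrusted_writers(memberships_json, trusted_arns):
    """Return the ARNs of read-write members that are not in the trusted set.
    The owner is skipped: the owner always has read/write and cannot leave."""
    data = json.loads(memberships_json)
    return [
        m["userArn"]
        for m in data.get("memberships", [])
        if m.get("permissions") == "read-write" and m["userArn"] not in trusted_arns
    ]


if __name__ == "__main__":
    print(build_invite_command("0c00a6ff0e8244698d33fdab581ea3EX",
                               "arn:aws:iam::123456789012:root", "read-write", "123456789012"))
    print(find_untrusted_writers(SAMPLE_MEMBERSHIPS, {"arn:aws:iam::123456789012:user/alice"}))
```

In practice you would feed find_untrusted_writers the real output of `aws cloud9 describe-environment-memberships --environment-id ENVIRONMENT_ID` and keep the trusted set in version control, so an unexpected read/write member shows up as a diff rather than being noticed only from inside the IDE.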

Invite an IAM User in Another Account to Your Environment

Use the instructions in this section to share an AWS Cloud9 development environment in your AWS account with an IAM user in a separate AWS account.

To share an environment in your account with other IAM entities within your same account, see Invite an IAM User in Your Account to Your Environment.

Prerequisites

Before you complete the steps in the section, be sure you have the following:

  • Two AWS accounts. One account contains the environment you want to share. To reduce confusion, we refer to this account as "your account" and as "account 111111111111" in this section's examples. A separate account contains the IAM user you want to share the environment with. To reduce confusion, we refer to this account as "the other account" and as "account 999999999999" in this section's examples.

  • An IAM group in the other account 999999999999, which we refer to as AWSCloud9CrossAccountGroup in this section's examples. (To use a different group in that account, substitute its name throughout this section's examples).

  • An IAM user named in the other account 999999999999, which we refer to as AWSCloud9CrossAccountUser in this section's examples. This user is a member of the AWSCloud9CrossAccountGroup group in the other account. (To use a different user in that account, substitute its name throughout this section's examples).

  • An environment in your account 111111111111 that you want to allow the user in the other account 999999999999 to access.

Step 1: Create an IAM Role in Your Account to Allow Access from the Other Account

In this step, you create an IAM role in your account 111111111111. This role allows users in the other account 999999999999 to access your account using the permissions you specify.

  1. Sign in to the AWS Management Console using your AWS account 111111111111.

    We recommend you sign in using credentials for an IAM administrator user in your AWS account. If you can't do this, check with your AWS account administrator.

  2. Open the IAM console. To do this, on the global navigation bar, choose Services, and then choose IAM.

  3. In the service navigation pane, choose Roles.

  4. On the Roles page, choose Create role.

  5. On the Select type of trusted entity page, choose the Another AWS account tile.

  6. In Specify accounts that can use this role, for Account ID, type the ID of the other AWS account: 999999999999. (Leave the Options boxes cleared.)

  7. Choose Next: Permissions.

  8. On the Attach permissions policies page, select the box next to the policy (or policies) that contain the permissions you want the other AWS account to have in your account. For this example, choose AWSCloud9EnvironmentMember. (If you can't find it, type AWSCloud9EnvironmentMember in the Search box to display it.) This particular policy allows users in the other account to become read-only or read/write members in shared environments in your account after you invite them.

  9. Choose Review.

  10. On the Review page, for Role name, type a name for the role. For this example, type AWSCloud9EnvironmentMemberCrossAccountRole. (To use a different name for the role, substitute it throughout this section's examples).

  11. Choose Create role.

  12. In the list of roles that is displayed, choose AWSCloud9EnvironmentMemberCrossAccountRole.

  13. On the Summary page, copy the value of Role ARN, for example, arn:aws:iam::111111111111:role/AWSCloud9EnvironmentMemberCrossAccountRole. You need this value for Step 3 in this section.

Step 2: Add the User in the Other Account as a Member of Your Environment

Now that you have an IAM role in your account 111111111111, and know the name of the user in the other account 999999999999, you can add the user as a member of the environment.

  1. If you're not already signed in to the AWS Management Console as the owner of the environment in your account 111111111111, sign in now.

  2. Open the IDE for the environment. (If you're not sure how to do this, see Opening an Environment.)

  3. On the menu bar, choose Share.

  4. In the Share this environment dialog box, for Invite Members, type arn:aws:sts::111111111111:assumed-role/AWSCloud9EnvironmentMemberCrossAccountRole/AWSCloud9CrossAccountUser, where:

    • 111111111111 is the actual ID of your AWS account.

    • AWSCloud9EnvironmentMemberCrossAccountRole is the name of the IAM role in your account 111111111111, as specified earlier in Step 1 of this section.

    • AWSCloud9CrossAccountUser is the name of the user in the other account 999999999999.

  5. Choose Invite, and follow the onscreen instructions to complete the invitation process.

Step 3: Grant Access in the Other Account to Use the IAM Role in Your Account

In this step, you allow the user in the other account 999999999999 to use the IAM role you created in your account 111111111111.

  1. If you're still signed in to the AWS Management Console using your AWS account 111111111111, sign out now.

  2. Sign in to the AWS Management Console using the other AWS account 999999999999.

    We recommend you sign in using credentials for an IAM administrator user in the other account. If you can't do this, check with your AWS account administrator.

  3. Open the IAM console. To do this, on the global navigation bar, choose Services, and then choose IAM.

  4. In the service navigation pane, choose Groups.

  5. In the list of groups that is displayed, choose AWSCloud9CrossAccountGroup.

  6. On the Permissions tab, expand Inline Policies, and then choose the link at the end of "To create one, click here."

  7. On the Set Permissions page, choose Custom Policy, and then choose Select.

  8. On the Review Policy page, for Policy Name, type a name for the policy. For this example, we suggest typing AWSCloud9CrossAccountGroupPolicy. (You can use a different name for the policy).

  9. For Policy Document, type the following, substituting 111111111111 for the actual ID of your AWS account.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111111111111:role/AWSCloud9EnvironmentMemberCrossAccountRole"
      }
    }

  10. Choose Apply Policy.
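The cross-account setup in Steps 1 to 3 only works when three separately entered pieces agree: the trust policy on the role in your account, the inline policy on the group in the other account, and the assumed-role ARN typed into the Share dialog. The following Python, an added example and not AWS's own code, generates all three from the account IDs and names used in this section and checks them against each other, which catches the usual slip of swapping the two account IDs. Two assumptions: the trust policy shown is the one the console generates for the Another AWS account tile in Step 1, and the session name in the member ARN is the IAM user name because that is the session name the console's Switch Role produces.

```python
import json


def cross_account_artifacts(your_account, other_account, role_name, user_name):
    """Produce the three pieces of Steps 1 to 3 that must agree with each other."""
    role_arn = f"arn:aws:iam::{your_account}:role/{role_name}"
    # Step 1: the trust policy the console creates for the "Another AWS account"
    # tile (assumption: equivalent to what the console generates).
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{other_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }
    # Step 3: the inline policy for the group in the other account, as on this page.
    group_policy = {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn},
    }
    # Step 2: the member ARN typed into the Share dialog. The session name is the
    # IAM user name (assumption: the console's Switch Role uses it as the session name).
    member_arn = f"arn:aws:sts::{your_account}:assumed-role/{role_name}/{user_name}"
    return {"role_arn": role_arn, "trust_policy": trust_policy,
            "group_policy": group_policy, "member_arn": member_arn}


def account_of(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def check_consistency(trust_policy, group_policy, member_arn, your_account, other_account):
    """Return a list of mismatches; an empty list means the three pieces line up."""
    problems = []
    principals = [s["Principal"]["AWS"] for s in trust_policy["Statement"]]
    if f"arn:aws:iam::{other_account}:root" not in principals:
        problems.append("trust policy does not trust the other account")
    resource = group_policy["Statement"]["Resource"]
    if account_of(resource) != your_account:
        problems.append("group policy targets a role outside your account")
    role_name = resource.split("/", 1)[1]
    if account_of(member_arn) != your_account:
        problems.append("member ARN is not in your account")
    if not member_arn.startswith(f"arn:aws:sts::{your_account}:assumed-role/{role_name}/"):
        problems.append("member ARN does not match the role in the group policy")
    return problems


if __name__ == "__main__":
    pieces = cross_account_artifacts("111111111111", "999999999999",
                                     "AWSCloud9EnvironmentMemberCrossAccountRole",
                                     "AWSCloud9CrossAccountUser")
    print(json.dumps(pieces, indent=2))
    print(check_consistency(pieces["trust_policy"], pieces["group_policy"],
                            pieces["member_arn"], "111111111111", "999999999999"))
```

The trust policy deliberately names only the other account's root principal, which is what the console tile does; it is the group policy in the other account (Step 3) that narrows who may actually assume the role, so removing a user from AWSCloud9CrossAccountGroup is enough to cut off their access without touching your account.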

Step 4: Use the Other Account to Open the Shared Environment in Your Account

In this step, the user in the other account 999999999999 uses the IAM role in your account 111111111111 to open the shared environment that's also in your account.

  1. If you're not already signed in to the AWS Management Console as the IAM user named AWSCloud9CrossAccountUser in the other AWS account 999999999999, sign in now.

  2. On the global navigation bar, choose AWSCloud9CrossAccountUser, and then choose Switch Role.

  3. On the Switch role page, choose Switch Role.

  4. For Account, type your AWS account ID: 111111111111.

  5. For Role, type AWSCloud9EnvironmentMemberCrossAccountRole.

  6. For Display Name, type a name that helps you more easily identify this role for later use, or leave the suggested display name.

  7. Choose Switch Role. In the global navigation bar, AWSCloud9CrossAccountUser is replaced with the Display Name value and also changes its background color.

  8. On the global navigation bar, choose Services, and then choose Cloud9.

  9. On the global navigation bar, choose the AWS Region that contains the environment.

  10. In the service navigation pane, choose Shared with you.

  11. In the card for the environment that you want to open, choose Open IDE.

You can switch back to using the original user identity AWSCloud9CrossAccountUser. With the AWS Management Console still open for this step, on the global navigation bar choose the Display Name value from earlier in this step. Then choose Back to AWSCloud9CrossAccountUser.

To use the AWSCloud9EnvironmentMemberCrossAccountRole role again, with the AWS Management Console still open for this step, on the global navigation bar choose AWSCloud9CrossAccountUser. For Role History, choose the Display Name value from earlier in this step.

Open a Shared Environment

To open a shared environment, you use your AWS Cloud9 dashboard. You then use the AWS Cloud9 IDE to do things in a shared environment such as work with files and chat with other members.

  1. Be sure the corresponding access policy is attached to the group containing your user. For more information, see About Environment Member Access Roles.

  2. Sign in to AWS Cloud9, if you are not already signed in. For more information, see Step 4: Sign in to the AWS Cloud9 Console in Team Setup.

  3. Open the shared environment from your AWS Cloud9 dashboard. For more information, see Opening an Environment in AWS Cloud9.

You use the Collaborate window to interact with other members, as described in the rest of this topic.

Note

If the Collaborate window is not visible, choose the Collaborate button. If the Collaborate button is not visible, on the menu bar, choose Window, Collaborate.


(Image: The Collaborate window in the AWS Cloud9 IDE)

See a List of Environment Members

With the shared environment open, in the Collaborate window, expand Environment Members, if the list of members is not visible.

A circle next to each member indicates their online status, as follows:

  • Active members have a green circle

  • Offline members have a gray circle

  • Idle members have an orange circle


(Image: Member online status in the AWS Cloud9 IDE)

Open the Active File of an Environment Member

With the shared environment open, in the menu bar, choose the member name. Then choose Open Active File.


(Image: The Open Active File command in the AWS Cloud9 IDE)

Open the Open File of an Environment Member

  1. With the shared environment open, in the Collaborate window, expand Environment Members, if the list of members is not visible.

  2. Expand the name of the user whose open file you want to open in your environment.

  3. Double-click the name of the file you want to open.


(Image: Opening a team member's file in the AWS Cloud9 IDE)

Go to the Active Cursor of an Environment Member

  1. With the shared environment open, in the Collaborate window, expand Environment Members, if the list of members is not visible.

  2. Right-click the member name, and then choose Show Location.

Chat with Other Environment Members

With the shared environment open, at the bottom of the Collaborate window, for Enter your message here, type your chat message, and then press Enter.


(Image: The chat area in the AWS Cloud9 IDE)

View Chat Messages in a Shared Environment

With the shared environment open, in the Collaborate window, expand Group Chat, if the list of chat messages is not visible.

Delete a Chat Message from a Shared Environment

With the shared environment open, in the Collaborate window, right-click the chat message in Group Chat, and then choose Delete Message.

Note

When you delete a chat message, it is deleted from the environment for all members.

Delete All Chat Messages from a Shared Environment

With the shared environment open, in the Collaborate window, right-click anywhere in Group Chat, and then choose Clear history.

Note

When you delete all chat messages, they are deleted from the environment for all members.

Change the Access Role of an Environment Member

  1. Open the environment that you own and that contains the member whose access role you want to change, if the environment is not already open. For more information, see Opening an Environment in AWS Cloud9.

  2. In the Collaborate window, expand Environment Members, if the list of members is not visible.

  3. Do one of the following:

    • Next to the member name whose access role you want to change, choose R or RW to make this member read-only or read/write, respectively.

    • To change a read/write member to read-only, right-click the member name, and then choose Revoke Write Access.

    • To change a read-only member to read/write, right-click the member name, and then choose Grant Read+Write Access.

      Note

      If you make this user a read/write member, a dialog box is displayed, containing information about possibly putting your AWS security credentials at risk. Do not make a user a read/write member unless you trust that user to take actions in AWS on your behalf. For more information, see the related note in Invite an IAM User in Your Account to Your Environment.

Remove Your User From a Shared Environment

Note

You cannot remove your user from an environment if you are the environment owner.

Removing your user from an environment does not remove your user from IAM.

  1. With the shared environment open, in the Collaborate window, expand Environment Members, if the list of members is not visible.

  2. Do one of the following:

    • Next to You, choose the trash can icon.

    • Right-click You, and then choose Leave environment.

  3. When prompted, choose Leave.

Remove Another Environment Member

Note

To remove any member other than your user from an environment, you must be signed in to AWS Cloud9 using the credentials of the environment owner.

Removing a member does not remove the user from IAM.

  1. Open the environment that contains the member you want to remove, if the environment is not already open. For more information, see Opening an Environment in AWS Cloud9.

  2. In the Collaborate window, expand Environment Members, if the list of members is not visible.

  3. Do one of the following:

    • Next to the name of the member you want to delete, choose the trash can icon.

    • Right-click the name of the member you want to delete, and then choose Revoke Access.

  4. When prompted, choose Remove Member.

Environment Sharing Best Practices

We recommend the following practices when sharing environments.

  • Only invite read/write members you trust to your environments.

  • For EC2 environments, read/write members can use the environment owner's AWS access credentials, instead of their own credentials, to make calls from the environment to AWS services. To prevent this, the environment owner can disable AWS managed temporary credentials for the environment. However, this also prevents the environment owner from making calls. For more information, see AWS Managed Temporary Credentials.

  • Turn on AWS CloudTrail to track activity in your environments. For more information, see the AWS CloudTrail User Guide.

  • Do not use your AWS account root user to create and share environments. Use IAM users in the account instead. For more information, see First-Time Access Only: Your Root User Credentials and IAM Users in the IAM User Guide.
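To act on the CloudTrail recommendation above, here is an added Python example (not from the AWS documentation) that scans CloudTrail records for Cloud9 membership changes and flags read/write grants and grants not made by the environment owner, which is how the administrator self-invites described earlier in this topic show up in the trail. The records are constructed for illustration: the top-level fields follow CloudTrail's record format and requestParameters mirror the parameters of the create-environment-membership command on this page; confirm the exact field names against your own trail output before relying on the filter.

```python
import json

# Constructed CloudTrail records, not real captures. The environment ID and
# account ID are the ones used in the examples on this page.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-05-01T10:00:00Z", "eventSource": "cloud9.amazonaws.com",
     "eventName": "CreateEnvironmentMembership",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/owner"},
     "requestParameters": {"environmentId": "0c00a6ff0e8244698d33fdab581ea3EX",
                           "userArn": "arn:aws:iam::123456789012:user/carol",
                           "permissions": "read-only"}},
    {"eventTime": "2019-05-01T10:05:00Z", "eventSource": "cloud9.amazonaws.com",
     "eventName": "CreateEnvironmentMembership",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/owner"},
     "requestParameters": {"environmentId": "0c00a6ff0e8244698d33fdab581ea3EX",
                           "userArn": "arn:aws:iam::123456789012:user/alice",
                           "permissions": "read-write"}},
    # An administrator adding themselves to an environment they do not own.
    {"eventTime": "2019-05-01T11:30:00Z", "eventSource": "cloud9.amazonaws.com",
     "eventName": "CreateEnvironmentMembership",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"environmentId": "0c00a6ff0e8244698d33fdab581ea3EX",
                           "userArn": "arn:aws:iam::123456789012:user/admin",
                           "permissions": "read-write"}},
    {"eventTime": "2019-05-01T11:31:00Z", "eventSource": "cloud9.amazonaws.com",
     "eventName": "DescribeEnvironments",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"environmentIds": ["0c00a6ff0e8244698d33fdab581ea3EX"]}},
    # The owner promoting a read-only member to read/write via the IDE.
    {"eventTime": "2019-05-02T09:00:00Z", "eventSource": "cloud9.amazonaws.com",
     "eventName": "UpdateEnvironmentMembership",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/owner"},
     "requestParameters": {"environmentId": "0c00a6ff0e8244698d33fdab581ea3EX",
                           "userArn": "arn:aws:iam::123456789012:user/bob",
                           "permissions": "read-write"}},
]})

# Both API calls that can hand out read/write access to an environment.
MEMBERSHIP_EVENTS = {"CreateEnvironmentMembership", "UpdateEnvironmentMembership"}


def membership_findings(trail_json, environment_owners):
    """Return the membership changes worth a second look.

    environment_owners maps environmentId -> owner ARN. A record is flagged when it
    grants read-write (the member can then act in AWS as the owner), when someone
    other than the owner made the change, or when the actor invited themselves.
    """
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "cloud9.amazonaws.com":
            continue
        if rec.get("eventName") not in MEMBERSHIP_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        env_id = params.get("environmentId")
        actor = rec["userIdentity"]["arn"]
        reasons = []
        if params.get("permissions") == "read-write":
            reasons.append("read-write grant")
        if actor != environment_owners.get(env_id):
            reasons.append("granted by non-owner")
        if actor == params.get("userArn"):
            reasons.append("self-invite")
        if reasons:
            findings.append({"time": rec["eventTime"], "event": rec["eventName"],
                             "environment": env_id, "actor": actor,
                             "member": params.get("userArn"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    owners = {"0c00a6ff0e8244698d33fdab581ea3EX": "arn:aws:iam::123456789012:user/owner"}
    for finding in membership_findings(SAMPLE_TRAIL, owners):
        print(json.dumps(finding))
```

The owner map can be built from `aws cloud9 describe-environment-memberships` (the membership with permissions "owner"), so the same data that drives a periodic audit also tells the detector which actors are expected to change membership.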