DEV Community: Mayur Bhatti

Integrating Salesforce with AWS Using AWS IAM Roles Anywhere and Private CA

Mayur Bhatti — Mon, 19 Jan 2026 20:07:29 +0000

Here we will setup a secure integration between Salesforce and AWS using AWS IAM Roles Anywhere with a Private Certificate Authority (CA). By utilizing certificate-based authentication instead of access keys, AWS IAM Roles Anywhere enables on-premises servers or services to assume an IAM Role permission.

Step 1: Create a self-signed certificate in Salesforce:

In Salesforce, go to Setup and search for Certificate & Key Management.
Choose Create Self-Signed Certificate.
Enter a label and a unique name for the certificate, then click Save.
Download the generated certificate as “cert.pem” and store it securely.

Step 2: Set up a Private CA in AWS Private Certificate Authority:

Open the AWS Certificate Manager (ACM) Private CA console.
Choose Create CA, then Set Mode to “General-Purpose” & Choose CA Type as “Root”.

Fill out all required details, then select RSA 2048 for the key algorithm.

Acknowledge the settings and click Create CA.

Once created, select “Install CA certificate” under Actions to activate the CA.

Verify the CA status changes from “Pending Certificate” to “Active”.

Step 3: Issue and Retrieve an ACM Certificate Using AWS CLI

Open your terminal and ensure the AWS CLI is installed.
Sign a certificate using your Private Root CA by running:

aws acm-pca issue-certificate \ 
    --certificate-authority-arn "<PRIVATE_ROOT_CA_ARN>" \ 
    --csr fileb://crt.pem \ 
    --signing-algorithm "SHA256WITHRSA" \ 
    --validity Value=365,Type="DAYS" \ 
    --region "us-east-1"

Copy the “CertificateArn” from the output, then retrieve the signed certificate:

aws acm-pca get-certificate \ 
    --certificate-authority-arn "<PRIVATE_ROOT_CA_ARN>" \ 
    --certificate-arn "<CERTIFICATE_ARN>"

Save the certificate content in a .crt file, formatted with each line containing 64 characters.

NOTE: Create a file on editor and copy the certificate between “BEGIN CERTIFICATE” and “END CERTIFICATE”. Include these lines in the certificate and extension of .crt for the file.

While saving the file, make sure you delete the “\n” and press enter for a new line. Each row of the certificate has to be 64 characters long for it to be recognised as a certificate.

Step 4. Upload the Certificate to Salesforce

In Salesforce, upload the .crt file created in Step 3 to activate the certificate.

Step 5: Create a Trust Anchor in AWS IAM Roles Anywhere

Open the IAM Roles Anywhere in the AWS console and select Create Trust Anchor.

Provide a name, select the Private CA from Step 2, and click Create Trust Anchor.

Step 6: Create an IAM Role for Salesforce Permissions

In AWS IAM, create a new role with the following trust policy:

Trust Policy:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Principal": {  
"Service": "rolesanywhere.amazonaws.com"  
 }, 
            "Action": [ 
                "sts:AssumeRole", 
                "sts:TagSession", 
                "sts:SetSourceIdentity" 
            ] 
        } 
    ] 
}

Attach the AmazonConnect_FullAccess policy or another policy granting the necessary permissions.

Step 7: Create a Roles Anywhere Profile in AWS IAM

In IAM Roles Anywhere, select Create Profile.

Enter a profile name and attach the role created in Step 6 & Click Create Profile.

Step 8: Configure External Named Credentials in Salesforce

In this step, configure a named credential in Salesforce to use the IAM role that you created in Step 6.

The named credential is used for authenticating and managing API callouts to external services within Salesforce, to a specific endpoint URL. Initially, point it to AWS Security Token Service (AWS STS), a web service used to request temporary credentials. Then, you point it to the Amazon Connect service URL. Salesforce named credentials support two variants of the AWS Signature Version 4 authentication protocol: IAM User (identified by access key) and Roles Anywhere.

For best practices, uses IAM Roles Anywhere role, but we must first configure an external credential to provide the required authentication configuration via IAM Roles Anywhere.

In Salesforce, go to “Setup > Named Credentials > External Credentials” and click New.
Complete the following fields:
- Label: "AWS IAM Anywhere Credential".
- Name: "AWS_IAM_Anywhere_Credential".
- Authentication Protocol: "AWS Signature V4".
- Service: Initially "sts" (you'll change it to "connect" later).
- Region: "us-east-1".
- AWS Account ID: (Optional)
- Obtain Temporary IAM Credentials via STS: Choose "Roles Anywhere".
- Trust Anchor ARN and Profile ARN: Use the ARN values from earlier.
- Signing Certificate: A certificate from AWS (via a CA) that’s uploaded to Salesforce.
- STS Duration: 3600.
Create a “New Principal” for external credential:
- Name: e.g., "connect_principal". NOTE: Character requirements include [a-zA-Z0-9_+=,.@-]*.
- Enter the ARN of the IAM role created in Step 6 and save.
Create a “Named Credential” in Salesforce with these details:
- Label: "Connect API Connection".
- Name: "Connect_API_Connection".
- URL: "https://sts.us-east-1.amazonaws.com" (later changed to the Amazon Connect URL).
- Enable Generate Authorization Header.

Step 9: Validate the Integration with IAM Roles Anywhere

In Salesforce, Create or edit a permission set for the principal to
- configure permission sets for access:
- Go to Permission Sets > New and provide a label.
- Select External Credential Principal Access and move the principal to the enabled field.
- Assign the permission set to the relevant Salesforce user.
Test the integration:
- In Developer Console, open Execute Anonymous Window and run:

HttpRequest req = new HttpRequest(); 
//APN_API_Connection is the name of the named credential 
req.setEndpoint('callout:Connect_API_Connection/?Action=GetCallerIdentity&Version=2011-06-15'); 
req.setMethod('GET'); 
Http http = new Http(); 
HTTPResponse res = http.send(req); 
System.debug(res.getBody());

Open the log file to see the status. If successful, the log shows a 200 status code to indicate a successful Amazon STS API call from AWS.

Step 10: Update the Named Credential URL

In the Named Credentials configuration, update:
- Service: Change "sts" to "connect".
- URL: Use https://connect.us-east-1.amazonaws.com instead of the sts URL.
Test the integration:
- In Developer Console, open Execute Anonymous Window and run:

HttpRequest req = new HttpRequest(); 
//APN_API_Connection is the name of the named credential 
req.setEndpoint('callout:Connect_API_Connection/?Action=GetCallerIdentity&Version=2011-06-15'); 
req.setMethod('GET'); 
Http http = new Http(); 
HTTPResponse res = http.send(req); 
System.debug(res.getBody());

Open the log file to see the status. If successful, the log shows a 200 status code along with attribute then it indicate a successful Amazon connect API call from AWS.

Similar to Amazon Connect, you can configure it with any service.

Understand AWS IAM Identifiers

Mayur Bhatti — Thu, 15 Jan 2026 21:18:58 +0000

When working with AWS Security, one thing that often confuses beginners is IAM Identifiers.

You may have seen terms like ARN, UserID, RoleID, and FriendlyName.

Wonder why AWS need so many identifiers for the same thing?

Here we will break it down clearly so you can understand what each identifier is, why it exists and when you will use it.

What are AWS IAM Identifiers?

In AWS Identity and Access Management (IAM), every identity and resource must be uniquely identifiable, so AWS achieves this using different types of identifiers, each designed for a specific purpose:

In simple terms, consider:

Friendly Name = Display Name
ARN = Full Address
Unique ID = Government-issued ID number

Let's break each in detail:

1. Friendly Name

Friendly names are the names that we assign to IAM resources, such as

IAM User
IAM Role
IAM Group
IAM Policy

Example:

IAM user = “mayur”
IAM role = "ec2-s3-readonly-role”

Why Friendly name exists:

Easy for humans to read and remember
Used in the AWS Console
Used in CLI commands and scripts

Important

Must be unique within the same account

Friendly names are not globally unique, so two AWS accounts can have the same friendly name.

2. ARN

An ARN is similar to a fully qualified domain name, a globally unique identifier.

Example:

arn:aws:iam::123456789012:user/mayur

ARN structure:

arn:partition:service:region:account-id:resource

Why ARNs matter:

Used in IAM policies
Used by AWS services internally
Required for cross-account access

AWS trust ARNs, not the friendly names.

3. Unique ID

Every IAM resource also gets a unique ID assigned by AWS.

Example:

AIDAJQABLZS4A3QDU576Q

Why AWS uses this:

Friendly names can change
ARNs can change if the path changes
Unique IDs ensure consistency

You will not use these directly, but AWS relies on them internally, as they cannot be changed or reused even if resources are deleted.

4. Paths

Paths allow you to logically group IAM resources

Example:

/dev/admins/dev-admin

Paths:

don’t affect permission
Help with Organisation
Are included in the ARN

When paths are useful:

Large Enterprises
Multiple teams
Environment separation

How these Identifiers work together:

Each identifier serves a different audience:

Humans —> Friendly Names
Policies & Services —> ARNs
AWS Internal systems —> Unique IDs

Common Mistakes to Avoid:

Assuming friendly names are globally unique
Renaming IAM resources without checking the impact on other resources
Confusing role ARN with Instance profile ARN
Using wildcards carelessly in ARN policies

Once you understand why each identifier exists, IAM becomes easier and safer to manage.

Importing a Custom EC2 Key Pair in AWS: A Step-by-Step Guide

Mayur Bhatti — Thu, 15 Jan 2026 09:01:38 +0000

Managing secure access to your Amazon EC2 instances is critical, and one of the foundational steps is setting up an SSH key pair. AWS allows you to create and use your custom EC2 key pairs, providing flexibility for advanced security management. This guide outlines the steps to import a custom key pair into AWS.

Prerequisites

Before you begin, ensure you have the following:

Custom SSH Key Pair: Generate an SSH key pair using your preferred method or tool, such as OpenSSL, ssh-keygen, or a third-party tool.
- The private key will remain on your local machine for authentication.
- The public key will be imported into AWS.
AWS CLI or AWS Management Console: This guide covers both methods for importing the key pair.
IAM Permissions: Ensure your AWS user or role has the necessary permissions:
- ec2:ImportKeyPair
- ec2:DescribeKeyPairs

Step 1: Generate a Custom Key Pair (if not already created)

Using ssh-keygen
On a Linux, macOS, or Windows machine (with WSL or Git Bash):

ssh-keygen -t rsa -b 2048 -m PEM -C "your-email@example.com" -f my-custom-key

-t rsa: Specifies the RSA algorithm.
-b 2048: Sets the key size to 2048 bits.
-m PEM: Specifies format of the key.
-f my-custom-key: Saves the key with the name my-custom-key.
-C "your-email@example.com": Adds a comment to identify the key.

This command generates two files:

my-custom-key: The private key (keep it secure).
my-custom-key.pub: The public key for importing into AWS.

Step 2: Import the Key Pair in AWS

Using AWS Management Console:

Log in to AWS Management Console: Navigate to the EC2 Dashboard.
Access Key Pairs:
- On the left-hand menu, under Network & Security, click Key Pairs.
Import Key Pair:
- Click Import key pair.
- Provide a name for the key pair (e.g., my-custom-key).
- Copy the contents of the public key file (my-custom-key.pub) into the Public key contents field.
- Click Import key pair.

Using AWS CLI:

Install and Configure AWS CLI: If not already installed, download and configure the AWS CLI following the installation guide.
Run the Import Command: Use the following command to import your custom key pair:

aws ec2 import-key-pair \
    --key-name "my-custom-key" \
    --public-key-material fileb://my-custom-key.pub

--key-name: Specifies the name of the key pair in AWS.
--public-key-material: Uploads the public key file.

Verify the Key Pair: To confirm the key pair was imported successfully:

aws ec2 describe-key-pairs --key-name "my-custom-key"

Your custom key pair is now available for use with EC2 instances.

Key Considerations

Keep Private Keys Secure: Store private keys in a secure location and never share them.
Key Pair Limits: AWS accounts have a soft limit on the number of key pairs per region (default: 5,000). Contact AWS Support if you need more.
Backup: Regularly back up private keys in a secure location to avoid losing access to your EC2 instances.

Conclusion

Importing a custom EC2 key pair into AWS provides flexibility and control over SSH access to your instances. By following the steps outlined in this guide, you can ensure secure, seamless access while maintaining compliance with your organization's security policies.

For more details, refer to the official AWS Key Pair Documentation.

Setting up a Self-Hosted Runner on GitHub Actions

Mayur Bhatti — Mon, 18 Nov 2024 18:19:54 +0000

GitHub Actions is a powerful tool for automating workflows directly in GitHub. While GitHub-hosted runners are convenient, self-hosted runners offer much more flexibility by giving you full control over the hardware, operating system, and installed software. This guide will walk you through setting up a self-hosted runner on GitHub, giving you the ability to optimize your environment to meet specific project requirements.

Why Companies are Switching to GitHub/GitLab for CI/CD Pipelines

With the recent closure of AWS CodeCommit, many companies are transitioning to platforms like GitHub and GitLab for code storage and management. Solution architects are adapting CI/CD pipelines to align with this shift, leveraging GitHub and GitLab’s built-in CI/CD tools—GitHub Actions and GitLab CI/CD—rather than relying on standalone systems. This consolidation of code storage and CI/CD pipelines simplifies integration, enhances collaboration, and optimizes workflow visibility by keeping everything in one platform.

GitHub Actions has become especially popular, providing companies with a robust CI/CD tool that automates code testing, deployment, and integration. However, GitHub Actions has limitations, particularly for companies with large-scale or complex workflows.

Overcoming GitHub Actions Limitations with Self-Hosted Runners

While GitHub Actions is powerful, it has certain restrictions, especially when relying solely on GitHub-hosted runners. These runners have runtime and billing limitations that could lead to higher costs or performance impacts if workflows exceed the provided limits. For example, GitHub Actions offers free tier limits (especially for public repositories) but imposes runtime limits, data transfer restrictions, and concurrency caps on GitHub-hosted runners. For extensive workflows, upgrading to a paid GitHub plan may be necessary.

An alternative to relying solely on GitHub-hosted runners is self-hosted runners. Self-hosted runners provide several benefits, helping to overcome GitHub Actions’ limitations:

No Runtime Limits: Self-hosted runners do not have a predefined runtime cap, which makes them ideal for handling longer or more complex jobs.
Enhanced Resource Control: They allow you to choose hardware that meets the specific resource demands of your workflows, providing greater flexibility in CPU, memory, and storage.
Cost Efficiency: Instead of upgrading to higher GitHub subscription tiers to increase runner usage, self-hosted runners can operate on existing infrastructure, reducing the overall costs.
Flexibility in Software: With self-hosted runners, you can install and run custom software that may not be available in GitHub-hosted environments.

For companies looking to maximize GitHub Actions workflows without incurring high costs, self-hosted runners offer a flexible, efficient solution. You can read more about GitHub Actions’ billing limitations in the GitHub Actions Billing Documentation.

Levels of Self-Hosted Runners:

GitHub provides three levels of self-hosted runners for different scopes:

Repository-Level: Dedicated to a single repository.
Organization-Level: Available to multiple repositories within an organization.
Enterprise-Level: Can be assigned to repositories across various organizations within an enterprise.

Step-by-Step Guide to Setting Up a Self-Hosted Runner

Step 1: Create a New Self-Hosted Runner

To begin, navigate to the appropriate settings page depending on the level at which you want to set up the runner:

Repository-Level: Go to Repository Settings → Actions → Runners → New self-hosted runner.

Organization-Level: Go to Organization Settings → Actions → Runners → New runner.

GitHub will display a setup page to guide you through creating a new self-hosted runner.

Step 2: Choose Your Machine and Download the Runner

After Clicking on “New self-hosted runner”, This page will appear at both the Repository and Organization Level. On the setup page, select the machine type and architecture for your runner:

Machine: Choose from Linux, Windows, or macOS.
Architecture: Select your desired architecture, such as x64 or ARM.

After making your selections, GitHub provides a download script that you can use to install the runner application on your VM or server.

NOTE: In ./Config there is one token generated which only works for a few minutes, if you have waited for a long time then need to again create a runner (STEP1).

Step 3: Configure the Runner on Your Machine

Once the runner is downloaded, follow these steps to configure it:

Run the Configuration Script: Execute ./config.sh on your machine. During this step, you’ll generate a token from GitHub that’s required to authenticate the runner. Note that the token is only valid for a short period—if you wait too long, you’ll need to generate a new one.
Set Runner Options:
- Runner Group: Specify a group if needed (ensure the group exists before specifying it).
- Runner Name: Provide a custom name for your runner.
- Labels: Labels are used to identify the runner in your workflow YAML files. By default, labels include self-hosted, the OS type (e.g., Linux), and architecture (e.g., x64). You can add custom labels as needed.
- Working Directory: Specify the directory where the runner will download workflow files and operate.

Step 4: Start the Runner

To start the runner, use the following command: ./run.sh

This command starts the runner in interactive mode, allowing it to listen for and process incoming jobs. Make sure your workflow YAML files include labels that match the runner configuration so GitHub can correctly assign jobs to your self-hosted runner.

Step 5: Set Up the Runner as a Service

To set up the self-hosted runner as a service on Linux (using systemd), GitHub provides an svc.sh script, which makes it easy to install, start, check, stop, and uninstall the runner service.

Install the Service: Stop the runner if it’s currently running, then install it as a service by running:

sudo ./svc.sh install

To install it as a specific user, specify the username:

sudo ./svc.sh install USERNAME

Start the Service:

sudo ./svc.sh start

Check Service Status: To check if the runner service is active and listening, run:

sudo ./svc.sh status

Stop and Uninstall the Service:

If needed, stop the service with:

sudo ./svc.sh stop

To completely remove the service, run:

sudo ./svc.sh uninstall

Setting up the GitHub self-hosted runner as a service ensures it will automatically restart if the machine reboots, making it ideal for production environments.

Best Practices for Managing Self-Hosted Runners

Security: Self-hosted runners have access to your local network and systems, so ensure they’re secured and access is limited.
Regular Updates: Keep your runner application updated to avoid compatibility issues and gain the latest features and security patches.
Monitoring and Logging: Use monitoring tools and GitHub’s built-in logs to track runner activity, resource usage, and any issues that arise.
Scaling: For high-demand environments, consider adding multiple runners or using runners with autoscaling capabilities in cloud environments.

References and Further Reading:

For more detailed information, here are some helpful resources:

Setting up WireGuard VPN with WAG for Enhanced Security and MFA

Mayur Bhatti — Sat, 16 Nov 2024 19:37:40 +0000

In today’s security-conscious environment, having a VPN setup that integrates multi-factor authentication (MFA) is essential. WAG, a tool that adds 2FA and device enrollment capabilities to WireGuard, enables secure VPN access with MFA for specific routes. This guide walks you through setting up a WireGuard VPN with WAG on an Ubuntu server.

Introduction to WAG with WireGuard

WAG enhances WireGuard by providing 2FA on selected routes while allowing other routes to remain accessible as long as the client has a valid public key. With WAG, you can ensure only authenticated users can access sensitive network resources, securing your VPN further.

Reference: WAG GitHub Repository

Prerequisites

System Requirements: This guide assumes you are working on Ubuntu 20.04.
Necessary Tools: Make sure iptables is installed and IP forwarding is enabled. Wag must be run as root, to manage iptables and the wireguard device.

sysctl -w net.ipv4.ip_forward=1

Step 1: Install WAG

Create Directory: Install WAG in the /opt directory.

mkdir /opt/wag && cd /opt/wag

Download WAG:

curl -L $(curl -s https://api.github.com/repos/NHAS/wag/releases/latest | jq -M -r '.assets[0].browser_download_url') -o wag

Set Permissions:

chmod 700 wag

Step 2: Generate WAG Configurations

Generate the initial configuration file:

sudo ./wag gen-config

Rename the generated config file:

After providing valid information in the above command, it will generate one config file with the tag "config.json.*". Rename it to "config.json"

mv config.json.* config.json

Step 3: Modify WireGuard Port and Add ACLs in the Config File

Set Port and Add Private Key: Configure WireGuard to listen on a chosen port (e.g., 51820).

"Wireguard": {
    "DevName": "wg0",
    "ListenPort": 51820,
    "PrivateKey": "your_private_key_here",
    "Address": "10.1.2.1/24",
    "MTU": 1420,
    "PersistentKeepAlive": 25,
    "DNS": ["8.8.8.8"]
}

Define ACLs: Use ACL policies to enforce 2FA for specific networks while allowing general access to others. Here, a username "mayur" is allowed only for network "0.0.0.0/0, ::/0" but it must enter MFA for network "172.69.0.0/16 and following", mfa defines the network which will be accessible only if it is authorized.

Example ACL Configuration:

"Acls": {
    "Groups": {
        "group:admin": ["mayur"]
    },
    "Policies": {
        "group:admin": {
            "Mfa": [
               "172.69.0.0/16", "172.63.0.0/16"
            ],
            "Allow": [
               "0.0.0.0/0", "::/0"
            ]
        }
    }
}

After adding this, the config will look like this:

{
  "Proxied": false,
  "ExposePorts": null,
  "HelpMail": "<email address>",
  "Lockout": 5,
  "ExternalAddress": "<public ip>",
  "MaxSessionLifetimeMinutes": 1440,
  "SessionInactivityTimeoutMinutes ": 60,
  "ManagementUI": {
    "ListenAddress": "",
    "Enabled": false
  },
  "Webserver": {
    "Public": {
      "ListenAddress": ":8080"
    },
    "Tunnel": {
      "Port": "80"
    }
  },
  "Authenticators": {
    "Issuer": "Wireguard",
    "Methods": ["totp"],
    "DomainURL": "",
    "OIDC": {
      "IssuerURL": "",
      "ClientSecret": "",
      "ClientID": ""
    }
  },
  "Wireguard": {
    "DevName": "wg0",
    "ListenPort": 51820,
    "PrivateKey": "<private key>",
    "Address": "10.1.2.1/24",
    "MTU": 1420,
    "PersistentKeepAlive": 25,
    "DNS": ["8.8.8.8"]
  },
  "DatabaseLocation": "devices.db",
  "Acls": {
    "Groups": {
      "group:admin": ["mayur"]
    },
    "Policies": {
      "group:admin": {
        "Mfa": ["172.69.0.0/16", "172.63.0.0/16"],
        "Allow": ["0.0.0.0/0", "::/0"]
      }
    }
  }
}

Step 4: Start the WAG Service

Run WAG with the following command:

./wag start -config config.json

wag will create a database "devices.db" where it will store all users and their respective keys.

Step 5: Set Up WAG as a Service

Create a wag.service file for managing WAG via systemd:

sudo nano /etc/systemd/system/wag.service

Add the following service configuration:

[Unit]
Description=WireguardManager

[Service]
User=root

WorkingDirectory=/opt/wag
ExecStart=/opt/wag/wag start

# If any of the ExecStarttasks fail, then ExecStopPostwill run
ExecStopPost=/opt/wag/wag cleanup

Restart=on-failure
RestartSec=10
RestartPreventExitStatus=3

KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

Enable and start the service:

sudo systemctl enable wag
sudo systemctl start wag

Step 6: Register New Users with WAG

./wag registration -add -username your_username

This command generates a token for device enrollment.

Restart the WAG service:

Now copy the token that was generated from the adding username, Now restart the wag service

sudo systemctl restart wag

Step 7: Download User Configuration File

Users can retrieve their VPN configuration file using their generated token:

curl http://{public.server.address}:8080/register_device?key={token}

This will download the config that will later need to be used in the WireGuard Client.

Additional Feature:

Registration - Deals with creating, deleting and listing the registration tokens

Usage of registration:

"-add" : Create a new enrolment token
"-del" : Delete existing enrolment token
"-group value" : Manually set user group (can supply multiple -group, or use -groups for delimited group list, useful for OIDC)
"-groups string" : Set user groups manually, ',' delimited list of groups, useful for OIDC
"-list" : List tokens
"-overwrite string" : Add registration token for an existing user device, will overwrite wireguard public key (but not 2FA)
"-socket string" : Wag socket to act on (default "/tmp/wag.sock")
"-token string" : Manually set registration token (Optional)
"-username string" : User to add device

(Optional) Configure WAG Management UI

To enable the WAG UI, make the following changes in config.json:

"ManagementUI": {
    "ListenAddress": ":9000",
    "Enabled": true
}

Restart WAG to apply changes:

sudo systemctl restart wag

Set up an admin account for the web console:

sudo ./wag webadmin -add -username admin -password admin_password

Now, Just use http://{public_ip}:9000 and we will be able to access the WAG UI console where we will be able to manage the user and config.

Getting started with AWS DeepRacer!!

Mayur Bhatti — Wed, 13 Nov 2024 20:08:15 +0000

AWS DeepRacer is an integrated learning system for users of all levels to learn and explore reinforcement learning and to experiment and build autonomous driving applications. This blog will guide you to build your model on the new Deepracer Console. This can help you get ready for the Deepracer leagues at your nearest summits and also for Virtual circuits that take place throughout the year.

What is AWS DeepRacer?

AWS DeepRacer is a fully autonomous 1/18th scale race car driven by reinforcement learning. It lets you train your model on AWS DeepRacer Console. It also helps you to provide a Reward Function to your model that indicates to the agent (DeepRacer Car) whether the action performed resulted in a good, bad or neutral outcome.

The AWS DeepRacer console is a graphical user interface to interact with the AWS DeepRacer service. You can use the console to train a reinforcement learning model and to evaluate the model performance in the AWS DeepRacer simulator built upon AWS RoboMaker. In the console, you can also download a trained model for deployment to your AWS DeepRacer vehicle for autonomous driving in a physical environment.

Types Of Race League:

There are three main racing formats in the AWS DeepRacer League:

Head-to-Head Racing: In this mode, racers navigate the track while avoiding other AWS bot cars. The top racers qualify for a head-to-head elimination bracket at the end of each month.
Object Avoidance: In this format, participants must complete the track while dodging obstacles. The fastest time wins and advances toward the Championship Cup.
Time Trial: Here, racers aim to complete the track within a set number of laps while staying on track. The fastest racer in this category advances to the Championship Cup.

Understanding Reinforcement Learning:

In reinforcement learning (RL), an agent (in this case, the AWS DeepRacer car) interacts with an environment (the track) and learns by receiving rewards for taking certain actions that lead to desirable outcomes. The agent’s goal is to maximize these rewards by identifying the best actions over time.

Key Reinforcement Learning (RL) Terms:

Agent - The agent is represented by the AWS DeepRacer vehicle that needs to be trained. More specifically, it embodies the neural network that controls the vehicle, taking inputs, and deciding actions.
Environment - The environment contains a track that defines where the vehicle can drives. The agent explores the environment to collect data to train the underlying neural network.
State - The state represents a snapshot of the environment where the agent is in at a point in time. The front-facing camera captures this state on the vehicle.
Action - An action is a decision made by the agent in the current state. For AWS DeepRacer, an action corresponds to a vehicle move at a particular speed and steering angle.
Reward - The reward is the score given as feedback to the agent when it takes action in a given state. In training the AWS DeepRacer model, the reward is returned by a reward function. In general, you define or supply a reward function to specify what is desirable or undesirable action for the agent to take in a given state.
Episodes - An episode is a set of processes until the agent terminated.

Services Used & Architecture:

AWS DeepRacer leverages several AWS services:

AWS DeepRacer Console: Interface for training and evaluating models.
Amazon SageMaker: Manages and trains the RL models.
AWS RoboMaker: Simulates the virtual track environment.
Amazon S3: Stores the model data.
Amazon Kinesis: Streams data for live feedback.
Amazon CloudWatch: Monitors and logs activity.

Steps to Build Your AWS DeepRacer Model:

Let’s train and evaluate our virtual model! Here are the steps (note that you can follow along here by creating an AWS account):

Create a model in the AWS DeepRacer console.
Set the name, description, and track.
Set your action space (possible actions for the model to take).
Create your reward functions.
Set your hyperparameters.
Start training!

Evaluating the Model:

For an in-depth guide to model evaluation, Check this out

Building an Effective Reward Function:

The AWS DeepRacer reward function takes a dictionary object as the input.

def reward_function(params) :

    reward = ...

    return float(reward)

The params dictionary object contains the following key-value pairs:

{
    "all_wheels_on_track": Boolean,        # flag to indicate if the agent is on the track
    "x": float,                            # agent's x-coordinate in meters
    "y": float,                            # agent's y-coordinate in meters
    "closest_objects": [int, int],         # zero-based indices of the two closest objects to the agent's current position of (x, y).
    "closest_waypoints": [int, int],       # indices of the two nearest waypoints.
    "distance_from_center": float,         # distance in meters from the track center 
    "is_crashed": Boolean,                 # Boolean flag to indicate whether the agent has crashed.
    "is_left_of_center": Boolean,          # Flag to indicate if the agent is on the left side to the track center or not. 
    "is_offtrack": Boolean,                # Boolean flag to indicate whether the agent has gone off track.
    "is_reversed": Boolean,                # flag to indicate if the agent is driving clockwise (True) or counter clockwise (False).
    "heading": float,                      # agent's yaw in degrees
    "objects_distance": [float, ],         # list of the objects' distances in meters between 0 and track_length in relation to the starting line.
    "objects_heading": [float, ],          # list of the objects' headings in degrees between -180 and 180.
    "objects_left_of_center": [Boolean, ], # list of Boolean flags indicating whether elements' objects are left of the center (True) or not (False).
    "objects_location": [(float, float),], # list of object locations [(x,y), ...].
    "objects_speed": [float, ],            # list of the objects' speeds in meters per second.
    "progress": float,                     # percentage of track completed
    "speed": float,                        # agent's speed in meters per second (m/s)
    "steering_angle": float,               # agent's steering angle in degrees
    "steps": int,                          # number steps completed
    "track_length": float,                 # track length in meters.
    "track_width": float,                  # width of the track
    "waypoints": [(float, float), ]        # list of (x,y) as milestones along the track center
}

The reward function that worked for us is:

import math
def reward_function(params):

    track_width = params['track_width']
    distance_from_center = params['distance_from_center']
    steering = abs(params['steering_angle'])
    direction_stearing=params['steering_angle']
    speed = params['speed']
    steps = params['steps']
    progress = params['progress']
    all_wheels_on_track = params['all_wheels_on_track']
    ABS_STEERING_THRESHOLD = 15
    SPEED_TRESHOLD = 5
    TOTAL_NUM_STEPS = 85

    # Read input variables
    waypoints = params['waypoints']
    closest_waypoints = params['closest_waypoints']
    heading = params['heading']

    reward = 1.0

    if progress == 100:
        reward += 100

    # Calculate the direction of the center line based on the closest waypoints
    next_point = waypoints[closest_waypoints[1]]
    prev_point = waypoints[closest_waypoints[0]]

    # Calculate the direction in radius, arctan2(dy, dx), the result is (-pi, pi) in radians
    track_direction = math.atan2(next_point[1] - prev_point[1], next_point[0] - prev_point[0]) 

    # Convert to degree
    track_direction = math.degrees(track_direction)

    # Calculate the difference between the track direction and the heading direction of the car
    direction_diff = abs(track_direction - heading)

    # Penalize the reward if the difference is too large
    DIRECTION_THRESHOLD = 10.0

    malus=1

    if direction_diff > DIRECTION_THRESHOLD:
        malus=1-(direction_diff/50)
        if malus<0 or malus>1:
            malus = 0
        reward *= malus

    return reward

For more examples of reward functions, you can visit this link.

Pricing:

AWS DeepRacer provides a Free Tier, that covers the first 10 free hours to train or evaluate models and 5GB of free storage during your first month. After this, it cost around

Training or evaluation : $3.50 per hour
Model storage : $0.023 per GB-month

Key Takeaways:

You should be careful while choosing the training time of your model. If you train it too much it will overfit the track and won’t be able to perform with slight changes in the environment, whereas on the other hand if your train it less, the model won’t be strong enough to make correct decisions.
Your primary focus while building and training the model on the virtual environment should be on the accuracy and reliability of your model and not the speed or lap time of your DeepRacer. As in the Physical racing league, you will be able to accelerate your DeepRacer using their app on the phone.

WebLex - Using voice to control a website with Amazon Alexa

Mayur Bhatti — Tue, 12 Nov 2024 10:01:15 +0000

Introduction:

With advances in Information Technology, modern communication tools, like voice bots, have become integral to user interactions. A prominent example is Amazon Alexa — a smart voice assistant developed by Amazon that can perform a wide array of tasks. Alexa enables users to set alarms, create reminders, play music, answer questions, browse the internet, and control smart home devices with just a voice command. Beyond personal use, Alexa’s functionality can even be embedded into websites. Here’s where WEBLEX comes in.

Objective — WEBLEX aims to make website interactions more accessible and efficient by allowing users to control web content using Alexa voice commands. Users can seamlessly perform various tasks, such as navigating menus, displaying images, reading website content aloud, managing sign-in/sign-off, and scrolling—all with simple spoken prompts.

Scope — Voice-controlled website navigation can be incredibly beneficial across various scenarios. Imagine having the ability to navigate a recipe website hands-free while cooking or a doctor reviewing a patient’s medical images and test results through voice commands. These use cases demonstrate the potential of voice navigation to enhance user experiences in unique, hands-free environments.

Now Let’s first see in short how Amazon Alexa works??

A user can access content in a skill by invoking it with Alexa. Alexa is always up for acquiring new skills. When a user speaks to any Alexa-enabled device and uses the wake word, “Alexa,” the device sends the speech to the Alexa service in the cloud. Alexa analyzes the user’s voice, determines what they want, and then makes a request to the skill that can assist them. Speech recognition and natural language processing are handled by the Alexa service. Your skill is deployed as a cloud service. Through an HTTPS enabled request-response mechanism, Alexa communicates with the skill. Alexa skill receives a post request with JSON body whenever they are requested by the user.

Wake word: Alexa starts listening to your commands once you say the wake word.
Launch word: Invocation of the skill will likely follow a launch word, which triggers Alexa to initiate the skill invocation.
Invocation name: A user invokes a skill’s invocation name in order to interact with it. For example, to use the Daily Horoscope skill, the user could say, “Alexa, open my daily horoscope.”
Utterance: Utterances are spoken requests made by users. Invocation of a skill, inputs for a skill, and confirmation of Alexa’s actions are all possible through spoken requests. Consider the many ways your users could form their requests.
Prompt: When you talk to Alexa, you can send her a string of text that asks for information. Whenever you respond to a user, you include the prompt text.
Intent: A user’s spoken intent is fulfilled by an intent. Slots are optional arguments that can be attached to intents.
Slot Value: Slots are input values entered by the user during their spoken request. By providing these values, Alexa can determine the speaker’s intent.

Working of WebLex:

The flow of WebLex involves several steps that enable Alexa to control website content effectively:

The user speaks the wake word, "Alexa."
Alexa processes the wake word, listens to the user’s voice, and sends the command to the Alexa service.
Alexa uses its interaction model to route the request appropriately.
The backend, powered by an AWS Lambda function using Node.js, links the frontend with Alexa.
Alexa sends a JSON-formatted request to the Lambda function, which stores relevant data in a database.
The Lambda function evaluates the JSON request to determine a response, pulling data from the database as needed.
An API then retrieves the Lambda function’s output, allowing the website to access this information and display it for the user.

Future Enhancement:

Live Website Integration: Embedding WebLex functionality into a production-ready website.
Cloud Deployment: Hosting WebLex on a cloud platform for increased scalability and accessibility.

DEV Community: Mayur Bhatti

Integrating Salesforce with AWS Using AWS IAM Roles Anywhere and Private CA

Step 1: Create a self-signed certificate in Salesforce:

Step 2: Set up a Private CA in AWS Private Certificate Authority:

Step 3: Issue and Retrieve an ACM Certificate Using AWS CLI

Step 4. Upload the Certificate to Salesforce

Step 5: Create a Trust Anchor in AWS IAM Roles Anywhere

Step 6: Create an IAM Role for Salesforce Permissions

Step 7: Create a Roles Anywhere Profile in AWS IAM

Step 8: Configure External Named Credentials in Salesforce

Step 9: Validate the Integration with IAM Roles Anywhere

Understand AWS IAM Identifiers

What are AWS IAM Identifiers?

1. Friendly Name

2. ARN

3. Unique ID

4. Paths

How these Identifiers work together:

Common Mistakes to Avoid:

Importing a Custom EC2 Key Pair in AWS: A Step-by-Step Guide

Prerequisites

Step 1: Generate a Custom Key Pair (if not already created)

Step 2: Import the Key Pair in AWS

Using AWS Management Console:

Using AWS CLI:

Key Considerations

Conclusion

Setting up a Self-Hosted Runner on GitHub Actions

Why Companies are Switching to GitHub/GitLab for CI/CD Pipelines

Overcoming GitHub Actions Limitations with Self-Hosted Runners

Levels of Self-Hosted Runners:

Step-by-Step Guide to Setting Up a Self-Hosted Runner

Step 1: Create a New Self-Hosted Runner

Step 2: Choose Your Machine and Download the Runner

Step 3: Configure the Runner on Your Machine

Step 4: Start the Runner

Step 5: Set Up the Runner as a Service

Best Practices for Managing Self-Hosted Runners

References and Further Reading:

Setting up WireGuard VPN with WAG for Enhanced Security and MFA

Introduction to WAG with WireGuard

Prerequisites

Step 1: Install WAG

Step 2: Generate WAG Configurations

Step 3: Modify WireGuard Port and Add ACLs in the Config File

Step 4: Start the WAG Service

Step 5: Set Up WAG as a Service

Step 6: Register New Users with WAG

Step 7: Download User Configuration File

Additional Feature:

(Optional) Configure WAG Management UI

Getting started with AWS DeepRacer!!

What is AWS DeepRacer?

Understanding Reinforcement Learning:

Services Used & Architecture:

Steps to Build Your AWS DeepRacer Model:

Evaluating the Model:

Building an Effective Reward Function:

Pricing:

Key Takeaways:

WebLex - Using voice to control a website with Amazon Alexa

Introduction:

Now Let’s first see in short how Amazon Alexa works??

Working of WebLex:

Future Enhancement:

References: