level 09 / aws-for-testers

AWS for Test Engineers

Key AWS services for test infrastructure — EC2, S3, Lambda, ECS, and IAM basics.

AWS Services Test Engineers Use

ServiceWhat it doesTest use case
EC2Virtual machinesSelf-hosted CI runners, test VMs
S3Object storageStore test reports, screenshots, videos
LambdaServerless functionsTrigger test runs, process results
ECS / FargateContainer orchestrationRun Playwright in containers at scale
ECRContainer registryStore Playwright Docker images
Secrets ManagerSecrets storageAPI keys, DB passwords for tests
CloudWatchLogging / monitoringAggregate test run logs
IAMIdentity & accessPermissions for CI pipelines

S3 for Test Reports

# Upload Playwright HTML report to S3
aws s3 sync playwright-report/ s3://my-test-reports/run-${{ github.run_id }}/

# Generate pre-signed URL for sharing
aws s3 presign s3://my-test-reports/run-123/index.html --expires-in 604800
# Link valid for 7 days
# GitHub Actions step
- name: Upload report to S3
  if: always()
  run: |
    aws s3 sync playwright-report/ \
      s3://${{ vars.REPORT_BUCKET }}/runs/${{ github.run_id }}/
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    AWS_REGION: us-east-1

ECS Fargate for Serverless Test Execution

// ECS Task Definition (simplified)
{
  "family": "playwright-tests",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "1024",
  "memory": "2048",
  "containerDefinitions": [{
    "name": "playwright",
    "image": "123456789.dkr.ecr.us-east-1.amazonaws.com/pw-tests:latest",
    "environment": [
      { "name": "BASE_URL", "value": "https://staging.example.com" },
      { "name": "CI", "value": "true" }
    ],
    "secrets": [{
      "name": "API_KEY",
      "valueFrom": "arn:aws:secretsmanager:us-east-1:123:secret:test/api-key"
    }],
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "/ecs/playwright-tests",
        "awslogs-region": "us-east-1"
      }
    }
  }]
}

Secrets Manager for Test Credentials

// Fetch secrets at test runtime (Node.js)
import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';

const client = new SecretsManagerClient({ region: 'us-east-1' });

async function getTestCredentials() {
  const { SecretString } = await client.send(
    new GetSecretValueCommand({ SecretId: 'prod/playwright/credentials' })
  );
  return JSON.parse(SecretString!);
  // { apiKey: '...', dbPassword: '...' }
}

Prefer environment variables injected by CI over runtime secrets fetching — simpler and no AWS SDK dependency in tests.

IAM Principles for CI

// Minimal IAM policy for a CI role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::my-test-reports",
        "arn:aws:s3:::my-test-reports/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage"],
      "Resource": "*"
    }
  ]
}

Principle of least privilege: CI role gets only S3 write + ECR pull. Not AdministratorAccess.

AWS CLI in Tests

# Configure for CI (use OIDC/role-based auth in production, not long-term keys)
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
aws configure set region us-east-1

# Check connectivity
aws sts get-caller-identity