level 09 / aws-for-testers
AWS for Test Engineers
Key AWS services for test infrastructure — EC2, S3, Lambda, ECS, and IAM basics.
AWS Services Test Engineers Use
| Service | What it does | Test use case |
|---|---|---|
| EC2 | Virtual machines | Self-hosted CI runners, test VMs |
| S3 | Object storage | Store test reports, screenshots, videos |
| Lambda | Serverless functions | Trigger test runs, process results |
| ECS / Fargate | Container orchestration | Run Playwright in containers at scale |
| ECR | Container registry | Store Playwright Docker images |
| Secrets Manager | Secrets storage | API keys, DB passwords for tests |
| CloudWatch | Logging / monitoring | Aggregate test run logs |
| IAM | Identity & access | Permissions for CI pipelines |
S3 for Test Reports
# Upload Playwright HTML report to S3
aws s3 sync playwright-report/ s3://my-test-reports/run-${{ github.run_id }}/
# Generate pre-signed URL for sharing
aws s3 presign s3://my-test-reports/run-123/index.html --expires-in 604800
# Link valid for 7 days
# GitHub Actions step
- name: Upload report to S3
if: always()
run: |
aws s3 sync playwright-report/ \
s3://${{ vars.REPORT_BUCKET }}/runs/${{ github.run_id }}/
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: us-east-1
ECS Fargate for Serverless Test Execution
// ECS Task Definition (simplified)
{
"family": "playwright-tests",
"networkMode": "awsvpc",
"requiresCompatibilities": ["FARGATE"],
"cpu": "1024",
"memory": "2048",
"containerDefinitions": [{
"name": "playwright",
"image": "123456789.dkr.ecr.us-east-1.amazonaws.com/pw-tests:latest",
"environment": [
{ "name": "BASE_URL", "value": "https://staging.example.com" },
{ "name": "CI", "value": "true" }
],
"secrets": [{
"name": "API_KEY",
"valueFrom": "arn:aws:secretsmanager:us-east-1:123:secret:test/api-key"
}],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/playwright-tests",
"awslogs-region": "us-east-1"
}
}
}]
}
Secrets Manager for Test Credentials
// Fetch secrets at test runtime (Node.js)
import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';
const client = new SecretsManagerClient({ region: 'us-east-1' });
async function getTestCredentials() {
const { SecretString } = await client.send(
new GetSecretValueCommand({ SecretId: 'prod/playwright/credentials' })
);
return JSON.parse(SecretString!);
// { apiKey: '...', dbPassword: '...' }
}
Prefer environment variables injected by CI over runtime secrets fetching — simpler and no AWS SDK dependency in tests.
IAM Principles for CI
// Minimal IAM policy for a CI role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::my-test-reports",
"arn:aws:s3:::my-test-reports/*"
]
},
{
"Effect": "Allow",
"Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage"],
"Resource": "*"
}
]
}
Principle of least privilege: CI role gets only S3 write + ECR pull. Not AdministratorAccess.
AWS CLI in Tests
# Configure for CI (use OIDC/role-based auth in production, not long-term keys)
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
aws configure set region us-east-1
# Check connectivity
aws sts get-caller-identity