Category Archives: Tech Tips

Accessing CloudFormation Macros from other AWS Accounts

In this post you’ll learn (hopefully!) how to allow other AWS accounts to access CloudFormation macros in your account. AWS announced CloudFormation macros last year. Macros allow you to use a Lambda function to process CloudFormation templates.

I won’t be going over how macros work in detail in this post, but you can learn more about them here. I also assume you have installed the AWS CLI tools.

Let’s begin.


There are two steps to allow another account to access your macros:

  1. Grant permission to the other account to invoke the Lambda function that processes the CloudFormation template.
  2. Define the macro in the account that wants to use it.

In this scenario, we have our two protagonists Alice and Bob. (They usually work in cryptography but are currently on secondment in operations.)

Below are their respective account ids:

Account Name    Account Id
Alice           987654321
Bob             123456789

Grant Permission

Bob has written a macro that automatically sets up IPv6 for a VPC that Alice wants to use from her account.

Before Alice can start using Bob’s macro in her CloudFormation templates, Bob needs to give Alice permission to invoke the underlying Lambda function. Bob opens up a terminal and runs the following command, specifying Alice’s account id as the principal:

$ aws lambda add-permission --function-name EnableIPv6 --statement-id 987654321 --principal 987654321 --action lambda:InvokeFunction

This command adds the ‘lambda:InvokeFunction’ permission to the function policy of the Lambda function, which allows Alice to call it. (Note: you can’t modify the resource policy from the management console. You can only do so using either the CLI tools or an SDK.)

You can also grant permission to another account directly in your CloudFormation template. For example, to allow Alice to invoke his Lambda function Bob would add the following to his template:

    Type: AWS::Lambda::Permission
    Properties:
      Action: 'lambda:InvokeFunction'
      FunctionName: !GetAtt TransformFunction.Arn
      Principal: '987654321'

Create the Macro

Before she can use Bob’s macro, Alice must define a macro in her account, referencing the ARN of the Lambda function in Bob’s account like so:

    Type: AWS::CloudFormation::Macro
    Properties:
      Name: EnableIPv6
      Description: 'Enable IPv6 in a VPC'
      FunctionName: 'arn:aws:lambda:eu-west-2:123456789:function:EnableIPv6'

Alice then navigates to the CloudFormation section in the management console and creates a stack using the template above. Once the stack has been created, Alice will then be able to use the macro in her own templates.
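Because add-permission is the only thing standing between Bob's function and other accounts, it is worth periodically reading the function policy back (aws lambda get-policy --function-name EnableIPv6) and listing who can invoke it. The script below is an added example, not code from the post: it parses a constructed sample of get-policy output (a JSON document whose "Policy" value is itself a JSON string), and reports every statement that lets an account other than the owner call the function, flagging wildcard principals.

```python
import json

# Constructed sample of what `aws lambda get-policy --function-name EnableIPv6`
# returns: the function policy is a JSON string nested inside the "Policy" key.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # the grant that the add-permission command in the post creates
            "Sid": "987654321", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::987654321:root"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-2:123456789:function:EnableIPv6"},
        {   # constructed over-broad grant that the audit should flag
            "Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-2:123456789:function:EnableIPv6"},
    ]})})

OWNER_ACCOUNT = "123456789"  # Bob's account id, taken from the function ARN

def principal_accounts(principal):
    """Account ids (or '*') named by a policy Principal element."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    values = [values] if isinstance(values, str) else values
    # "arn:aws:iam::987654321:root" -> "987654321"; bare ids and "*" pass through
    return {v.split(":")[4] if v.startswith("arn:aws:iam::") else v for v in values}

def cross_account_invokers(get_policy_output, owner_account):
    """Map statement Sid -> accounts other than the owner allowed to invoke."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    found = {}
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        foreign = principal_accounts(stmt.get("Principal", {})) - {owner_account}
        if foreign:
            found[stmt["Sid"]] = foreign
    return found

if __name__ == "__main__":
    for sid, accounts in cross_account_invokers(SAMPLE_GET_POLICY_OUTPUT, OWNER_ACCOUNT).items():
        note = "  <-- wildcard principal: any AWS account can invoke" if "*" in accounts else ""
        print(f"{sid}: {sorted(accounts)}{note}")
```

Feed the real CLI output into cross_account_invokers in place of the sample and the only Sid you expect to see is the one you granted to Alice.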

And that’s it! The end.

Need some help with AWS? I’m a certified AWS engineer and Linux Foundation system administrator. Get in touch for a quote.

Tagged PDF

Alfresco uses Open Office to convert documents to PDF but by default it doesn’t generate tagged PDF. This note describes how to configure Alfresco so that it does produce tagged PDF.

So what is a tagged PDF? Well, it’s a PDF that contains structural information about the content, e.g. reading order, the presence of tables etc. This allows screen-readers to read the PDF document – it makes the PDF accessible. In order to get the most out of the conversion process, as much structural information as possible needs to be present in the original document. I came across these recently when doing some work for a local authority that is using Alfresco.

So how do you configure Alfresco to produce tagged PDF? Open up the file ‘openoffice-document-formats.xml’, which is located in <tomcat_home>/webapps/alfresco/WEB-INF/classes/alfresco/mimetype/, locate the Portable Document Format document format section (it should be at the top of the file) and modify it so it looks like this:

<document-format><name>Portable Document Format</name>

Restart Alfresco. That’s it! The next time you convert a document to PDF it should be tagged. You can test that the conversion worked (on the Mac) by using Adobe Reader 8.0. Open up the PDF file. Go to Document -> Security -> Show Security Properties. Click on the ‘Description’ tab. The ‘Tagged PDF’ entry should be set to ‘Yes’ if the conversion worked correctly. You can also check the document for accessibility by clicking on Document -> Accessibility Quick Check.

You can download the modified configuration file here.

Converting to PDF with Alfresco

Brief note that explains how to set up Alfresco to transform various document formats to PDF. I am writing this because I didn’t find it particularly easy to track down how to do it; it involves a lot of digging around in the wiki. Hopefully, this note will make it easier to set up.

By default Alfresco will convert PDF, Word documents etc to plain text but if you want to go the other way around, e.g. transform plain text to PDF, you need to start Open Office from the command line – a version of Open Office comes bundled with Alfresco. It’s easy really: just run the script, which you will find in the Alfresco home directory. Once you have done this you should be able to transform documents to PDF.

You can check that Open Office is running by executing the command lsof -i | grep 8100. If you start Open Office manually, note that Alfresco expects Open Office to be running on port 8100.

There’s a whole page on starting Open Office from the command line on the Alfresco wiki. Not sure why the page needs to be so long. I just ran the script and Open Office started up without any problems. Maybe I got lucky!

Emacs on Ubuntu

TRAMP is supposed to come installed with Emacs as default from version 21.4.x onwards – well, something like that. Having installed Emacs on Ubuntu using apt-get I couldn’t for the life of me figure out why TRAMP wasn’t working! When I tried to open a remote file it kept trying to use FTP and always complained about something or other – I don’t remember exactly what it was complaining about.

Anyway, it turns out that TRAMP is not included with the version of Emacs that I had installed (sigh). To install it type “sudo apt-get install tramp” on the command line and restart Emacs. Voilà!

To set the default connection mode to ssh, edit your .emacs file and add the following line:

(setq tramp-default-method "ssh")

Wrist problems

For the last month or so I have been having real problems with pain in my wrists and forearms. I have had days where I have had to stop typing because it has just been too painful. I have had this problem before but usually it disappears after a few days. It’s strange because I use a Kinesis keyboard. They are supposed to prevent these kind of problems (although I am currently writing this on my laptop keyboard). I am even thinking about buying a vertical keyboard!

I guess it could be because I don’t take enough breaks away from the keyboard. However, yesterday I found an application for Mac OS X that reminds you every so often to take a break from typing. It’s called AntiRSI. It runs in the background and every so often up pops a window telling you to take a break. It gives you a great excuse to go and get a coffee!

David has more information on his site here. His article also includes a link to an application for Windows that works just like AntiRSI called Workrave.

Recording network traffic

I am writing this primarily as a reminder for myself but maybe it will be of use to you too if you ever need to see what data is being sent/received from your computer to a remote server; I keep writing the incantation down in my trusty notebook but for some reason I never seem to be able to find it again! I use tcpflow to look at what is being sent over the wire. For example, to look at the network traffic between your computer and ‘’, execute the following command as root:

tcpflow -c -i <interface> host

The -c flag means print to the console.

It’s a useful tool and it means that I don’t have to figure out how to use tcpdump! You can download tcpflow here.

How to log SQL queries (again)

Same task as before, different database. I have been doing some development over the last few days with Rails and MySQL. To cut a long story short I wanted to have a look at what queries were being sent to the database. This post describes one way of turning on logging for MySQL. I did all of this on Mac OS X so your mileage may vary.

  1. Create the log file
    > su
    > cd /var/log
    > touch mysqld.log
    > chown mysql mysqld.log
  2. Edit /etc/my.cnf
    log = /var/log/mysqld.log
  3. Restart the database

If you installed the MySQL Startup Item then you can restart the server simply by running:

sudo /Library/StartupItems/MySQLCOM/MySQLCOM restart

Job done!

Being news reader friendly

Andrew Grumet makes an interesting point about using CSS in blog posts. I often find myself making style declarations inline when I want to position images etc in my blog posts. I like his idea.

On a related theme, I often see broken images when viewing RSS feeds in news readers — once upon a time I had the very same problem in my feed. The reason: relative URLs.

For example, let’s take the image of myself. If you looked at the HTML for this particular image you would see something like this: <img src="/images/me.jpg"/>. Works fine in a browser but try it in a news reader and … broken image. To view the image in a news reader the link should be: <img src=""/>; notice the inclusion of the (full) domain name. Perhaps that’s another idea for a WordPress plugin: for each blog post add the domain name to any relative URLs to avoid things like broken image links.
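The rewriting step that plugin would have to do, as an added example (not from the post or from WordPress): resolve every relative src or href in a post body against the post’s permalink, while leaving absolute URLs, data: URIs and in-page fragments untouched. The sample HTML and the permalink https://blog.example.com/2006/03/hello/ are constructed.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample post body: the broken case from the post plus a few other
# forms a rewriter has to leave alone or resolve correctly.
SAMPLE_POST_HTML = (
    '<p>Me: <img src="/images/me.jpg"/></p>\n'
    '<p>Read <a href="about/">more</a> or see <a href="https://example.org/x">this</a>.</p>\n'
    '<img src="data:image/png;base64,iVBORw0KGgo=">'
)

# Matches src="..." or href='...'; the groups let us rewrite only the URL value
# and keep the attribute name and quoting exactly as they were.
_URL_ATTR = re.compile(r'''\b(src|href)=(["'])(.*?)\2''', re.IGNORECASE)

def absolutize_urls(html, post_url):
    """Rewrite relative src/href values in html against post_url.

    post_url is the post's permalink, so a relative path such as "about/"
    resolves the same way a browser viewing the post itself would resolve it.
    """
    def fix(match):
        attr, quote, url = match.groups()
        parts = urlsplit(url)
        # Already absolute (scheme or host present), a data:/mailto:-style URL,
        # or an in-page fragment: leave it alone.
        if parts.scheme or parts.netloc or url.startswith("#"):
            return match.group(0)
        return f"{attr}={quote}{urljoin(post_url, url)}{quote}"
    return _URL_ATTR.sub(fix, html)

if __name__ == "__main__":
    print(absolutize_urls(SAMPLE_POST_HTML, "https://blog.example.com/2006/03/hello/"))
```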

In summary: check how your feed looks in a news reader! Your readers will thank you or, at the very least, you won’t look like a dumbass.

Preventing email spoofing

What’s the best way of determining if an email address has been spoofed?

Here’s a solution I came up with: use the IP address of the originating server the mail came from and do a reverse DNS lookup to get the domain name. Compare the domain name from the lookup with the domain the email claims to have been sent from and if there is no corresponding A record discard the email. How reliable is this method? I have come across several references on the Internet that say that looking up the PTR record for a domain is not reliable because the PTR record(s) are often not well maintained or are even absent.

Another way using a similar approach but not relying on PTR entries, would be to look up the IP address of the domain the email claims to have come from and compare that with the IP address of the originating server. Have I missed something? Are there better ways of checking for spoofed emails?
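Both checks described above, written out as an added example (not from the post) against a constructed in-memory DNS table so it runs offline; with a real resolver the two dicts would be replaced by PTR and A lookups. The address 203.0.113.5 is deliberately given no PTR record to show the unmaintained-PTR case the post worries about, where the first method cannot decide at all.

```python
# Constructed DNS data standing in for real lookups.
# Forward (A) records keyed by name, reverse (PTR) records keyed by address.
FAKE_A_RECORDS = {
    "example.com": {"192.0.2.10", "192.0.2.11"},
    "mail.example.com": {"192.0.2.10"},
}
FAKE_PTR_RECORDS = {
    "192.0.2.10": "mail.example.com",
    # 203.0.113.5 intentionally has no PTR record
}

def sender_domain(mail_from):
    """Domain part of an address such as alice@example.com -> example.com."""
    return mail_from.rsplit("@", 1)[-1].lower()

def ptr_check(origin_ip, mail_from, ptr=FAKE_PTR_RECORDS, a=FAKE_A_RECORDS):
    """First method in the post: reverse-look-up the origin IP, require the
    PTR name to belong to the claimed domain, and require that name's A
    record to point back at the origin IP (otherwise anyone controlling a
    reverse zone could claim any domain)."""
    name = ptr.get(origin_ip)
    if name is None:
        return False  # no PTR record: the method cannot confirm anything
    domain = sender_domain(mail_from)
    if not (name == domain or name.endswith("." + domain)):
        return False
    return origin_ip in a.get(name, set())

def forward_check(origin_ip, mail_from, a=FAKE_A_RECORDS):
    """Second method: resolve the claimed domain and compare with the origin IP."""
    return origin_ip in a.get(sender_domain(mail_from), set())

if __name__ == "__main__":
    for ip, addr in [("192.0.2.10", "alice@example.com"), ("203.0.113.5", "alice@example.com")]:
        print(ip, addr, "ptr:", ptr_check(ip, addr), "forward:", forward_check(ip, addr))
```

Note that the forward check only passes when the claimed domain’s own A records include the sending host’s address, which many legitimate domains’ outbound mail servers do not satisfy; the constructed data above is built so that it does.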

Your comments are appreciated.

Full screen mode for Safari

Here’s a useful tip for making Safari take up the whole of the screen. I found it in a comment somebody had posted on this article about Saft, a plugin that adds a lot of funky features to Safari.

Add the following Javascript in the URL field at the top of the browser and then bookmark it:

javascript:self.moveTo(0,0); self.resizeTo(screen.availWidth, screen.availHeight);

Add the bookmark to the bookmark bar, click on it and voila …. Safari occupies the whole of the screen. Opera has a better full screen mode, it even covers the menu bar at the top of the screen, but until Apple add such a mode to Safari this will have to do.

Here is a snapshot of my toolbar:

As I mentioned previously there is a plugin available called Saft that adds, among other things, a full screen mode to Safari. According to the authors of Saft it was used for check-in at Macworld San Francisco in 2005. Kind of makes you wonder why Apple doesn’t just clone the functionality, or buy Saft, and add it to Safari!