DEV Community

AnupamMahapatra
AnupamMahapatra

Posted on

AWS access through Users/Groups

When we open an account in AWS, we are the root user. While you can do do any things with that user, It is important to follow best practice and create groups and users for each type of access you might need.
In my case, I was spinning up an EKS cluster. I thought it gives me an opportunity to write a small blog on how to go about it.
We can create resource and query them through AWS API using AWS CLI. The CLI gives us a lot of power to do things through API. But the CLI needs to get access. These access can be classified into users and each account can thus have multiple users and access. Instead of directly giving access to the users, we put users into a group. These groups then get access using policies. Each group can have one or more users.

Each USER is created within a certain GROUP and each group is given access to resources dictated by POLICIES. This way, you can edit access to multiple users.

In my use case, I am creating an admin group for the entire aws account and an EKS admin group just for EKS service:

Both of these can be created using cloud formation through your root account:

The following create a admin account:

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Admin user and group for an account'

Parameters:
  UserName:
    Type: String
    Description: User name MUST be unique per account globally or it will create an ireversible error

  AWSAdminPassword:
    Type: String

Resources:
## Custom Group ###
  AWSAdminIAMGroup:
    Type: AWS::IAM::Group
    Properties: 
      GroupName: AWS-admins
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess

### Custom User ###
  AWSAminIAMUser:
    Type: AWS::IAM::User
    Properties: 
      LoginProfile:
        Password: !Ref AWSAdminPassword
      Groups: 
        - !Ref AWSAdminIAMGroup
      Path: /
      UserName: !Ref UserName
Enter fullscreen mode Exit fullscreen mode

This user is suppose to have access through console, hence i provided the username and password.

The second user is for programmatic access to EKS API:

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Setting up a group and a user for EKS admin'

Resources:

## Custom Group ###
  EKSAminIAMGroup:
    Type: AWS::IAM::Group
    Properties: 
      GroupName: EKS-admins
      Path: /


### Custom User ###
  EKSAminIAMUser:
    Type: AWS::IAM::User
    Properties: 
      Groups: 
        - !Ref EKSAminIAMGroup
      Path: /

### Custom Policy ###
  EKSAdminIAMpolicy:
    Type: AWS::IAM::Policy
    Properties: 
      Groups:
        - !Ref EKSAminIAMGroup
      PolicyDocument: 
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'eks:*'
                Resource: '*'
      PolicyName: EKSAdminIAMpolicy
Enter fullscreen mode Exit fullscreen mode
  • Create Cloudformation stacks with these files to create the resources.
  • These files creates a group , user and a policy to attach to them.
  • To access the user from a local terminal, we need to configure the keys to the user a an AWS profile
  • After the role is created, Go to : AWS > IAM > Users > [User] > Security Credentials
  • Create Access Keys
  • Copy the Access Key ID and Secret Access Key
  • Open in your terminal:
nano ~/.aws/configure

$credentials
[SOME-PROFILE-NAME]
aws_access_key_id=<COPIED FROM AWS>
aws_secret_access_key=<COPIED FROM AWS>
Enter fullscreen mode Exit fullscreen mode
  • After configuring both user accounts, my configure file looks as such

  • My configure file looks as such:

[p-admin]
aws_access_key_id=FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE
aws_secret_acess_key=FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE

[p-eks]
aws_access_key_id=FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE
aws_secret_access_key=FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE
Enter fullscreen mode Exit fullscreen mode
  • After the profile is configured, we can make aws cli command referencing the profiles:
aws eks list-clusters --profile [p-eks] --region [REGION-NAME]
Enter fullscreen mode Exit fullscreen mode

The AWS Admin profile can be used to login to the portal as such:

IAM > User > [User Name]> [Security Credentials] > Assigned MFA device > Virtual MFA device
Enter fullscreen mode Exit fullscreen mode

Discussion (0)