DEV Community

Shakir for AWS Community Builders

Posted on • Originally published at networkandcode.github.io

aws iam > setup user via cli

Hey all, πŸ‘‹ we shall see the following in this post: πŸ“œ

  • Create a group
  • Attach policies ✍️ to the group
  • Create user
  • Add the user to the group
  • Generate access key for the user

AWS CLI

Ensure you have installed the aws cli. Once installed, set up the credentials and configuration similar to the ones below.

Credentials.

$ cat ~/.aws/credentials 
[default]
aws_access_key_id=<aws_access_key_id>
aws_secret_access_key=<aws_secret_access_key>
Enter fullscreen mode Exit fullscreen mode

Configuration.

$ cat ~/.aws/config 
[default]
region = us-east-2
Enter fullscreen mode Exit fullscreen mode

Create group

Let's create a group with the name developers-group.

$ aws iam create-group --group-name developers-group
{
    "Group": {
        "Path": "/", 
        "CreateDate": "2021-12-05T09:40:24Z", 
        "GroupId": "<GroupId>", 
        "Arn": "arn:aws:iam::<AccountId>:group/developers-group", 
        "GroupName": "developers-group"
    }
}
Enter fullscreen mode Exit fullscreen mode

List polices

There are several built in policies in AWS, πŸ’ͺ that avoids the need of creating custom polcies in most cases, let's try to retrieve policies associated with EC2. Note that I have used jq for parsing JSON.

$ aws iam list-policies | jq '.Policies[] | select(.PolicyName | contains ("EC2")) | .Arn'                                                                              
"arn:aws:iam::aws:policy/AmazonEC2FullAccess"
"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeploy"
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
"arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
"arn:aws:iam::aws:policy/aws-service-role/AWSEC2SpotFleetServiceRolePolicy"
"arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetAutoscaleRole"
"arn:aws:iam::aws:policy/CloudWatchActionsEC2Access"
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole"
"arn:aws:iam::aws:policy/aws-service-role/AWSAutoScalingPlansEC2AutoScalingPolicy"
"arn:aws:iam::aws:policy/aws-service-role/AWSEC2SpotServiceRolePolicy"
"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforDataPipelineRole"
"arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole"
"arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForEC2ScheduledInstances"
"arn:aws:iam::aws:policy/aws-service-role/AWSEC2FleetServiceRolePolicy"
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
"arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingEC2SpotFleetRequestPolicy"
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
"arn:aws:iam::aws:policy/AWSElasticBeanstalkCustomPlatformforEC2Role"
"arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds"
"arn:aws:iam::aws:policy/AmazonEC2RolePolicyForLaunchWizard"
"arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder"
"arn:aws:iam::aws:policy/aws-service-role/AWSEC2CapacityReservationFleetRolePolicy"
"arn:aws:iam::aws:policy/aws-service-role/EC2FleetTimeShiftableServiceRolePolicy"
"arn:aws:iam::aws:policy/AWSOpsWorksRegisterCLI_EC2"
"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeployLimited"
"arn:aws:iam::aws:policy/AWSApplicationMigrationEC2Access"
"arn:aws:iam::aws:policy/EC2InstanceConnect"
Enter fullscreen mode Exit fullscreen mode

Now let's try to find policies related to S3.

$ aws iam list-policies | jq '.Policies[] | select(.PolicyName | contains ("S3")) | .Arn'
"arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role"
"arn:aws:iam::aws:policy/AmazonS3FullAccess"
"arn:aws:iam::aws:policy/service-role/QuickSightAccessForS3StorageManagementAnalyticsReadOnly"
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
"arn:aws:iam::aws:policy/AmazonS3OutpostsFullAccess"
"arn:aws:iam::aws:policy/aws-service-role/S3StorageLensServiceRolePolicy"
"arn:aws:iam::aws:policy/aws-service-role/IVSRecordToS3"
"arn:aws:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy"
"arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess"
Enter fullscreen mode Exit fullscreen mode

Attach policy

Attach a relevant EC2 policy to the group.

$ aws iam attach-group-policy --group-name developers-group --policy-arn "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
Enter fullscreen mode Exit fullscreen mode

Now let's add a second policy to the group, this time related to S3.

$ aws iam attach-group-policy --group-name developers-group --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"
Enter fullscreen mode Exit fullscreen mode

So, the group now has read only access to EC2 and full access to S3.

Create user

Create a user with the name developer1.

$ aws iam create-user --user-name developer1
{
    "User": {
        "Path": "/",
        "UserName": "developer1",
        "UserId": "<UserId>",
        "Arn": "arn:aws:iam::<AccountId>:user/developer1",
        "CreateDate": "2021-12-05T10:02:02+00:00"
    }
}
Enter fullscreen mode Exit fullscreen mode

Add user

Add the developer1 user to developers-group, so that the user inherits the policies attached to the group.

$ aws iam add-user-to-group --group-name developers-group --user-name developer1 
Enter fullscreen mode Exit fullscreen mode

Nice they are asking for group name and user name here, πŸ™‚ unlike ARNs in cases where the names are not unique.

Access key

Generate access key for the user, and share it with the user, so that they can setup the credentials for AWS CLI, just like you did.

$ aws iam create-access-key --user-name developer1
{
    "AccessKey": {
        "UserName": "developer1",
        "AccessKeyId": "<AccessKeyId>",
        "Status": "Active",
        "SecretAccessKey": "<SecretAccessKey>",
        "CreateDate": "2021-12-05T10:14:20+00:00"
    }
}
Enter fullscreen mode Exit fullscreen mode

Verify

List the groups, the user belongs to.

$ aws iam list-groups-for-user --user-name developer1  
{
    "Groups": [
        {
            "Path": "/",
            "GroupName": "developers-group",
            "GroupId": "<GroupId>",
            "Arn": "arn:aws:iam::<AccountId>:group/developers-group",
            "CreateDate": "2021-12-05T09:40:24+00:00"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

List the polices, attached to the group.

{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        },
        {
            "PolicyName": "AmazonEC2ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

This way you can create different groups as required, attach relevant policies to the group, and add appropriate users to each group. And finally don't forget to generate the access key for each user, and share it with them, with out which they will not be able to login via the AWS CLI. Thank you !!! πŸ‘

--end-of-post--

Discussion (0)