neetu-mallan
AWS CLI: Creating IAM User & Role with PowerUserAccess

Having used the AWS Management Console for a while now, I wanted to switch over to developer tools, beginning with the AWS CLI, and use them quite extensively.

To start with, I created a new Free Tier account with a root user.

To use the AWS CLI, install it on your local machine by following the steps at: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Step 1: Create access keys for the root user.

Though not a good practice, this step helped me to create the IAM user from scratch on the CLI. I deleted the root access keys once the IAM user was created and had generated and been assigned its own access keys. Download the csv file from the Management Console & store it in a secure location on your computer.

Step 2: Setting up the CLI to use the access keys of the root user & create an IAM user
Execute the below commands:

  • Provide the access keys to set up the CLI to operate using the root user's credentials

aws configure

  • Create a group named "Developers" and an IAM user named "Neetu", then add the user to the group and confirm the membership.

aws iam create-group --group-name Developers

aws iam create-user --user-name Neetu

aws iam add-user-to-group --user-name Neetu --group-name Developers

aws iam get-group --group-name Developers

  • Generate access keys for the IAM user & store them in a file on your local system (the file contains the secret access key, so keep it in a secure location like the root csv)

aws iam create-access-key --user-name Neetu > access_keys_iamuser.txt

  • Attach a permissions policy to the IAM user so that it can create a role & attach a policy to that role. Replace XYZ in the Resource ARN with your AWS account ID; the ARN pattern arn:aws:iam::XYZ:role/* limits the user to roles in that account and nothing else.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy"
      ],
      "Resource": "arn:aws:iam::XYZ:role/*"
    }
  ]
}

  • Delete the access keys of the root user

aws iam delete-access-key --access-key-id <ACCESS_KEY_ID>

Replace <ACCESS_KEY_ID> with the access key ID from the credentials csv you downloaded in Step 1.

  • Re-run the aws configure command, this time with the IAM user's credentials from access_keys_iamuser.txt

  • Create a trust policy JSON file (assume-role-policy-template.json) that allows the IAM user to assume the role. PRINCIPAL_ARN is a placeholder that is replaced with the user's ARN in the next steps.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "PRINCIPAL_ARN"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  • Store the ARN of the current caller, which is now the IAM user, in a shell variable:

PRINCIPAL_ARN=$(aws sts get-caller-identity --query Arn --output text)

echo "$PRINCIPAL_ARN"

The echo prints the ARN so you can check that the variable is set correctly.

  • Substitute this ARN for the placeholder in assume-role-policy-template.json and write the result to assume-role-policy.json. The sed expression must be in double quotes; with single quotes the shell does not expand ${PRINCIPAL_ARN} and the literal text ends up in the policy.

sed "s|PRINCIPAL_ARN|${PRINCIPAL_ARN}|g" assume-role-policy-template.json > assume-role-policy.json

  • Create a role with the trust relationship with the principal ARN as the user

ROLE_ARN=$(aws iam create-role --role-name PowerUserAccessRole --assume-role-policy-document file://assume-role-policy.json --output text --query Role.Arn)

This command creates a role named "PowerUserAccessRole" whose trust policy allows the IAM user to call sts:AssumeRole on it.

Note: Do not forget the file:// prefix even if you have provided the complete path to assume-role-policy.json; without it the command reports a malformed/invalid JSON error, which is not intuitive.
(Complete error: when calling the CreateRole operation: This policy contains invalid Json)

  • Assume the role using the command below; it returns temporary credentials with an expiry time:

aws sts assume-role --role-arn $ROLE_ARN --role-session-name DeveloperAccess

{
  "Credentials": {
    "AccessKeyId": "",
    "SecretAccessKey": "",
    "SessionToken": "",
    "Expiration": "2022-08-12T13:13:21+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAZP4BSRA3LG6JASGGG:DeveloperAccess",
    "Arn": "arn:aws:sts::652569905206:assumed-role/PowerUserAccessRole/DeveloperAccess"
  }
}
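The whole role workflow above as one script, added here as an example and not code from the original post. It keeps the post's role name, session name and the PRINCIPAL_ARN/ROLE_ARN variable names; the function names, the policy name AllowRoleCreation and the file name user-role-admin-policy.json are my own choices. It also contains the two commands the steps describe but do not show, put-user-policy for the user's inline policy and attach-role-policy for the PowerUserAccess managed policy (arn:aws:iam::aws:policy/PowerUserAccess), and it uses double quotes around the sed expression so the shell really expands the principal ARN. The rendering functions run offline; the AWS calls only happen when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's role workflow in one script.
# Differences from the post, all deliberate:
#  - the sed substitution uses double quotes, so the principal ARN really expands
#  - the trust policy can also be rendered without a template file (render_trust_policy)
#  - the user's inline policy is attached with put-user-policy and PowerUserAccess is
#    attached to the role; the post describes both outcomes but shows neither command
# Function names, AllowRoleCreation and user-role-admin-policy.json are my own choices.

# Render the trust policy for one principal (the IAM user's ARN in $1). No AWS call.
render_trust_policy() {
  printf '{\n  "Version": "2012-10-17",\n  "Statement": [\n    {\n      "Effect": "Allow",\n      "Principal": { "AWS": "%s" },\n      "Action": "sts:AssumeRole"\n    }\n  ]\n}\n' "$1"
}

# The post's sed step with the quoting fixed: $1 is the template file, $2 the principal ARN.
# With single quotes the shell would leave the literal text ${PRINCIPAL_ARN} in the JSON
# and CreateRole would reject the principal.
render_from_template() {
  sed "s|PRINCIPAL_ARN|$2|g" "$1"
}

# Render the post's user permissions policy for the account id in $1. The resource is the
# role ARN pattern, so the user may create roles and attach policies to them, nothing else.
render_user_policy() {
  printf '{\n  "Version": "2012-10-17",\n  "Statement": [\n    {\n      "Sid": "VisualEditor0",\n      "Effect": "Allow",\n      "Action": [ "iam:CreateRole", "iam:AttachRolePolicy" ],\n      "Resource": "arn:aws:iam::%s:role/*"\n    }\n  ]\n}\n' "$1"
}

# Everything below talks to AWS. grant_role_admin_to_user needs the root (or an admin)
# profile, because the new user cannot grant itself permissions; the rest needs the CLI
# configured with the IAM user's own keys, as in the post.

# Attach the inline policy to the user. $1: user name, $2: account id.
grant_role_admin_to_user() {
  render_user_policy "$2" > user-role-admin-policy.json
  aws iam put-user-policy --user-name "$1" --policy-name AllowRoleCreation \
      --policy-document file://user-role-admin-policy.json
}

# Create the role trusting the caller, attach PowerUserAccess, print the role ARN.
create_power_user_role() {
  role_name="${1:-PowerUserAccessRole}"
  PRINCIPAL_ARN=$(aws sts get-caller-identity --query Arn --output text) || return 1
  render_trust_policy "$PRINCIPAL_ARN" > assume-role-policy.json
  ROLE_ARN=$(aws iam create-role --role-name "$role_name" \
      --assume-role-policy-document file://assume-role-policy.json \
      --query Role.Arn --output text) || return 1
  # Without this the role exists but grants no permissions at all.
  aws iam attach-role-policy --role-name "$role_name" \
      --policy-arn arn:aws:iam::aws:policy/PowerUserAccess || return 1
  printf '%s\n' "$ROLE_ARN"
}

# Assume the role and print only the expiry, keeping the secret out of the terminal scrollback.
assume_role_expiry() {
  aws sts assume-role --role-arn "$1" --role-session-name DeveloperAccess \
      --query Credentials.Expiration --output text
}

# Only touch AWS when asked explicitly:  sh role.sh run
if [ "${1:-}" = "run" ]; then
  ROLE_ARN=$(create_power_user_role PowerUserAccessRole) || exit 1
  assume_role_expiry "$ROLE_ARN"
fi
```

Run the rendering functions first and inspect the JSON they produce before running the script with the run argument; the trust policy must show the user's ARN, not the literal placeholder, or CreateRole fails.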

The above commands help us to create an IAM user & follow the principle of least privilege by assigning a PowerUserAccessRole to the user. Temporary credentials are generated so that the IAM user can perform limited functions until the session token expires.

The inspiration for this article is the first recipe in the AWS Cookbook, which I have improvised on further to get a better understanding of using the AWS CLI.
