Thursday 12 October 2017

Create a user from IAM in AWS

Background

In this post we will see how we can create a new user using IAM in AWS. We will also see couple of things around IAM as well. But the goal is to create a new user and see how we can use it to connect to AWS from command line.


IAM is Identity access management. IAM is service used to create and manage access to AWS. This includes user and group management. 

IAM - Identity access management

Once you land on IAM dashboard you should be able to see a summary of what you have already in place - users, groups , roles etc.

NOTE :  IAM is global. There is no region associated to it. You can notice this in top right corner where you see region selected for various AWS services.



Now go to Users tab. Now click on Add users. Next select the username and then select the access type -

Programmatic access : Enables an access key ID and secret access key for the AWS API, CLI, SDK, and other development tools.
AWS Management Console access : Enables a password that allows users to sign-in to the AWS Management Console. 

You can select both as well. Console access is associated with an username and password where as programmatic access corresponds to access key id and secret access key. 

NOTE : you cannot use accesskey id and secret access key to log into console and you cannot use username and password to programmatically access AWS. Also  by default user created will have no permissions.

For now let's create a user with just programmatic access. I am using username as aniket which is my name.




Next step is to add permissions. This essentially tells what is the intent of this user. You can 
  1. Either assign user to a group (which has set of permissions)
  2. Copy permissions from existing user
  3. or assign one of the predefined permissions
I am going to take 3rd route. What I really want to do is allow this user with administrator privileges but not allow to change IAM setting - Power user is exactly what we need. So go ahead and select that -

 

Finally review and create your user. You should now see your access key and secret key. Note it down somewhere. You can also download it as CSV - there is an option to do so on top left corner.




NOTE : These credentials are shown only once on creation. So you can download and store the csv in secure location. If you loose then you will have to regenerate these.

 
That's it now lets see how we can use this to access AWS. If it was console access you could directly go to AWS console , use username password from csv and log in. Since this is programmatic we need to use AWS CLI (command line interface.)

As you can see in above link AWS cli is program you need to download and configure it on your local machine. I am going to use my EC2 instance running Amazon Linuz AMI. It has AWS Cli integrated.

Try running

  • aws s3 ls
This is suppose to list all your buckets. However this does not work and gives "Unable to locate credentials error". That means you need to configure your AWS cli to tell it your access key and secret key.

So type

  • aws  configure
You need to provide access key, secret key as we had downloaded it from IAM console in the csv file.



NOTE : Please don't use above creds. I have already deleted those. You can generate creds specific to your user and use it there.

These creds are stored in path ~/.aws/credentials file.


You can view all the AWS region names here -

Since I am based out of Mumbai, India I am going to use - "ap-south-1". As you can see athakur is a bucket created in my S3.

NOTE :  Though this is an option it is not recommended. what if you have this across 10 EC2 instances and one of it is compromised. You will generate new creds and apply to all? Definitely not a good way. You need to use IAM roles for this. You need to create a role for EC2 that provides access only to S3.

 NOTE : IAM can integrate with AD to add SSO functionality.

Related Links

Hosting a static website on Amazon AWS using EC2

Background

This post assumes you are familiar with Amazon AWS services, specially EC2 which we are going to use today to see how we can deploy a static website in a minute. If not kindly refer to my earlier posts in the same -


 Hosting a static website on Amazon AWS using EC2

Go ahead and launch Amazon Linux AMI on EC2. Keep all the configurations default except the security group. We are not really interested in others. In security group you need to allow ports corresponding to, ssh (22), http (80) and https(443) protocols. We are going to use http protocol for this demo. It looks like following for me -




 NOTE :  We need to SSH into your EC2 instance to host our static website. So we need that port open.

Once you have SSHed into your machine. If you don't know how to do this please refer my earlier post (linked in background and related links section). Once done follow below steps -
  1. sudo su 
  2.  yum update
  3. yum install httpd
  4. service httpd status
  5. service httpd start
  6. chkconfig httpd on
 Understanding above commands -
  1.  sudo su will elevate your role to super user. You really don't need this. But I generally do it since I like root user :)
  2. Do a update just to ensure you have the latest patches installed so that you are covered from a security standpoint.
  3. Next install httpd. This is a http daemon used to hist your static website. This essentially listens on port 80 (http) and serves request back. More details on Wiki.
  4. Next we check whether httpd daemon is up and running. service is the command used for that. 1st run should say that this service is stopped.
  5. Now you can start up this service with same command but using start. Again you can rerun above command just to make sure your service is up and running.
  6. chkconfig checks whether service is configured for startup. This commands guarantees httpd service starts on system startup.




 Now that we have out httpd service up and running, you can simply hit your public DNS and see what you can view. It should ideally show your default apache page like follows -




 You can get the public DNS from your EC2 dashboard -





 Now lets try to show our custom webpage. For this go to -
  • /var/www/html
Here create a file called index.html and paste your html content there and save it.




 That's it. Refresh your page and see if you can view your html changes.


 Let me know if there are any questions. Thanks.


If you want to see how a static website directly from S3 you can view following video -





Related Links




t> UA-39527780-1 back to top