AWS CLI Basics – Part 3

Introduction

In previous posts on this topic, we learned how to install, configure and use AWS CLI. We also learned how to create a static S3 based website using AWS CLI. Today’s we’ll learn a few basics about IAM Users, Groups, and permission management.

Creating IAM Users is a very common task, however managing each individual user’s permission is a tedious task, that’s where a user group can simplify a lot.

In nutshell, we can create user group(s) and configure permissions for that group. Then we can add many users to the group and this way, all users in the group will have those permissions.

We can create many groups e.g. admins, devs, operators, managers, etc. Let’s start by first creating an IAM User using CLI.

Creating an IAM User

The following create-user command will create a user ‘dev3’:

aws iam create-user --user-name dev3

Here is the output of that command:

If later, you want to see that user information again, you can use the get-user command:

aws iam get-user --user-name dev3

And here is the output of command execution:

Create Access Key for User

After creating an IAM user, we need an access key to give them access, otherwise, the user won't be able to do any action. Let’s check the access-key for user dev3 by executing list-access-keys command as shown below:

aws iam list-access-keys --user-name dev3

And here is the output of this command execution:

As we can see that there is no information about access keys for this user (make sense, as we just created this user and nothing more is set up).

Ok, let's create an access key for this user using create-access-key command:

aws iam create-access-key --user-name dev3

And here is the output of this command:

Now if we use list-access-keys command again, it will show us the access key.

Now, you should make a note of this access key and transfer it to the corresponding user in some way.

With IAM User setup, let’s create a Group.

Create a Group and Configuring Permissions

Similar to the above command, the following is the syntax to create a Group (devs):

aws iam create-group --group-name devs

Next, to define, group permissions, we could create our own JSON formatted policy document and attach it to this group or we can use any pre-built Amazon policy which serves our purpose.

One such policy AmazonEC2FullAccess is suitable for purpose if you want to give group administrative permission to EC2 resources. We’ll need ARN of that policy for this purpose.

Here is one helper command which does some bash magic to filter AWS Policy for words AmazonEC2 and the Access:

aws iam list-policies | grep AmazonEC2 | grep Access

Here is the output of this command:

Note the ARN of this policy, we will use it in the next command when attaching this policy to the group.

Let’s attach this policy to the group by executing the following command:

aws iam attach-group-policy ` --policy-arn  arn:aws:iam::aws:policy/AmazonEC2FullAccess ` --group-name devs

The output of the command:

Now devs group has this policy attached.

Add User to Group

We have now a user dev3 and a group devs with permissions setup, now it's time to add this user to the group.

Here is the command which will add user dev3 to group devs:

aws iam add-user-to-group ` --group-name devs ` --user-name dev3

Now, if we want, we can check in AWS Web Consoles, that our group and user is set up properly:

IAM Group:

IAM User:

Summary

In this post, we learned how to create a user, group and attach an access policy to the group. We also learned how to create an access key for the user and how to add a user to a group. We did all these operations using AWS CLI.

Let me know If you have any questions or comments. Till next time, happy coding.