02 Feb 2020 - tsp
Last update 09 Jul 2020
First log into the AWS console with your newly created root user. If possible, assign your root user a 2FA device such as your YubiKey. This is a highly recommended step. Do so in your user’s login settings. After that, create a new IAM admin user for administrative access. You should never use your root user for such access.
First search for the IAM application in the search box. Select User and select the Add User command. Enter the desired username (most of the time this will be an e-mail address or any other account-wide unique identifier; it doesn’t have to be globally unique since it’s used only inside your application, and if used for logging into the console the application ID is used in conjunction with the login information).
Select which access type you want to use. For access using the CLI tools or one of the integration SDKs, Jenkins plugins, etc., select Programmatic access; for interactive access to the web interface select Access to management console. One can also select both if a user should be capable of both access methods. Of course, one can also create the keys required for programmatic access later on through the IAM console.
If you want to use the user account yourself (as a replacement for your root account) you can define your own custom password. If it should be used by a third party, select automatically generated password. In this case you should always select the option to enforce a password change after creation.
In the next step assign the user to the given roles (user groups). For admin access add the user to the AdministratorAccess group. If you like, you can add some tags to the user(s). These are used for resource groups, so they are especially interesting for service users.
After that you can commit the user creation. In case of programmatic access the access key ID and secret are displayed; you have to store them now, since they won’t be accessible later on. You should also take note of the user password and pass the login link (including the application ID) and the password to the desired user.
If you want to provide your administrators access to IAM you should modify the Administrator group to include the IAMFullAccess ruleset. This can be done in the dashboard at the group settings. Select the desired group and select Append Ruleset. Then search for IAMFullAccess to grant the group full access to IAM.
Log out of your account and, if the account was created on your behalf, log in with your new admin account. Change your password if prompted to and, if possible, enable 2FA using your YubiKey in your account’s login information.
On FreeBSD install the CLI tools either from ports or packages using either
sudo pkg install devel/awscli
or (as root user)
cd /usr/ports/devel/awscli
make install clean
After that you can configure AWS CLI tools with the previously generated credentials using
aws configure
Enter the AWS access key ID and AWS secret access key as generated for programmatic access during account creation. If you haven’t created one during the account creation (or the IAM account has been created on your behalf by a third party) log into your AWS console and search for the IAM application. Select your user, select the security/login information tab, scroll down to access key and create a new one.
After that configure your default region name. One should choose the region that best fits one’s application (i.e. the region to which one wants to deploy most of the time). In our example we choose eu-central-1 since this had the fewest hops into the network topological region our application targeted.
At the end select json as default output format:
$ aws configure
AWS Access Key ID [None]: ********************
AWS Secret Access Key [None]: ********************
Default region name [None]: eu-central-1
Default output format [None]: json
If you want to change any of the selected parameters simply re-run the aws configure command. For any fields that you don’t want to change, simply accept the current value by pressing enter.
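Once the CLI is configured, it is worth confirming that it really runs as the IAM admin user and that the root user is protected as recommended above. The following check is an added example, not part of the original article: it evaluates the JSON returned by aws sts get-caller-identity and aws iam get-account-summary. The account ID, user name and sample documents are constructed placeholders, and the function names are hypothetical.

```python
import json
import subprocess

# Constructed sample outputs; account ID and user name are placeholders.
SAMPLE_ROOT_IDENTITY = ('{"UserId": "123456789012", "Account": "123456789012",'
                        ' "Arn": "arn:aws:iam::123456789012:root"}')
SAMPLE_ADMIN_IDENTITY = ('{"UserId": "AIDAEXAMPLEEXAMPLE", "Account": "123456789012",'
                         ' "Arn": "arn:aws:iam::123456789012:user/admin@example.com"}')
SAMPLE_WEAK_SUMMARY = ('{"SummaryMap": {"AccountMFAEnabled": 0,'
                       ' "AccountAccessKeysPresent": 1, "Users": 1}}')
SAMPLE_GOOD_SUMMARY = ('{"SummaryMap": {"AccountMFAEnabled": 1,'
                       ' "AccountAccessKeysPresent": 0, "Users": 1}}')


def audit(identity_json, summary_json):
    """Return a list of findings for the two JSON documents (empty list = OK)."""
    findings = []
    arn = json.loads(identity_json).get("Arn", "")
    # The root user's ARN ends in ":root"; IAM users contain ":user/<name>".
    if arn.endswith(":root"):
        findings.append("CLI is configured with root credentials")
    summary = json.loads(summary_json).get("SummaryMap", {})
    # AccountMFAEnabled is 1 when the root user has an MFA device assigned.
    if summary.get("AccountMFAEnabled") != 1:
        findings.append("root user has no MFA device")
    # AccountAccessKeysPresent is 1 when the root user owns access keys.
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user has access keys")
    return findings


def run_cli(*args):
    """Run the aws CLI with the stored credentials and return its JSON text."""
    return subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True).stdout


def audit_live():
    """Audit the account behind the credentials written by `aws configure`."""
    return audit(run_cli("sts", "get-caller-identity"),
                 run_cli("iam", "get-account-summary"))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for finding in audit(SAMPLE_ROOT_IDENTITY, SAMPLE_WEAK_SUMMARY):
        print("FINDING:", finding)
```

Call audit_live() instead of the sample run to check the real account; it needs the aws command on the PATH and a user allowed to read the IAM account summary.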
Dipl.-Ing. Thomas Spielauer, Wien (webcomplains389t48957@tspi.at)
This webpage is also available via TOR at http://coihcmhmb6cg6bvtelykwlte45yqhxkl6ffdoco5kc3a4qn3uno53oqd.onion/