Using AWS Identity and Access Management you can create separate users and permissions to use any AWS service, for instance EC2, and avoid giving other people your Amazon username, password or private key.
You can set very granular permissions, on users, groups, specific resources, and a combination of them. It will become really complex soon! But there are several very common use cases, that IAM is useful for. For instance having a AWS account for a team of developers.
You can go through the Getting Started Guide, but I’ll save you some time:
Download IAM command line tools
Store your AWS credentials in a file, ie.
Configure environment variables
Creating an admin group
When you have IAM setup, the next step is to create an Admins group where you can add yourself
iam-groupcreate -g Admins
Create a policy in a file, ie.
Upload the policy
iam-groupuploadpolicy -g Admins -p AdminsGroupPolicy -f MyPolicy.txt
Creating an admin user
Create an admin user with
iam-usercreate -u YOUR_NAME -g Admins -k -v
The response looks similar to this:
The first line is your Access Key ID; the second line is your Secret Access Key. You need to save these IDs.
Save your Access Key ID and your Secret Access Key to a file called for instance
~/YOUR_NAME_cred.txt. You can use those credentials from now on instead of the global AWS credentials for the whole account.
Creating a dev group
Let’s create an example dev group where the users will have only read access to EC2 operations.
iam-groupcreate -g dev
Now we need to set the group policy to allow all EC2
Describe* actions, which are the ones that allow users to see data, but not to change it. Create a file MyPolicy.txt with these contents
Now upload the policy
iam-groupuploadpolicy -g dev -p devGroupPolicy -f MyPolicy.txt
Creating dev users
To create a new AWS user under the dev group
iam-usercreate -u username -g dev -k -v
Create a login profile for the user to log into the web console
iam-useraddloginprofile -u username -p password
The user can now access the AWS console at
Or you can make life easier by creating an alias
iam-accountaliascreate -a maestrodev
and now the console is available at
AWS policy files can be really complex. The AWS Policy Generator will help as a start point and see what actions can be used, but it won’t help you making them easier to read (using wildcards) or applying them to specific resources. Amazon could have provided a better generator tool allowing you to choose your own resources (users, groups, S3 buckets,…) from a easy to use interface and not having to lookup all sorts of crazy AWS identifiers. Hopefully they will be provide a comprehensive tool as part of the AWS Console.
There is more information available at the IAM User Guide.
Just after I wrote this post Amazon has made IAM available in the AWS management console, which makes using IAM way easier.