Using AWS Identity and Access Management you can create separate users and permissions to use any AWS service, for instance EC2, and avoid giving other people your Amazon username, password or private key.
You can set very granular permissions, on users, groups, specific resources, and a combination of them. It will become really complex soon! But there are several very common use cases, that IAM is useful for. For instance having a AWS account for a team of developers.
Getting started
You can go through the Getting Started Guide, but I’ll save you some time:
Download IAM command line tools
Store your AWS credentials in a file, ie. ~/account-key
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY
Configure environment variables
export AWS_IAM_HOME=<path_to_cli> export PATH=$AWS_IAM_HOME/bin:$PATH export AWS_CREDENTIAL_FILE=~/account-key
Creating an admin group
When you have IAM setup, the next step is to create an Admins group where you can add yourself
iam-groupcreate -g Admins
Create a policy in a file, ie. MyPolicy.txt
{
"Statement":[{
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}
]
}
Upload the policy
iam-groupuploadpolicy -g Admins -p AdminsGroupPolicy -f MyPolicy.txt
Creating an admin user
Create an admin user with
iam-usercreate -u YOUR_NAME -g Admins -k -v
The response looks similar to this:
AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY arn:aws:iam::123456789012:user/YOUR_NAME AIDACKCEVSQ6C2EXAMPLE
The first line is your Access Key ID; the second line is your Secret Access Key. You need to save these IDs.
Save your Access Key ID and your Secret Access Key to a file called for instance ~/YOUR_NAME_cred.txt. You can use those credentials from now on instead of the global AWS credentials for the whole account.
export AWS_CREDENTIAL_FILE=~/YOUR_NAME_cred.txt
Creating a dev group
Let’s create an example dev group where the users will have only read access to EC2 operations.
iam-groupcreate -g dev
Now we need to set the group policy to allow all EC2 Describe* actions, which are the ones that allow users to see data, but not to change it. Create a file MyPolicy.txt with these contents
{
"Statement": [
{
"Sid": "EC2AllowDescribe",
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Now upload the policy
iam-groupuploadpolicy -g dev -p devGroupPolicy -f MyPolicy.txt
Creating dev users
To create a new AWS user under the dev group
iam-usercreate -u username -g dev -k -v
Create a login profile for the user to log into the web console
iam-useraddloginprofile -u username -p password
The user can now access the AWS console at
https://your_AWS_Account_ID.signin.aws.amazon.com/console/ec2
Or you can make life easier by creating an alias
iam-accountaliascreate -a maestrodev
and now the console is available at
https://maestrodev.signin.aws.amazon.com/console/ec2
About Policies
AWS policy files can be really complex. The AWS Policy Generator will help as a start point and see what actions can be used, but it won’t help you making them easier to read (using wildcards) or applying them to specific resources. Amazon could have provided a better generator tool allowing you to choose your own resources (users, groups, S3 buckets,…) from a easy to use interface and not having to lookup all sorts of crazy AWS identifiers. Hopefully they will be provide a comprehensive tool as part of the AWS Console.
There is more information available at the IAM User Guide.
Update
Just after I wrote this post Amazon has made IAM available in the AWS management console, which makes using IAM way easier.
Carlos Sanchez's Weblog 