Introduction to Amazon Web Services Identity and Access Management

With AWS Identity and Access Management (IAM) you can create separate users and permissions for any AWS service, for instance EC2, and avoid giving other people your Amazon username, password or private key.

You can set very granular permissions on users, groups, specific resources, and combinations of them. It can get really complex quickly, but there are several very common use cases that IAM is useful for, for instance sharing an AWS account with a team of developers.

Getting started

You can go through the Getting Started Guide, but I’ll save you some time:

Download IAM command line tools

Store your AWS credentials in a file, e.g. ~/account-key

AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY

Configure environment variables

export AWS_IAM_HOME=<path_to_cli>
export PATH=$AWS_IAM_HOME/bin:$PATH
export AWS_CREDENTIAL_FILE=~/account-key

Creating an admin group

When you have IAM set up, the next step is to create an Admins group where you can add yourself.

iam-groupcreate -g Admins

Create a policy in a file, e.g. MyPolicy.txt

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

Upload the policy

iam-groupuploadpolicy -g Admins -p AdminsGroupPolicy -f MyPolicy.txt

Creating an admin user

Create an admin user with

iam-usercreate -u YOUR_NAME -g Admins -k -v

The response looks similar to this:

AKIAIOSFODNN7EXAMPLE
wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY
arn:aws:iam::123456789012:user/YOUR_NAME
AIDACKCEVSQ6C2EXAMPLE

The first line is your Access Key ID; the second line is your Secret Access Key; the third is the user's ARN and the fourth its user ID. You need to save the Access Key ID and Secret Access Key now, because the secret is not shown again later.

Save your Access Key ID and your Secret Access Key to a file in the same format as above, called for instance ~/YOUR_NAME_cred.txt. From now on you can use those credentials instead of the global AWS credentials for the whole account.

export AWS_CREDENTIAL_FILE=~/YOUR_NAME_cred.txt
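As an added example (not code from the original post), here is a small Python helper that takes the four lines printed by iam-usercreate -k -v, checks they look like what the post shows, and writes them into the AWSAccessKeyId=/AWSSecretKey= format that AWS_CREDENTIAL_FILE expects, with the file readable only by its owner. The sample output below is constructed from the placeholder values used in the post.

```python
import os

# Constructed sample of the four lines printed by `iam-usercreate -u YOUR_NAME -g Admins -k -v`
# (the AWS documentation placeholder values used in the post, not real keys).
SAMPLE_OUTPUT = """AKIAIOSFODNN7EXAMPLE
wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY
arn:aws:iam::123456789012:user/YOUR_NAME
AIDACKCEVSQ6C2EXAMPLE
"""


def parse_usercreate_output(text):
    """Split the -k -v output into its four fields, sanity-checking each one."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) != 4:
        raise ValueError("expected 4 lines: access key id, secret key, user ARN, user id")
    access_key, secret_key, arn, user_id = lines
    if not (access_key.startswith("AKIA") and len(access_key) == 20):
        raise ValueError("line 1 does not look like an Access Key ID")
    if len(secret_key) < 40:
        raise ValueError("line 2 does not look like a Secret Access Key")
    if not arn.startswith("arn:aws:iam::"):
        raise ValueError("line 3 does not look like an IAM user ARN")
    return {"access_key": access_key, "secret_key": secret_key, "arn": arn, "user_id": user_id}


def credential_file_text(creds):
    """Render the two-line format the IAM CLI reads from AWS_CREDENTIAL_FILE."""
    return "AWSAccessKeyId=%s\nAWSSecretKey=%s\n" % (creds["access_key"], creds["secret_key"])


def write_credential_file(path, creds):
    """Create the file with mode 0600 so other local users cannot read the secret key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(credential_file_text(creds))
    os.chmod(path, 0o600)  # tighten the mode if the file already existed
    return path


if __name__ == "__main__":
    creds = parse_usercreate_output(SAMPLE_OUTPUT)
    print(write_credential_file(os.path.expanduser("~/YOUR_NAME_cred.txt"), creds))
```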

Creating a dev group

Let’s create an example dev group where the users will have only read access to EC2 operations.

iam-groupcreate -g dev

Now we need to set the group policy to allow all EC2 Describe* actions, which are the ones that let users see data but not change it. Create a file MyPolicy.txt with these contents

{
  "Statement": [
    {
      "Sid": "EC2AllowDescribe",
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Now upload the policy

iam-groupuploadpolicy -g dev -p devGroupPolicy -f MyPolicy.txt
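To see why the dev policy lets users look at EC2 but not touch it, here is an added example (not code from the original post) that evaluates both group policies from this post against action names the way IAM does at a high level: default deny, wildcard matching on the action, and an explicit Deny overriding any Allow. It goes beyond the post by handling Deny statements; it deliberately ignores NotAction, Conditions and Principal.

```python
import fnmatch

# The two group policies from the post, as Python dicts.
ADMINS_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEV_POLICY = {"Statement": [{"Sid": "EC2AllowDescribe",
                             "Action": ["ec2:Describe*"],
                             "Effect": "Allow",
                             "Resource": "*"}]}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are matched case-sensitively.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policies, action, resource="*"):
    """Simplified IAM decision: nothing is allowed unless some statement allows it,
    and a matching Deny statement wins over every Allow."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            hit = (any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
                   and any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])))
            if not hit:
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_actions(policies, actions):
    """Map each action to its decision; useful for reviewing a policy before uploading it."""
    return {a: is_allowed(policies, a) for a in actions}


if __name__ == "__main__":
    for action, ok in check_actions([DEV_POLICY], ["ec2:DescribeInstances",
                                                   "ec2:TerminateInstances", "s3:ListBucket"]).items():
        print("%-24s %s" % (action, "allow" if ok else "deny"))
```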

Creating dev users

To create a new AWS user under the dev group

iam-usercreate -u username -g dev -k -v

Create a login profile for the user to log into the web console

iam-useraddloginprofile -u username -p password

The user can now access the AWS console at

https://your_AWS_Account_ID.signin.aws.amazon.com/console/ec2

Or you can make life easier by creating an alias

iam-accountaliascreate -a maestrodev

and now the console is available at

https://maestrodev.signin.aws.amazon.com/console/ec2

About Policies

AWS policy files can be really complex. The AWS Policy Generator is a good starting point for seeing what actions are available, but it won't help you make policies easier to read (using wildcards) or apply them to specific resources. Amazon could have provided a better generator tool that lets you choose your own resources (users, groups, S3 buckets, …) from an easy-to-use interface instead of having to look up all sorts of cryptic AWS identifiers. Hopefully they will provide a comprehensive tool as part of the AWS Console.

There is more information available at the IAM User Guide.

Update

Just after I wrote this post, Amazon made IAM available in the AWS Management Console, which makes using IAM much easier.

Eclipse IAM WTP support, now EARs too

I recently had some time to spend in Eclipse IAM, working on improving the WTP support.

Version 0.11.0 already had good support for WAR projects, including WAR overlays (which was a bit tricky to implement in Eclipse). Now the latest builds of the upcoming 0.12.0 version have EAR support.

You can import your Maven EAR projects and Eclipse will recognize the Maven-generated application.xml and automatically configure the dependencies on the other WAR projects open in the workspace, with no extra configuration from you. And from the usual WTP "Run on Server" wizard you can run the EAR project and all its associated WAR files in your favorite application server.

You can install the development builds of 0.12 from http://q4e.googlecode.com/svn/trunk/updatesite-dev/ until it’s released, and check the installation instructions for requirements or if you have issues. For help and feedback, we have a newsgroup at Eclipse.

Eclipse IAM 0.11.0, Archiva 1.3, Continuum 1.3.5

This is definitely release week! After Archiva 1.3 and Continuum 1.3.5 beta, I’ve just pushed the new release of Eclipse IAM 0.11.0:

This new version includes most notably

P2 Update site is published at http://q4e.googlecode.com/svn/trunk/updatesite-iam/

Ganymede users (Eclipse 3.4) should make sure they have added all the update sites listed in the installation instructions. If P2 complains about missing dependencies, check the update sites again.

Adopters of the latest and greatest Eclipse Galileo can install from the update site as usual.

If upgrading from Q4E 0.8.1 or earlier, some extra steps must be followed.

The list of changes is available on the eclipse wiki.

Note that this is not an official Eclipse release; we publish it so that our users can enjoy the progress made until we complete the move to the foundation and clear all the IP issues involving the Maven embedder.