Everything needs permission to perform tasks in AWS. If you don't already understand IAM users and roles, you're missing an important part of AWS. In this article, you will learn, step-by-step, how to create an Identity and Access Management (IAM) user and an IAM role to control permissions.
IAM is an AWS service that allows you to interact with using for tasks like accessing the AWS Management Console, connecting with various tools and more. Sit back and learn how to get started with IAM and build a brand new IAM user and role.
This article is structured like a tutorial. You will get a hands-on look at how to create an IAM role and an IAM user for authentication to AWS cloud services. There is a boundless amount of different IAM roles and users that can be created. Some are pre-defined and others you can fully customize.
In this tutorial you will:
- Create an IAM user in the AWS console
- Assign programmatic access to the user
- Attach IAM existing policies to the user
- Create an IAM Lambda role in the AWS console
- Assign permissions to the IAM role
When creating a new IAM user in AWS, you can use two methods for access, console access and programmatic access. Console access gives users access to log into the AWS console by using the UI and programmatic access gives users access to work with the AWS SDK.
Enough talk, let's get started!
Creating an IAM User
Your first task will be to create an IAM user. An IAM user allows you to authenticate across many different AWS services. To create the IAM user, first navigate to IAM in the management console. You will see a welcome page with IAM Resources as shown in the screenshot below.
Click on Users on the left-hand side of the screen.
Once you are on the Add user page, click the Add User button. You will see a two options: User name which can be anything you'd like and Access type. Access type indicates how the IAM user will be used.
If you plan to connect to AWS via tool like the AWS CLI IAM, SDK or other, choose Programmatic access. If you're setting up a user to access the management console only, choose AWS Management Console access. For this demonstration, check the box next to Programmatic access.
Click on Next: Permissions to get started assigning permissions.
Assigning IAM User Permissions
Once you've defined the username, it's time to start assigning permissions to this user. Permissions give the IAM user the ability to interact with various AWS services through policies.
Before assigning permissions, always track down what permissions the user will need. Do not assign overly lax permissions!
For this article, no specific permissions are necessary. Let's find a few existing policies to attach to this IAM user. Click on Attach existing policies directly and search for an example policy called AWSLambdaFullAccess. This policy is used for an AWS Lambda function.
Once the permissions are attached to the user, click the Next: Tags button. Tags are a great way to organization resources in AWS. For this tutorial though, they aren't necessary
Completing IAM User Setup
At this point, the IAM user set up is complete. Click the Create user button as seen below to create the IAM user.
Now that the user is created, you'll be presented with two critical pieces of information - the Access Key ID and the Secret access key. You will need to provide these two items to the AWS CLI and other tools to successfully authenticate to AWS.
The secret access key is only displayed once. Be sure to copy and store it in a safe place like a password manager.
Once you've copied the access key ID and the secret access key, it's time to create the IAM role.
Creating an IAM Role
In the last section, you created an IAM user and assigned permissions directly to it. But what if you have a more complex setup that needs that set of permissions available to multiple users? One way to do that is with IAM roles.
IAM roles are essentially "groups" of permissions that various users can attach to inherit those permissions. In this section, you're going to create a role for the AWS Lambda service.
To get started, navigate to IAM and instead of clicking on Users, click on Roles this time. Once the page comes up, click on the Create role button as you can see below.
Assigning a Type of Role
The next step is to tell IAM what you're going to use this role for. For this tutorial, choose AWS service. Since the role to create will be used by Lambda, choose Lambda or whatever service you intend this role to access.
When you're done, click on the Next: Permissions button as shown below.
Attaching IAM Role Permission Policies
The next step is to assign a policy or policies to the role. For this example, we'd like the role to have full control over all EC2 instances in the account. Filter the policies by typing AmazonEC2Full in the Filter policies box and the policy should come up.
When the policy shows up, select the checkbox by the policy and click on Next: Tags to continue to the tags screen.
Since we don't need to assign any tags to this role, click the Next: Review button.
Completing IAM Role Setup
The final screen allows you to review all settings before actually creating the role. You will see five fields - Role name, Role description, Trusted entities, Policies and Permissions boundary.
- Role description - this is generated by default but you can change it to your liking
- Trusted entities - IAM users are associated with a specific person. IAM roles are different. An IAM role is instead a trusted entity which assumes a task to achieve. In this tutorial, that task is to create an EC2 instance.
Provide a Role name and click Create role as shown below.
You have now successfully created an IAM role!
In this blog post, you took a hands-on approach to create IAM users and roles. While working with IAM users and roles, you created permissions. You ensured while creating permissions that the IAM user and IAM role had permissions attached so they could access AWS resources. Once an IAM user and role is created, you can attach various policies. Using the AWS console you created the necessary IAM user, role, and attached the needed policies.
For your next challenge, create a custom IAM role that doesn't have a pre-made policy. This link should help get you started.
Subscribe to Adam the Automator
Get the latest posts delivered right to your inbox