IAM CLI – Users and Roles (40, 41)

  Amazon Web Services (AWS)

Create a User with AdministratorAccess
Create a Role with AdministratorAccess

Creating a User with AdministratorAccess

This method is not recommended because it poses a security risk: the user's access keys are long-lived credentials that end up in plain text on the instance! Use Roles instead.


  • The AWS CLI (command line interface) is pre-installed by default on the Amazon Linux AMI

Create a user

  • Security, Identity & Compliance > IAM (Identity and Access Management) > Users > [Add user]
  • Set user details
    • User name = myHelloUser
  • Select AWS Access type
    • [x] Programmatic
    • [ ] AWS Management Console access
    • [Next: Permissions]
  • Set permissions for myHelloUser
    • Add existing policies directly >
    • [x] AdministratorAccess
    • [Next: Review]
  • Review
    • [Create user]
  • Download the CSV file with the access credentials! The secret access key is shown only at this point and cannot be retrieved later.

Using the CLI

aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".

Enter the values from the .csv file (or copy them from the screen shown when you created the user):

aws configure
AWS Access Key ID [None]: AK..Q2
AWS Secret Access Key [None]: Cx....qc
Default region name [None]: us-east-2
Default output format [None]:
aws s3 ls
2017-08-09 23:37:03 thomasandsofia
2017-08-16 22:18:23 thomasandsofia-singapore
cat ~/.aws/config
[default]
region = us-east-2
cat ~/.aws/credentials
[default]
aws_access_key_id = AK..Q2
aws_secret_access_key = Cx....qc
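The two files above are exactly what the CLI reads: ~/.aws/config holds the region, and ~/.aws/credentials holds the user's long-lived keys in plain text, which is the risk the note at the top refers to. The following Python script is an added example (not from the original page) that loads both files in the same INI layout, works out how each profile obtains credentials, and lists the profiles backed by static user keys. The sample file contents, the key values and the profile name admin are constructed for the example.

```python
"""Audit ~/.aws/credentials and ~/.aws/config for profiles that rely on static keys."""
import configparser
import os

# Constructed sample file contents (not real keys or accounts).
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = EXAMPLESECRETEXAMPLESECRETEXAMPLE
"""
SAMPLE_CONFIG = """\
[default]
region = us-east-2

[profile admin]
role_arn = arn:aws:iam::111111111111:role/S3-Admin-Access
source_profile = default
region = us-east-2
"""


def load_profiles(credentials_text, config_text):
    """Merge both files into {profile_name: {key: value}}.
    In ~/.aws/config every non-default section is named 'profile NAME';
    in ~/.aws/credentials sections are just 'NAME'."""
    profiles = {}
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    for section in creds.sections():
        profiles.setdefault(section, {}).update(creds[section])
    conf = configparser.ConfigParser()
    conf.read_string(config_text)
    for section in conf.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles.setdefault(name, {}).update(conf[section])
    return profiles


def classify(profile):
    """'static-key'  : long-lived user keys stored on disk (the page's 'user' method)
       'assume-role' : chains to an IAM role via role_arn (+ source_profile)
       'process'     : credentials come from an external credential_process
       'none'        : nothing usable; the CLI will fall back to the instance role."""
    if "aws_access_key_id" in profile:
        return "static-key"
    if "role_arn" in profile:
        return "assume-role"
    if "credential_process" in profile:
        return "process"
    return "none"


def static_key_profiles(credentials_text, config_text):
    """Names of the profiles whose keys sit in plain text in the credentials file."""
    profiles = load_profiles(credentials_text, config_text)
    return sorted(name for name, p in profiles.items() if classify(p) == "static-key")


def _read(path):
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    aws_dir = os.path.expanduser("~/.aws")
    cred_text = _read(os.path.join(aws_dir, "credentials"))
    conf_text = _read(os.path.join(aws_dir, "config"))
    if not cred_text and not conf_text:          # no real files: show the sample
        cred_text, conf_text = SAMPLE_CREDENTIALS, SAMPLE_CONFIG
    for name, profile in load_profiles(cred_text, conf_text).items():
        print(f"{name:<12} {classify(profile):<12} region={profile.get('region', '-')}")
    print("profiles with static keys on disk:", static_key_profiles(cred_text, conf_text))
```

Note that an assume-role profile whose source_profile is a static-key profile still depends on those keys; the audit reports the profile that actually stores them. On an EC2 instance with a role attached, the cleanest result is an empty credentials file, so the CLI takes its credentials from the instance role.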

To find the IDs of all existing EC2 instances:

aws ec2 describe-instances | grep InstanceId
                    "InstanceId": "i-0575f685101a28be4", 
                    "InstanceId": "i-0f09b4a513f4aa4dc",

To TERMINATE an instance:

aws ec2 terminate-instances --instance-ids i-0f09b4a513f4aa4dc

Creating a Role with Admin Access

Roles are created GLOBALLY and not per region (IAM is not a regional service).

  • Security, Identity & Compliance > IAM (Identity Access Management) > Roles > [AWS Service]
  • Create Role
    • Select the type of account USING the role -> EC2
    • Select the Use Case -> EC2
    • [Next: Permissions]
  • Attach permissions policy
    • Policy Type: S3
    • [x] AmazonS3FullAccess
    • [Next: Review]
  • Review
    • Role Name: S3-Admin-Access
    • Role description: (optional)
    • [Create role]

Roles can be assigned when an instance is provisioned, or attached/replaced after the instance has been created:

  • EC2 > select Instance > Actions > Instance Settings > Attach/Replace IAM Role
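Rather than grepping InstanceId out of the describe-instances output as in the earlier command, the JSON can be parsed properly, which also exposes the IamInstanceProfile field: it shows which running instances have no role attached (the Attach/Replace IAM Role step above is what sets it). The Python script below is an added example, not from the original page, serving both the instance-ID lookup and the role-attachment check; the sample describe-instances output, the account number and the instance IDs are constructed.

```python
"""Parse `aws ec2 describe-instances --output json` and report IAM role attachment."""
import json
import sys

# Constructed sample in the shape of describe-instances output (not real instances).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "State": {"Name": "running"},
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::111111111111:instance-profile/S3-Admin-Access"}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbbb", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0cccccccccccccccc", "State": {"Name": "terminated"}},
        ]},
    ]
})


def iter_instances(describe_json):
    """Yield (instance_id, state, profile_name) for every instance in every
    reservation; profile_name is None when no instance profile (role) is attached."""
    data = json.loads(describe_json)
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            arn = inst.get("IamInstanceProfile", {}).get("Arn")
            profile = arn.rsplit("/", 1)[-1] if arn else None
            yield inst["InstanceId"], inst["State"]["Name"], profile


def instance_ids(describe_json):
    """All instance IDs: what the grep pipeline produces, without the quoting."""
    return [iid for iid, _, _ in iter_instances(describe_json)]


def running_without_role(describe_json):
    """Running instances with no instance profile. The CLI on such a box cannot
    obtain role credentials, so anyone using it there will paste in user keys."""
    return [iid for iid, state, profile in iter_instances(describe_json)
            if state == "running" and profile is None]


if __name__ == "__main__":
    # Usage: aws ec2 describe-instances --output json | python3 audit_roles.py
    # With no piped input the constructed sample is used instead.
    raw = SAMPLE_DESCRIBE_INSTANCES if sys.stdin.isatty() else sys.stdin.read()
    for iid, state, profile in iter_instances(raw):
        print(f"{iid}  {state:<10}  role={profile or '-'}")
    print("running without a role:", running_without_role(raw))
```

The Arn of an instance profile ends in the profile name, which for a role created in the console matches the role name (S3-Admin-Access above), so the report reads the same way the console does.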


Using the CLI

Log into an EC2 instance that has the S3-Admin-Access role (S3 full access) attached.

Display all available buckets

aws s3 ls
2017-07-17 20:47:07 thomasandsofia
2017-08-03 23:47:36 thomasandsofia-singapore

List the contents of a bucket

aws s3 ls s3://thomasandsofia-singapore
2017-08-13 15:51:31     373117 The Hound at Ghost Town.jpg
2017-08-09 23:38:39        197 Versioning.txt
2017-08-26 22:44:29        111 hellothomas.html
2017-08-26 22:44:17        117 index.html
2017-08-13 15:53:51     223010 practicewithpearl.jpg


Rumor has it that you may not be able to access the contents of a bucket that is in a region other than the one where the EC2 instance resides. As such, you should use the --region flag followed by the region that your EC2 instance is located in.

Example:

aws s3 ls s3://thomasandsofia-singapore --region us-east-2

**I did not need to use this flag from my Ohio based EC2 instance to reach my Singapore S3 bucket!

Copy a file from the bucket

aws s3 cp s3://thomasandsofia-singapore/hellothomas.html /home/ec2-user
download: s3://thomasandsofia-singapore/hellothomas.html to ../../../home/ec2-user/hellothomas.html
ls /home/ec2-user
hellothomas.html

It doesn’t appear that the AWS SDK allows the use of the ‘*’ wildcard character, so files must be called out explicitly. I have heard you ‘can’ use them if you specify the --recursive flag, however.


Metadata

You must know this going into the exam!!

curl http://169.254.169.254/latest/meta-data/

IP Address

To get your IPv4 address, run:

curl http://169.254.169.254/latest/meta-data/public-ipv4
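The two curl calls above use IMDSv1: a plain GET that any process on the instance can make, and the same endpoint also serves the role's temporary credentials under /latest/meta-data/iam/security-credentials/. IMDSv2 requires a session token first (a PUT to /latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header), and an instance can be set to refuse tokenless requests. The Python below is an added example, not from the original page: an IMDSv2 client plus a small local mock of the metadata service so the exchange can be run offline. The mock's token value and the IP address it returns are constructed.

```python
"""IMDSv2 client for EC2 instance metadata, with a local mock so it runs offline."""
import http.server
import threading
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"          # link-local address on a real instance
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Never send link-local traffic through an environment proxy.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_token(base=IMDS_BASE, ttl_seconds=21600, timeout=2):
    """Step 1 of IMDSv2: a PUT carrying a TTL header returns a session token."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    with _OPENER.open(req, timeout=timeout) as resp:
        return resp.read().decode()


def imds_get(path, base=IMDS_BASE, timeout=2):
    """Step 2: GET a metadata path (e.g. /latest/meta-data/public-ipv4) with the token."""
    token = fetch_token(base, timeout=timeout)
    req = urllib.request.Request(base + path, headers={TOKEN_HEADER: token})
    with _OPENER.open(req, timeout=timeout) as resp:
        return resp.read().decode()


def unauthenticated_get_status(path, base=IMDS_BASE, timeout=2):
    """HTTP status of an IMDSv1-style GET (no token): 401 where tokens are required."""
    try:
        with _OPENER.open(base + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


class _MockIMDSv2(http.server.BaseHTTPRequestHandler):
    """Stand-in for the metadata service configured to require tokens.
    The token value and the metadata below are constructed for this example."""
    TOKEN = "constructed-session-token"
    DATA = {"/latest/meta-data/": "public-ipv4\n",
            "/latest/meta-data/public-ipv4": "203.0.113.10"}

    def do_PUT(self):
        if self.path == TOKEN_PATH and TTL_HEADER in self.headers:
            self._reply(200, self.TOKEN)
        else:
            self._reply(400, "")

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != self.TOKEN:
            self._reply(401, "")            # request without a valid token is refused
        elif self.path in self.DATA:
            self._reply(200, self.DATA[self.path])
        else:
            self._reply(404, "")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):           # keep the demo quiet
        pass


def start_mock_imds():
    """Serve the mock on a free localhost port; returns (base_url, server)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _MockIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


if __name__ == "__main__":
    base, server = start_mock_imds()          # use IMDS_BASE on a real instance
    print("no token   ->", unauthenticated_get_status("/latest/meta-data/public-ipv4", base))
    print("with token ->", imds_get("/latest/meta-data/public-ipv4", base))
    server.shutdown()
```

The shell equivalent of the two steps is a curl -X PUT to the token path with the TTL header, then the normal curl GET with the X-aws-ec2-metadata-token header. The mock behaves like an instance whose metadata options have been set to require tokens (aws ec2 modify-instance-metadata-options --http-tokens required); on such an instance the plain curl from the exam notes returns 401 and only the token flow works.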
