{"id":559,"date":"2017-09-20T10:08:47","date_gmt":"2017-09-20T10:08:47","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=559"},"modified":"2020-04-12T22:36:28","modified_gmt":"2020-04-12T22:36:28","slug":"iam-cli-users-and-roles","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=559","title":{"rendered":"IAM CLI &#8211; Users and Roles (40, 41)"},"content":{"rendered":"<p><a href=\"#uaa\">Create a User with AdministratorAccess<\/a><br \/>\n<a href=\"#raa\">Create a Role with AdministratorAccess<\/a><\/p>\n<p><a name=\"uaa\"><\/a><\/p>\n<h2>Creating a User with AdministratorAccess<\/h2>\n<div class=\"warning\">This method is not recommended because it poses a security risk! It is recommended to use Roles instead.<\/div>\n<p>&nbsp;<\/p>\n<ul>\n<li>The CLI (AWS command line interface) is pre-installed by default on the AWS Linux AMI<\/li>\n<\/ul>\n<p>Create a user<\/p>\n<ul>\n<li>Security, Identity &amp; Compliance &gt; IAM (Identity and Access Management) &gt; Users &gt; [Add user]<\/li>\n<li>Set user details\n<ul>\n<li>User name = myHelloUser<\/li>\n<\/ul>\n<\/li>\n<li>Select AWS Access type\n<ul>\n<li>[x] Programmatic<\/li>\n<li>[ ] AWS Management Console access<\/li>\n<li>[Next: Permissions]<\/li>\n<\/ul>\n<\/li>\n<li>Set permissions for myHelloUser\n<ul>\n<li>Add existing policies directly &gt;<\/li>\n<li>[x] AdministratorAccess<\/li>\n<li>[Next: Review]<\/li>\n<\/ul>\n<\/li>\n<li>Review\n<ul>\n<li>[Create user]<\/li>\n<\/ul>\n<\/li>\n<li>Download the CSV file for the access credentials!<\/li>\n<\/ul>\n<p>Using the CLI<\/p>\n<pre>aws s3 ls\r\nUnable to locate credentials. 
You can configure credentials by running \"aws configure\".<\/pre>\n<p>Get the values from the .csv file (or copy them from the screen shown when you created the user)<\/p>\n<pre>aws configure\r\nAWS Access Key ID [None]: AK..Q2\r\nAWS Secret Access Key [None]: Cx....qc\r\nDefault region name [None]: us-east-2\r\nDefault output format [None]:<\/pre>\n<pre>aws s3 ls\r\n2017-08-09 23:37:03 thomasandsofia\r\n2017-08-16 22:18:23 thomasandsofia-singapore<\/pre>\n<pre>cat ~\/.aws\/config\r\n[default]\r\nregion = us-east-2<\/pre>\n<pre>cat ~\/.aws\/credentials\r\n[default]\r\naws_access_key_id = AK..Q2\r\naws_secret_access_key = Cx....qc<\/pre>\n<p>To find all of the existing EC2 Instance Ids:<\/p>\n<pre>aws ec2 describe-instances | grep InstanceId\r\n                    \"InstanceId\": \"i-0575f685101a28be4\", \r\n                    \"InstanceId\": \"i-0f09b4a513f4aa4dc\",<\/pre>\n<p>To TERMINATE an instance:<\/p>\n<pre>aws ec2 terminate-instances --instance-ids i-0f09b4a513f4aa4dc<\/pre>\n<p><a name=\"raa\"><\/a><\/p>\n<h2>Creating a Role with Admin Access<\/h2>\n<p>Roles are created GLOBALLY and not by region.<\/p>\n<ul>\n<li>Security, Identity &amp; Compliance &gt; IAM (Identity and Access Management) &gt; Roles &gt; [AWS Service]<\/li>\n<li>Create Role\n<ul>\n<li>Select the type of account USING the role -&gt; EC2<\/li>\n<li>Select the Use Case -&gt; EC2<\/li>\n<li>[Next: Permissions]<\/li>\n<\/ul>\n<\/li>\n<li>Attach permissions policy\n<ul>\n<li>Policy Type: S3<\/li>\n<li>[x] AmazonS3FullAccess<\/li>\n<li>[Next: Review]<\/li>\n<\/ul>\n<\/li>\n<li>Review\n<ul>\n<li>Role Name: S3-Admin-Access<\/li>\n<li>Role description: (optional)<\/li>\n<li>[Create role]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Roles can be assigned at provisioning time or edited after the service has been created<\/p>\n<ul>\n<li>EC2 &gt; select Instance &gt; Actions &gt; Instance Settings &gt; Attach\/Replace IAM Role<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Using the CLI<\/h2>\n<p>Log into an EC2 Instance with an S3 
Administrator Access role applied.<\/p>\n<p>Display all available buckets<\/p>\n<pre>aws s3 ls\r\n2017-07-17 20:47:07 thomasandsofia\r\n2017-08-03 23:47:36 thomasandsofia-singapore\r\n<\/pre>\n<p>List the contents of a bucket<\/p>\n<pre>aws s3 ls s3:\/\/thomasandsofia-singapore\r\n2017-08-13 15:51:31     373117 The Hound at Ghost Town.jpg\r\n2017-08-09 23:38:39        197 Versioning.txt\r\n2017-08-26 22:44:29        111 hellothomas.html\r\n2017-08-26 22:44:17        117 index.html\r\n2017-08-13 15:53:51     223010 practicewithpearl.jpg\r\n<\/pre>\n<p>&nbsp;<\/p>\n<div class=\"warning\">\n<p>Rumor has it you may not be able to access the contents of a bucket that is in a region other than where the EC2 instance resides. As such, you should use the &#8216;--region&#8217; flag followed by the region that your EC2 instance is located in.<\/p>\n<p>Example:<\/p>\n<pre>aws s3 ls s3:\/\/thomasandsofia-singapore --region us-east-2<\/pre>\n<p>**I did not need to use this flag from my Ohio-based EC2 instance to reach my Singapore S3 bucket!<\/p>\n<\/div>\n<p>Copy a file from the bucket<\/p>\n<pre>aws s3 cp s3:\/\/thomasandsofia-singapore\/hellothomas.html \/home\/ec2-user\r\ndownload: s3:\/\/thomasandsofia-singapore\/hellothomas.html to ..\/..\/..\/home\/ec2-user\/hellothomas.html\r\n<\/pre>\n<pre>ls \/home\/ec2-user\r\nhellothomas.html\r\n<\/pre>\n<div class=\"warning\">It doesn&#8217;t appear that the AWS SDK allows the use of the &#8216;*&#8217; wild card character, so files must be called out explicitly. 
I have heard you &#8216;can&#8217; use them if you specify the &#8216;--recursive&#8217; flag, however.<\/div>\n<p>&nbsp;<\/p>\n<h3>Metadata<\/h3>\n<div class=\"notice\">You must know this going into the exam!!<\/div>\n<pre>curl http:\/\/169.254.169.254\/latest\/meta-data\/<\/pre>\n<h4>IP Address<\/h4>\n<p>To get your IPv4 address, run:<\/p>\n<pre>curl http:\/\/169.254.169.254\/latest\/meta-data\/public-ipv4<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Create a User with AdministratorAccess Create a Role with AdministratorAccess Creating a User with AdministratorAccess This method is not recommended because it poses a security risk! It is recommended to use Roles instead. &nbsp; The CLI (AWS command line interface) is pre-installed by default on the AWS Linux AMI Create a user Security, Identity &amp; Compliance &gt; ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=559\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[],"class_list":["post-559","post","type-post","status-publish","format-standard","hentry","category-amazon-web-services-aws"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/559","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=559"}],"version-history":[{"count":13,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/559\
/revisions"}],"predecessor-version":[{"id":2652,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/559\/revisions\/2652"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=559"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}