AWS Identity and Access Management

Part 1 of 3

IAM Overview

In 2011, Amazon announced the availability of AWS Identity & Access Management (IAM) support for CloudFront. IAM was launched in 2010 and included S3 support. AWS Identity & Access Management (IAM) enables you to have multiple users within an AWS account. If you have used Amazon Web Services (AWS), you know that until now the only way to let someone manage content in AWS was to hand out your user name and password or your access keys.

This is a real security concern for most of us. IAM eliminates the need to share passwords and access keys.

Constantly changing our main AWS password or generating new keys whenever a staff member left the team was a messy solution. AWS Identity & Access Management (IAM) was a good start, allowing individual user accounts with individual keys. However, we are an S3/CloudFront user, so we had been waiting for CloudFront to be added to IAM, which has finally happened.

I found the documentation on this service to be a bit scattered. There are a few 3rd party products that offer a range of support for Identity & Access Management (IAM), but developers are usually thrifty, so I sought a free solution for managing IAM with our Amazon S3 service.

This article walks through the process of setting up the Command Line Interface that supports IAM and setting up a group/user with S3 access. You need to have an Amazon AWS S3 account setup before you begin configuring Identity & Access Management (IAM).

My article, Using the Amazon Simple Storage Service (S3), will walk you through the process of setting up an AWS S3 account.

Here are the steps involved in setting up and implementing a user in IAM. This is written for Windows but you can tweak for use in Linux, UNIX and/or Mac OSX.

  1. Install and configure the Command Line Interface (CLI)
  2. Create a Group
  3. Give Group Access to S3 Bucket and CloudFront
  4. Create User and Add to Group
  5. Create Login Profile and Create Keys
  6. Test Access

Install and configure the Command Line Interface (CLI)

The IAM Command Line Toolkit is a Java program available in Amazon's AWS Developer Tools. The tool allows you to execute IAM API commands from a shell utility (the Command Prompt on Windows).

  • You need to be running Java 1.6 or higher. You can download the latest version from Java.com. To see which version is installed on your Windows system, open the Command Prompt and type in java -version. This assumes that java.exe is in your PATH.
  • Download the IAM CLI toolkit and unzip somewhere on your local drive.
  • There are 2 files in the root of the CLI toolkit that you need to update.
    • aws-credential.template: This file holds your AWS credentials. Add your AWSAccessKeyId and your AWSSecretKey, save and close the file.
    • client-config.template: You only need to update this file if you require a proxy server. Remove the # signs and update ClientProxyHost, ClientProxyPort, ClientProxyUsername and ClientProxyPassword. Save and close the file.
  • The next step involves adding Environment Variables. Go to Control Panel | System Properties | Advanced system settings | Environment Variables. Add the following variables:
    • AWS_IAM_HOME: Set this variable to the directory where you unzipped the CLI toolkit. If you are running Windows and unzipped it at the root of your C drive, the variable would be C:\IAMCli-1.2.0.
    • JAVA_HOME: Set this variable to the directory where Java is installed. This would be the location of the java.exe file. In a normal Windows 7 Java installation, this would be something like C:\Program Files (x86)\Java\jre6.
    • AWS_CREDENTIAL_FILE: Set this variable to the path and file name of the aws-credential.template that you updated above. If you are running Windows and unzipped it at the root of your C drive, the variable would be C:\IAMCli-1.2.0\aws-credential.template.
    • CLIENT_CONFIG_FILE: You only need to add this environment variable if you require a proxy server. If you are running Windows and unzipped it at the root of your C drive, the variable would be C:\IAMCli-1.2.0\client-config.template. Don't add this variable unless you need it.
  • Test the installation by going to the Command Prompt and entering iam-userlistbypath. As long as you don't receive an error, you should be good to go.

All of the IAM commands can be run from the Command Prompt. All of the commands begin with "iam-".

Create a Group

There is a maximum of 100 groups that can be created for each AWS account. While you can set permissions in IAM at the user level, using groups would be the best practice. Here is the process for creating a group in IAM.

  • The syntax for creating a group is iam-groupcreate -g GROUPNAME [-p PATH] [-v] where the -p and -v are options. Full documentation on the Command Line Interface is available on AWS Docs.
  • If you wanted to create a group called "awesomeusers", you would enter, iam-groupcreate -g awesomeusers at the Command Prompt.
  • You can check that the group was created correctly by entering iam-grouplistbypath at the Command Prompt. If you had only created this group, the output would be something like "arn:aws:iam::123456789012:group/awesomeusers", where the number is your AWS account number.

Give Group Access to S3 Bucket and CloudFront

Policies control what your group is able to do in S3 or CloudFront. By default, your group wouldn't have access to anything in AWS. I found the documentation on policies to be OK, but in creating a handful of policies I did a bit of trial and error to get things working the way I wanted them to work.

You have a couple of options for creating policies.

One option is to enter the policy directly at the Command Prompt. Since you might be creating a policy and tweaking it, for me it seemed easier to put the policy in a text file and then upload that file as a parameter of the command iam-groupuploadpolicy. Here is the process using a text file and uploading it to IAM.

  • Use something like Notepad and enter the following text and save the file:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::BUCKETNAME",
            "arn:aws:s3:::BUCKETNAME/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": ["cloudfront:*"],
          "Resource": "*"
        }
      ]
    }
     
  • There are 3 parts to each statement in this policy. The Effect is used to Allow or Deny some type of access. The Action lists the specific things the group can do. The Resource is used to scope the access to individual buckets.
  • You can limit the Actions individually. In this example, "Action":["s3:GetObject","s3:ListBucket","s3:GetObjectVersion"], the group would be able to list the contents of a bucket and download objects.
  • The first section "Allows" the group to perform all S3 actions for the bucket "BUCKETNAME".
  • The second section "Allows" the group to list all the buckets in S3. You need this so you can actually see the list of buckets if you use something like the AWS Console.
  • The third section gives the group full access to CloudFront.
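To make the Effect/Action/Resource rules concrete, here is an added example in Python (not code from this article or from Amazon's toolkit) that evaluates requests against the policy above the way IAM does for these simple cases: access is denied unless a statement allows it, an Allow must match both the Action and the Resource, and an explicit Deny beats any Allow. It also builds the read-only variant from the Action list mentioned above and flags statements that pair a wildcard Action with Resource "*", which is the first thing a reviewer looks for. The bucket name example-bucket and the NO_DELETE_POLICY are constructed for the demonstration.

```python
"""Minimal IAM-style policy evaluator (added example; not the IAM CLI toolkit's code).

It models three rules a reviewer relies on when reading a group policy:
access is denied unless some statement allows it, an Allow must match both the
Action and the Resource, and an explicit Deny beats any Allow. The bucket name
"example-bucket" is a constructed stand-in for BUCKETNAME.
"""
import fnmatch
import json

# The group policy from the article, with BUCKETNAME replaced by a constructed name.
GROUP_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["cloudfront:*"], "Resource": "*"}
  ]
}
""")

# Read-only variant using the narrower Action list the article mentions.
READ_ONLY_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetObjectVersion"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    ]
}

# A constructed explicit Deny, attached alongside GROUP_POLICY to show that Deny wins.
NO_DELETE_POLICY = {
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}
    ]
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names match case-insensitively; '*' and '?' act as wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """Resource ARNs match case-sensitively, with the same wildcards."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(action, resource, *policies):
    """Evaluate one request against every statement of every attached policy."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_action_matches(stmt["Action"], action)
                    and _resource_matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False          # an explicit Deny overrides any Allow
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed                    # nothing matched: default deny


def broad_statements(policy):
    """Indexes of Allow statements that pair a wildcard Action with Resource "*"."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        wildcard_action = any(p.endswith("*") for p in _as_list(stmt["Action"]))
        any_resource = "*" in _as_list(stmt["Resource"])
        if stmt["Effect"] == "Allow" and wildcard_action and any_resource:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("cloudfront:CreateDistribution", "*"),
        ("iam:CreateUser", "*"),
    ]
    for action, resource in requests:
        print(f"{action:30} {resource:42} "
              f"group={is_allowed(action, resource, GROUP_POLICY)!s:5} "
              f"read-only={is_allowed(action, resource, READ_ONLY_POLICY)!s:5} "
              f"group+no-delete={is_allowed(action, resource, GROUP_POLICY, NO_DELETE_POLICY)}")
    print("statements worth a second look in GROUP_POLICY:", broad_statements(GROUP_POLICY))
```

Running the script prints one row per request; the third statement of the group policy is the one broad_statements() reports, because "cloudfront:*" on Resource "*" is full CloudFront access, exactly as the article says, and that is the statement to narrow if the group only needs to work with particular distributions.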

There are lots of options when it comes to IAM policies. Amazon has a really cool tool available called the AWS Policy Generator. This tool provides a GUI where you can create your policies and generate the actual code you need to implement the policy. You can also check out the Access Policy Language section of the Using AWS Identity and Access Management online documentation.

Create User and Add to Group

Creating a new user and adding them to a group to give them access involves a couple of steps.

  • The syntax for creating a user is iam-usercreate -u USERNAME [-p PATH] [-g GROUPS ...] [-k] [-v] where the -p, -g, -k and -v are options. Full documentation on the Command Line Interface is available on AWS Docs.
  • If you wanted to create a user "bob", you would enter, iam-usercreate -u bob -g awesomeusers at the Command Prompt.
  • You can check that the user was created correctly by entering iam-grouplistusers -g awesomeusers at the Command Prompt. If you had only created this user, the output would be something like "arn:aws:iam::123456789012:user/bob", where the number is your AWS account number.

Create Login Profile and Create Keys

At this point, you have created a user, but you still need to give them a way to actually add and remove objects in S3.

There are 2 options available to provide your users with access to S3 using IAM. You can create a Login Profile and provide your users with a password. They can use their credentials to log into the Amazon AWS Console. The other option is to give your users an access key and a secret key. They can use these keys in 3rd party tools like S3 Fox, CloudBerry S3 Explorer or S3 Browser.

Create Login Profile

Creating a Login Profile for your S3 users provides them with a user name and password that they can use to log in to the Amazon AWS Console.

  • The syntax for creating a login profile is iam-useraddloginprofile -u USERNAME -p PASSWORD. Full documentation on the Command Line Interface is available on AWS Docs.
  • If you wanted to create a login profile for the user "bob", you would enter, iam-useraddloginprofile -u bob -p PASSWORD at the Command Prompt.
  • You can check that the login profile was created correctly by entering iam-usergetloginprofile -u bob at the Command Prompt. If you had created a login profile for bob, the output would be something like "Login Profile exists for user bob".

Create Keys

Creating an AWS Secret Access Key and corresponding AWS Access Key ID will allow your users to use 3rd party software like the tools previously mentioned. Keep in mind that, as a security measure, you can only get these keys at the time you add them to the user profile. Make sure you copy the output from the Command Prompt and save it in a text file. You can send the file to your user.

  • The syntax for adding keys for a user is iam-useraddkey [-u USERNAME]. Full documentation on the Command Line Interface is available on AWS Docs.
  • If you wanted to create keys for the user "bob", you would enter iam-useraddkey -u bob at the Command Prompt.
  • The command will output the keys which would look something like this:
    AKIACOOB5BQVEXAMPLE
    BvQW1IpqVzRdbwPUirD3pK6L8ngoX4PTEXAMPLE

    The first line is the Access Key ID and the second line is the Secret Access Key. You need both for 3rd party software.

Test Access

Now that you have created IAM groups/users and given the groups access using policies, you need to test the access.

Console Access

Your users can use their user name and password to log in to the AWS Console. However, this is not the regular console login page which is used for the main AWS account.

There is a special URL that you can use which will provide a login form for your Amazon AWS account only. Here is the URL for your IAM users to log in to S3.

https://AWS-ACCOUNT-NUMBER.signin.aws.amazon.com/console/s3

The AWS-ACCOUNT-NUMBER is your regular AWS account number. You can get this by logging into the Amazon Web Services Sign In form. Log in and click on Account | Account Activity. Your account number is in the upper right corner. Make sure you remove the dashes. The URL would look something like https://123456789012.signin.aws.amazon.com/console/s3.
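The two-line key output described under Create Keys and the account-specific sign-in URL above are both things that get transcribed by hand, which is where mistakes creep in. Here is an added example in Python (not code from this article or from Amazon's toolkit) that parses the iam-useraddkey output, writes it into a credential file in the AWSAccessKeyId/AWSSecretKey layout that aws-credential.template uses (assumed here from the description of that file earlier in the article), with the file readable by its owner only, and builds the sign-in URL after stripping the dashes from the account number. The sample key values are the placeholder credentials used in AWS documentation, and the account number is constructed.

```python
"""Helpers for the hand-off after iam-useraddkey (added example, not part of the IAM CLI toolkit).

parse_useraddkey_output() reads the two-line output the article shows,
write_credential_file() stores it in the AWSAccessKeyId/AWSSecretKey layout the
toolkit's aws-credential.template uses (an assumption based on the article's
description of that file), and signin_url() builds the account-specific console URL.
"""
import os
import re
import tempfile

# Constructed sample of the two lines iam-useraddkey prints. The values are the
# placeholder credentials from AWS documentation, not live keys.
SAMPLE_OUTPUT = """AKIAIOSFODNN7EXAMPLE
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

ACCESS_KEY_ID_RE = re.compile(r"^AKIA[A-Z0-9]{16}$")   # 20 uppercase alphanumerics
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")      # 40 base64-style characters


def parse_useraddkey_output(text):
    """Return (access_key_id, secret_access_key) or raise ValueError."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError(f"expected 2 non-blank lines, got {len(lines)}")
    access_key_id, secret = lines
    if not ACCESS_KEY_ID_RE.match(access_key_id):
        raise ValueError("first line does not look like an Access Key ID")
    if not SECRET_KEY_RE.match(secret):
        raise ValueError("second line does not look like a Secret Access Key")
    return access_key_id, secret


def write_credential_file(path, access_key_id, secret):
    """Write the credential file so that only its owner can read it (mode 0600)."""
    content = f"AWSAccessKeyId={access_key_id}\nAWSSecretKey={secret}\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def read_credential_file(path):
    """Parse a KEY=VALUE credential file back into a dict (comments ignored)."""
    creds = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                creds[key.strip()] = value.strip()
    return creds


def signin_url(account_number, service="s3"):
    """Build https://<12 digits>.signin.aws.amazon.com/console/<service>."""
    digits = re.sub(r"[\s-]", "", account_number)
    if not re.fullmatch(r"\d{12}", digits):
        raise ValueError("account number must be 12 digits once dashes are removed")
    return f"https://{digits}.signin.aws.amazon.com/console/{service}"


def demo():
    """Round-trip the sample output through a temporary credential file."""
    access_key_id, secret = parse_useraddkey_output(SAMPLE_OUTPUT)
    with tempfile.TemporaryDirectory() as tmp:
        path = write_credential_file(os.path.join(tmp, "bob-credentials"),
                                     access_key_id, secret)
        mode = os.stat(path).st_mode & 0o777
        creds = read_credential_file(path)
    return creds, mode


if __name__ == "__main__":
    creds, mode = demo()
    print(f"credential file mode: {mode:o}")
    print(creds)
    print(signin_url("1234-5678-9012"))   # constructed account number
```

The file is created through os.open with an explicit 0600 mode rather than written first and chmod'ed afterwards, so there is no window in which the secret key sits in a world-readable file; the same file can then be pointed to by AWS_CREDENTIAL_FILE on the user's own machine.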

Using Access Keys

You can download and install any of the 3rd party tools already mentioned in this article. Enter your Access Key ID and the Secret Access Key per the 3rd party tool documentation.

I strongly recommend that you create an initial user and have that user fully test that they can do everything they need to do in S3. After you verify one of your users, you can proceed with setting up all of your S3 users.

Resources

Here are a few resources to give you a better understanding of Identity & Access Management (IAM).
