Saturday, 17 May 2014

How to create an IAM group and users for Amazon Web Services - AWS Developers

This is another in a series of videos that I am producing for my YouTube channel HowDoYouDoStuff.

In this video, I am going to show you how to create an IAM group and users for Amazon Web Services - AWS Developers.

You can read the transcript below.



Hi guys. I'm Phil Stirpe.

In this video, I am going to show you how to create an IAM group and users for Amazon Web Services - AWS Developers.

Now I have shown how to create an IAM user before in an earlier demo, but I want to focus on creating a user for development purposes.

Because there are a couple of things we need to bear in mind.

And it is IAM users we want to be using rather than the root account.

The last thing we should be doing is using the root account for any kind of development, given the trail you’re going to leave behind.

Let me connect to the IAM service in the AWS console.

As you can see I’ve already got a number of groups and users.

If you imagine we had a group of developers who are about to start work on an application, we’d be adding them in here.

But the last thing we want to be doing is assigning them individual privileges and that’s why we have groups.

So I’m going to start with a group. I’m going to create a group called Developers.

As I’ve already suggested, you don’t want to be giving permissions to individual users because that is simply not going to scale.

As new users arrive you’d have to assign them permissions too.

So it makes sense to assign the privileges to a group and then place users into that group as required.

Another important consideration is that you apply the principle of least privilege.

Now when this dialog pops up, it’s expecting me to specify the permissions for my new group.

The developers don’t need full administrative access to the entire AWS cloud. In fact the team I have in mind will just require read and write access to S3. In particular one bucket.

So rather than select one of these set pieces which will grant a wide range of privileges, I’m going to select policy generator.

I can select the desired service, in this case S3. As for actions, I’m going to allow all actions.

Now rather than granting all access to S3 to my group, I just want to restrict it to one specific bucket.

Let me paste in an ARN that I have here for a bucket called qa-cookbooks.

In the ARN I have not needed to mention the region which is optional because bucket names are globally unique.

Nor have I had to mention the account number associated with my root account. This is also because bucket names are globally unique.

If I click Add Statement now and then continue, we can see the resulting policy document that is being granted to the group called Developers.

So I’ll go ahead and create the group. There we have it.
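The following is an added example, not part of the video or of the policy generator's own output: it builds a policy of the kind described above (all S3 actions, restricted to qa-cookbooks) and checks sample requests against it offline. It assumes the bucket ARN has the form `arn:aws:s3:::qa-cookbooks`; the object pattern `/*`, the evaluator and the sample requests are constructed for illustration. It shows that a bucket ARN alone covers bucket-level actions such as listing, while reading and writing objects needs the object ARN pattern as well.

```python
import json
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::qa-cookbooks"  # assumed form: no region, no account ID

def build_policy(include_objects):
    """Allow every S3 action, but only on the one bucket (and optionally its objects)."""
    resources = [BUCKET_ARN]
    if include_objects:
        resources.append(BUCKET_ARN + "/*")  # object-level ARN pattern
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": resources}],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified evaluator: Action/Resource wildcards only, explicit Deny wins.
    Conditions, NotAction, NotResource and policy variables are not modelled."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed sample requests (object key, second bucket and account ID are made up).
REQUESTS = [
    ("s3:ListBucket", BUCKET_ARN),
    ("s3:PutObject", BUCKET_ARN + "/recipes/default.rb"),
    ("s3:GetObject", "arn:aws:s3:::qa-cookbooks-archive/recipes/default.rb"),
    ("iam:CreateUser", "arn:aws:iam::111122223333:user/Frank"),
]

def evaluate(include_objects):
    policy = build_policy(include_objects)
    return [is_allowed(policy, action, arn) for action, arn in REQUESTS]

if __name__ == "__main__":
    print(json.dumps(build_policy(True), indent=2))
    for flag in (False, True):
        print("objects included:", flag, evaluate(flag))
```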

I now have a group that has just the privileges that it needs and so now I can create some users.

In fact for this demo I’m just going to create one user.

So I’m going to create a user and call that user Frank.

Another important thing here is that we generate an access key for this user. This check box is selected by default, and we do need it selected.

We wouldn’t need access keys for users who come in via the AWS console, but for developers we do because they quite often need to use these keys in the scripts that they write.

So I have made sure that box is checked and I click the Create button.

Now what we need to focus on here is the text in bold. This is the last time that we will be able to download these credentials.

There are actually 2 keys. The access key and secret key. I’ll click here to reveal them.

In future we will be able to view the access key in the AWS console but this is the last time that we’ll be able to access the secret key.

We need to download these credentials now.

So I’ll click the Download Credentials button and go ahead and open the downloaded file.

You can see the username here and also the associated access key and secret key.

Developers will need these credentials in order to write scripts or indeed to configure Visual Studio or Eclipse to use the AWS Toolkit which will allow them to connect to Amazon Web Services on their behalf.

So now that I’ve downloaded the credentials file, I can close the Create User window.

There you have it.

In this video, I have shown you how easy it is to create an IAM group and users for Amazon Web Services - AWS Developers.

In later videos I’ll show you how to use access keys and secret keys within Visual Studio and Eclipse to configure the AWS Toolkit to help perform development tasks.

Thanks for watching and please feel free to comment on my blog and Facebook page. Perhaps you could suggest more video topics? Most of all, don't forget to subscribe to keep up with my videos as I release them.

Bye for now.


See you soon

Phil Stirpé
"I don't do average!"
