Learn to use AWS IAM in command line
Israel-Lopes
Posted on May 10, 2023
If you landed here without having configured LocalStack to simulate an AWS environment, follow this post first: Simulating AWS CLI with LocalStack
What is IAM?
IAM (Identity and Access Management) is an AWS service that allows you to securely manage access to AWS resources and services. It provides granular control over permissions and access policies for users, groups, roles, and services within your AWS account.
IAM lets you create and manage identities (users, groups, and roles) and assign permissions to those identities. Some of its main features include:
- User Management: You can create IAM users and give them login credentials. Each user has its own set of credentials to authenticate to the AWS account.
- Groups: You can organize users into logical groups and assign permissions at the group level. This simplifies permission administration: add or remove a user from a group and the group's permissions apply automatically.
- IAM Roles: Roles grant temporary permissions to AWS services and applications. This is useful when you want a service to access other resources in your account on your behalf, without sharing long-lived access credentials.
- IAM Policies: Policies are JSON documents that define permissions for users, groups, and roles. You can write custom policies to meet specific access requirements and assign them to identities.
- Integration with Other Services: IAM integrates with many AWS services, letting you control access to specific features in those services. For example, you can define policies controlling access to S3 buckets, EC2 instances, SQS queues, and many others.
Creating user in IAM
Now let's create our first user in IAM with the command below:
aws iam create-user --user-name <username>
We can now list our users: aws iam list-users
After the user has been created, we can grant it access by attaching a policy. Here's an example:
aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/MyPolicy
Replace <username> with the username you created and arn:aws:iam::aws:policy/MyPolicy with the ARN (Amazon Resource Name) of the policy you want to attach.
Below is a list of commonly used AWS managed policies:
- AmazonS3FullAccess: Grants full access to Amazon S3 storage services.
- AmazonEC2FullAccess: Grants full access to Amazon EC2 (Elastic Compute Cloud) services.
- AmazonDynamoDBFullAccess: Grants full access to Amazon DynamoDB services.
- AmazonRDSFullAccess: Grants full access to Amazon RDS (Relational Database Service) services.
- AmazonSQSFullAccess: Grants full access to Amazon SQS (Simple Queue Service) services.
- AmazonSNSFullAccess: Grants full access to Amazon SNS (Simple Notification Service) services.
- AWSLambda_FullAccess: Grants full access to AWS Lambda services (the older AWSLambdaFullAccess policy is deprecated).
- ReadOnlyAccess: Grants read-only access to a wide range of AWS services.
Keep in mind that every "FullAccess" policy above allows every action of that service on every resource in the account. That is convenient in a LocalStack sandbox, but on a real account prefer a customer-managed policy scoped to the actions and resources the user actually needs (least privilege): if the access keys of a user holding AmazonS3FullAccess leak, the attacker gets the whole of S3, not just one bucket.
If you want to see more policies, follow the link: policies
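As an added example (not code from the original post), the script below builds the kind of scoped customer-managed policy document suggested above instead of attaching AmazonDynamoDBFullAccess, flags statements that use wildcards, and prints the aws iam create-policy and attach-user-policy commands that would put it on the user. The user Luis, the table Orders, the policy name LuisOrdersReadWrite and the account id 000000000000 (LocalStack's default) are assumptions; the "full access" document inside is a constructed illustration of the shape, not the text of the real managed policy.

```python
"""Least-privilege IAM policy document versus a FullAccess-style grant.

Added example for this post, not from the original author. Names used here
(user Luis, table Orders, policy LuisOrdersReadWrite, account 000000000000)
are assumptions for illustration.
"""
import json

# Constructed approximation of what a "<Service>FullAccess" managed policy
# grants: every action of the service on every resource. This is NOT the
# real text of AmazonDynamoDBFullAccess, only the shape of such a grant.
FULL_ACCESS_LIKE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}
    ],
}


def scoped_dynamodb_policy(table_arn, actions):
    """Return a policy document allowing only `actions` on one table and its indexes."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TableAccess",
                "Effect": "Allow",
                "Action": sorted(actions),
                "Resource": [table_arn, f"{table_arn}/index/*"],
            }
        ],
    }


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def broad_grants(policy):
    """Return (statement label, reason) pairs for Allow statements using wildcards.

    An action containing '*' (e.g. "dynamodb:*") or a bare '*' resource means
    the statement grants more than specific operations on specific resources.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((label, f"wildcard action {action}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((label, "wildcard resource *"))
    return findings


def cli_commands(policy_name, user_name, account_id="000000000000"):
    """The `aws iam` commands that create the policy file and attach it to the user.

    account_id defaults to LocalStack's default account (assumption); on a real
    account use your own id, or read PolicyArn from the create-policy output.
    """
    policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
    return [
        f"aws iam create-policy --policy-name {policy_name} "
        f"--policy-document file://{policy_name}.json",
        f"aws iam attach-user-policy --user-name {user_name} --policy-arn {policy_arn}",
    ]


if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:000000000000:table/Orders"
    policy = scoped_dynamodb_policy(
        table, ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"]
    )
    # Write the document so the printed create-policy command can consume it.
    with open("LuisOrdersReadWrite.json", "w") as f:
        json.dump(policy, f, indent=2)
    print("broad grants in FullAccess-like policy:", broad_grants(FULL_ACCESS_LIKE))
    print("broad grants in scoped policy:", broad_grants(policy))
    print("\n".join(cli_commands("LuisOrdersReadWrite", "Luis")))
```

Running it writes LuisOrdersReadWrite.json and prints the two commands to run next; the scoped document yields no findings, while the FullAccess-style document is flagged on both its action and its resource. The same broad_grants check can be pointed at any policy document you pull with aws iam get-policy-version before attaching it.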
Continuing: I want to give the user Luis (created as above with --user-name Luis) access to DynamoDB, so:
aws iam attach-user-policy --user-name Luis --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
Now let's list the policies attached to our user Luis:
aws iam list-attached-user-policies --user-name Luis
It returns the following:
{
"AttachedPolicies": [
{
"PolicyName": "AmazonDynamoDBFullAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
}
]
}
I want to remove the access I gave the user. How do you do that? Just follow the example; let's remove the access we just gave Luis:
aws iam detach-user-policy --user-name Luis --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
Listing the user's attached policies again should return:
{
"AttachedPolicies": []
}
This way we detached AmazonDynamoDBFullAccess from the user Luis.
Let's move on.
Now let's delete the user Luis:
aws iam delete-user --user-name Luis
Note that delete-user only succeeds once nothing is left attached to the user: if you skip the detach step above, or the user still has access keys, a login profile, an MFA device, or group memberships, the call fails with a DeleteConflict error and you have to remove those first.
Wrapping up
We learned how to create users, attach and detach access policies, and delete users.
IAM offers much more than this, but I've only presented the basics.