IAM - Basic CLI 🍨
Create IAM identities and experiment.
🍨 Create IAM user.
aws iam create-user --user-name
Path comes in handy when using variables; will get to that too.
Command Reference
$ aws iam create-user --user-name user1 --path /developer/ --profile ashwiniag
{
"User": {
"Path": "/developer/",
"UserName": "user1",
"UserId": "XXXXXXXXXXXXXXXXXXXX",
"Arn": "arn:aws:iam::2630:user/developer/user1",
"CreateDate": "2019-11-24T02:57:19Z"
}
}
🍨 Groups:
aws iam create-group --path </give-path/> --group-name
Command Reference
$ aws iam create-group --group-name group1 --path /production/ --profile ashwiniag
{
"Group": {
"Path": "/production/",
"GroupName": "group1",
"GroupId": "XXXXXXXXXXXXXXXXXXXXXXX",
"Arn": "arn:aws:iam::2630:group/production/group1",
"CreateDate": "2019-11-24T03:02:19Z"
}
}
🍨 Managed policy:
attach-user-policy: attaches an existing managed policy to the user.
Command Reference
aws iam attach-user-policy --user-name user1 --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --profile ashwiniag
{
"AttachedPolicies": [
{
"PolicyName": "AdministratorAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
}
]
}
🍨 Inline Policy:
How to decide when to use inline policy?
I always have this question in my mind. Well, I have heard it's a bad idea to use inline policies because if it gets deleted it's gone! Not like other managed policies where we can detach and attach it back. Imagine if it happens in production and you don't know what permission was set in it? pretty shit!
But I use inline policies because I don't want it to get listed under the policies section to avoid accidental overwrites. Also my policies aren't the same for all resources and that's why there's no business of attaching and detaching on my resources. So no point in keeping it in managed lists.
I am gonna write more on this topic when I get satisfactory explanation and understanding.
put-user-policy: creates the inline policy and embeds it in the user in one step.
aws iam put-user-policy --user-name
aws iam put-user-policy --user-name user1 --policy-name InlinePolicy --policy-document file://policy.json --profile ashwiniag
where my policy has:
policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
That's a bad idea, allowing all permissions on all resources. :|
🍨 Role:
A role is like sudo. To use a role and its permissions, the role itself must say which IAM entity or service is allowed to use it, i.e. we need to define the trust relationship: a trust policy that allows sts:AssumeRole for that principal.
I want to create a role for CodeBuild.
Create the role with a trust relationship for CodeBuild, then as usual attach the desired policy to the role.
aws iam create-role --role-name
content for trust relation policy: policy2.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"codebuild.amazonaws.com"
]
}
}
]
}
aws iam create-role --role-name codebuildROle --path /service-role/ --assume-role-policy-document file://policy2.json --profile ashwiniag
{
"Role": {
"Path": "/service-role/",
"RoleName": "codebuildROle",
"RoleId": "AROAT2QIZSE5GAGVM6DGY",
"Arn": "arn:aws:iam::2630:role/service-role/codebuildROle",
"CreateDate": "2019-11-24T03:50:30Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"codebuild.amazonaws.com"
]
}
}
]
}
}
}
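A quick check worth running on policy documents before handing them to put-user-policy or create-role: flag Allow statements that grant "*" actions or resources (the policy.json above) and trust statements whose Principal is "*". This is an added example, not code from the original post; both sample documents are constructed inline from the page's policy.json and policy2.json.

```python
import json

# Constructed sample: the page's policy.json, full access to everything.
FULL_ACCESS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: the CodeBuild trust policy (policy2.json) from the page.
CODEBUILD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"Service": ["codebuild.amazonaws.com"]},
    }],
})


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy_json):
    """Return (statement index, field, value) for each over-broad grant:
    '*' or 'service:*' actions, '*' resources, or a '*' principal in a trust policy."""
    doc = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "Action", action))
        if "*" in _as_list(st.get("Resource")):
            findings.append((i, "Resource", "*"))
        principal = st.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append((i, "Principal", "*"))
    return findings


if __name__ == "__main__":
    for name, doc in (("policy.json", FULL_ACCESS_POLICY), ("policy2.json", CODEBUILD_TRUST_POLICY)):
        print(name, find_wildcards(doc) or "no wildcards")
```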
Some quick commands to get details of
🍨 Role:
aws iam get-role --role-name
Command Reference
aws iam get-role --role-name codebuildROle --profile ashwiniag
{
"Role": {
"Path": "/service-role/",
"RoleName": "codebuildROle",
"RoleId": "XXXXXXXXXXXXXXXXXXXX",
"Arn": "arn:aws:iam::2630:role/service-role/codebuildROle",
"CreateDate": "2019-11-24T03:50:30Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
}
}
🍨 Account-id/ user-id:
aws sts get-caller-identity --profile ashwiniag
{
"UserId": "XXXXXXXXXXXXXXXXXXXXX",
"Account": "2630",
"Arn": "arn:aws:iam::2630:user/ashwiniag"
}
🍨 List attached policies
Command Reference
aws iam list-attached-user-policies --user-name user1 --profile ashwiniag
{
"AttachedPolicies": [
{
"PolicyName": "AdministratorAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
}
]
}