m (→IAM Concepts: formatting) |
(→Getting Started with IAM: Drop ancient euca2ools 2 warning) |
||
(8 intermediate revisions by the same user not shown) | |||
Line 31: | Line 31: | ||
A '''login profile''' is a username and password that allow a user to log into the AWS website. Since accounts are always associated with their own passwords they cannot have login profiles. | A '''login profile''' is a username and password that allow a user to log into the AWS website. Since accounts are always associated with their own passwords they cannot have login profiles. | ||
=== Groups === | |||
A '''group''' is a collection of users. By sorting users into groups you can simplify user management. A given user can belong to more than one group. | A '''group''' is a collection of users. By sorting users into groups you can simplify user management. A given user can belong to more than one group. | ||
Line 49: | Line 49: | ||
== Why Use IAM? == | == Why Use IAM? == | ||
Using account credentials for everything is akin to logging into a computer as the <code>root</code> user for daily work. While it may be easier, doing so opens you up to unnecessary risks in the event of a mistake | Using account credentials for everything is akin to logging into a computer as the <code>root</code> user for daily work. While it may be easier, doing so opens you up to unnecessary risks in the event of a mistake or a breach of security. | ||
Some examples of when IAM is useful include: | Some examples of when IAM is useful include: | ||
Line 58: | Line 58: | ||
== Getting Started with IAM == | == Getting Started with IAM == | ||
What follows are some examples of how to use IAM. The setup from the first example is required to be able to complete the rest of the examples. | |||
=== Get Your Account Details === | === Get Your Account Details === | ||
Line 129: | Line 129: | ||
==== Create an Administrative User ==== | ==== Create an Administrative User ==== | ||
Next, create a user for day-to-day administrative work and add that user to the <code>administrators</code> group. | |||
<pre> | |||
$ euare-usercreate -u alice | |||
$ euare-groupadduser -g administrators -u alice | |||
</pre> | |||
==== Switch to the Administrative User ==== | |||
To start running commands as the new user you need to create an access key for that user: | |||
<pre> | |||
$ euare-useraddkey -u alice | |||
AKIAJ25S6IJ5K53Y5GCA | |||
QLKyiCpfjWAvlo9pWqWCbuGB9L3T61w7nYYF057l | |||
</pre> | |||
This command displays two lines of text. The first is the user's access key ID, while the second is the user's secret key. Open ~/.iamrc with your favorite editor, replace the account credentials you added earlier with the user's credentials you just created, and then switch euca2ools over to using those. | |||
<pre> | |||
$ ed ~/.iamrc | |||
$ source ~/.eucarc | |||
</pre> | |||
{{admon/note|Active keys are limited|AWS limits each user to '''two''' access keys at a time. <code>euare-userlistkeys</code> can list a user's keys, while <code>euare-userdelkey</code> can delete them.}} | |||
=== Create a Limited User === | |||
In this example we will create a limited user for an automated script that creates snapshots of volumes in EC2. This will give the script permission to perform its function, while preventing it (or anyone who gets their hands on the script's credentials) from doing anything else. | |||
==== Create a Group for the Purpose ==== | |||
Amazon recommends applying permissions to groups, not users, so create a <code>ebs-backup</code> group for this purpose: <pre>$ euare-groupcreate -g ebs-backup</pre> | |||
Next, this group needs a policy that allows its members to create snapshots. The easiest way to create non-trivial policies is with Amazon's [http://awspolicygen.s3.amazonaws.com/policygen.html Policy Generator], where you can create a policy for the ''Amazon EC2'' service that allows the ''CreateSnapshot'' action by choosing the appropriate options. You end up with a policy that looks like this: | |||
<pre> | |||
{ | |||
"Statement": [ | |||
{ | |||
"Action": [ | |||
"ec2:CreateSnapshot" | |||
], | |||
"Effect": "Allow", | |||
"Resource": "*" | |||
} | |||
] | |||
} | |||
</pre> | |||
Open up your favorite editor and write this policy to a file such as <code>allow-snapshot.json</code>. Then, add a new policy to the group based on this file: <pre>$ euare-groupuploadpolicy -g ebs-backup -p allow-snapshot -f allow-snapshot.json</pre> | |||
==== Create a User for the Script ==== | |||
Finally, create a user for the script in question, add that user to the group, and generate a key that it can use to talk to EC2: | |||
<pre> | |||
$ euare-usercreate -u myscript -g ebs-backup -k | |||
AKIAJ25S6IJ5K53Y5GCA | |||
QLKyiCpfjWAvlo9pWqWCbuGB9L3T61w7nYYF057l | |||
</pre> | |||
Did you notice the shortcut? By passing <code>-g ebs-backup</code> to <code>euare-usercreate</code> you added the new user to the <code>ebs-backup</code>. By passing it <code>-k</code> you created a new key immediately. | |||
=== Delete a User === | |||
When a user is no longer needed you can delete it with <code>euare-userdel</code>. Before a user can be deleted it must first be removed from all groups and have no policies, keys, certificates, or login profiles. If this sounds annoying, that is because it is. So if you wish, <code>euare-userdel</code> will delete them all for you if you pass it <code>-r</code>: <pre>$ euare-userdel -u bob -r</pre> | |||
=== Delete a Group === | |||
You can delete a group with <code>euare-groupdel</code>. This has the same caveats as deleting a user. <code>euare-groupdel</code> also supports the <code>-r</code> switch: <pre>$ euare-groupdel -g mygroup -r</pre> | |||
=== Create or Delete a Login Profile === | |||
A login profile is a password that allows a user to log into AWS's web-based console. A user can have up to one login profile at a time. You can manage login profiles with <code>euare-useraddloginprofile</code>, <code>euare-usergetloginprofile</code>, and <code>euare-userdelloginprofile</code>. | |||
A user with a login profile can log into AWS's web console at https://''your_AWS_Account_ID''.signin.aws.amazon.com/console/. Since account IDs are numeric and can be difficult to remember, you can also create an '''account alias''' to use instead: <pre>$ euare-accountaliascreate -a myaccount</pre> | |||
Account aliases can only be created with account credentials. | |||
[[Category:Cloud SIG]] | [[Category:Cloud SIG]] |
Latest revision as of 18:29, 10 September 2013
Amazon Identity and Access Management (IAM) is a web service that allows one to manage users and groups, and assign permissions to them as needed to improve the security of one's Amazon Web Services (AWS) account. By using IAM you can easily consolidate billing, make key rotation easier, and limit the damage that a compromised set of credentials can cause. The objective of this primer is to familiarize the reader with IAM's functionality and terminology. For more detailed documentation, see the AWS website. For help with Fedora on EC2, ask the Fedora Cloud SIG.
IAM Concepts
IAM involves several types of entities as well as permissions that you grant to entities in your AWS account.
Accounts
When you sign up for AWS you create an account, an entity that centrally controls all the resources that you create and pays for all of its activity. An account is similar to the superuser on a regular computer in that it always has permission to use all of AWS's functionality. It also has a password that allows you to access the AWS website and view billing information.
Users
A user is an entity that represents a person, a computer, or a program that can interact with AWS in the same manner as an account. Unlike an account, however, you can restrict a user to a subset of all of AWS's functionality.
Security Credentials
Both accounts and users use security credentials to interact with AWS programmatically. Tools use security credentials to cryptographically sign the messages they send to AWS so they can prove who they represent. Whether a set of credentials belongs to a user or an account, the ways in which they are used are identical.
There are three types of security credentials:
Access Keys
Access keys come in pairs: a secret access key and an access key ID. Most tools require this type of credentials.
X.509 Certificates
An X.509 Certificate (the same type of certificate used by web servers everywhere) comes with a matching private key. Whether or not this type of credential is necessary depends on the tools you use.
Login Profiles
A login profile is a username and password that allow a user to log into the AWS website. Since accounts are always associated with their own passwords they cannot have login profiles.
Groups
A group is a collection of users. By sorting users into groups you can simplify user management. A given user can belong to more than one group.
Resources
A resource is an object in an AWS service that you can interact with, such as a bucket or object in Amazon S3. Resources typically have both human-readable names (e.g. mybucket) and unique, machine-readable names.
Policies
A policy states that a user or group is allowed to access a set of resources or run a set of commands in AWS. For instance, a policy may state that the S3 bucket called mybucket
should be readable by the users alice
and bob
. Alternatively, a permission may state that the user alice
has permission to run instances in Amazon EC2.
Policies can deny access instead of allowing access. A policy that explicitly denies access always takes precedence over a policy that allows access.
Policies are discussed in detail in Amazon's IAM documentation.
Why Use IAM?
Using account credentials for everything is akin to logging into a computer as the root
user for daily work. While it may be easier, doing so opens you up to unnecessary risks in the event of a mistake or a breach of security.
Some examples of when IAM is useful include:
- Limiting the effects of errors in automated scripts
- Providing limited, short-term accounts for a Fedora test day inside of EC2
Getting Started with IAM
What follows are some examples of how to use IAM. The setup from the first example is required to be able to complete the rest of the examples.
Get Your Account Details
One can interact with IAM through either a web-based management console or via euca2ools, a suite of command line tools designed for services like IAM. This tutorial will focus on using IAM with euca2ools at the command line. This tutorial also assumes that you already have an active AWS account.
To use the command line tools you first need to obtain access keys for your account. You can find them by going to the AWS management console on the web, clicking your name on the top, followed by
Security Credentials, and scrolling down to the section titled Access Credentials. Make note of the Access Key ID and the Secret Access Key that appears beside it. Both of them should be long sets of alphanumeric characters. Create a file called .iamrc
in your home directory that contains those keys in this format:
AWSAccessKeyId=your_access_key_id AWSSecretKey=your_secret_key
Since euca2ools is designed to work with all AWS-compatible clouds, not just AWS itself, it needs to know which cloud to contact. Create a file called .eucarc
in your home directory with the following content to point it toward AWS:
export AWS_CREDENTIAL_FILE=~/.iamrc export EC2_URL=https://ec2.amazonaws.com/ export S3_URL=https://s3.amazonaws.com/ export EUARE_URL=https://iam.amazonaws.com/ source "$AWS_CREDENTIAL_FILE" export EC2_ACCESS_KEY=$AWSAccessKeyId export EC2_SECRET_KEY=$AWSSecretKey export AWS_ACCESS_KEY=$AWSAccessKeyId export AWS_SECRET_ACCESS_KEY=$AWSSecretKey
Finally, add these settings to your shell's environment by running:
$ source ~/.eucarc
Do Initial Setup
Install the Command Line Tools
Install the euca2ools package. To do so with yum, run:
# yum install euca2ools
Create an Administrative Group
Amazon recommends using account credentials as little as possible. You can avoid using account credentials by creating a group of users with administrative privileges. First create a group called administrators
:
$ euare-groupcreate -g administrators
If you wish, you can show a list of your groups to check that the command worked:
$ euare-grouplistbypath arn:aws:iam::123456789012:group/administrators
Add a Policy to the Administrative Group
Then add a policy to the administrators
group that allows its members to perform all actions in AWS.
You can add such a policy with the following command:
$ euare-groupaddpolicy -p admin-root -g administrators -e Allow -a "*" -r "*" -o
Taken literally, this command has six parts:
euare-groupaddpolicy |
Add a policy to a group... |
-p admin-root |
called admin-root ...
|
-g administrators |
to group administrators ...
|
-e Allow |
that will Allow ...
|
-a "*" |
all actions... |
-r "*" |
on all resources. |
While IAM policies are typically written in a machine-readable format called JSON, this policy is simple enough that it is unnecessary. Regardless of their complexity, IAM policies are always broken into sections in the manner shown above.
Create an Administrative User
Next, create a user for day-to-day administrative work and add that user to the administrators
group.
$ euare-usercreate -u alice $ euare-groupadduser -g administrators -u alice
Switch to the Administrative User
To start running commands as the new user you need to create an access key for that user:
$ euare-useraddkey -u alice AKIAJ25S6IJ5K53Y5GCA QLKyiCpfjWAvlo9pWqWCbuGB9L3T61w7nYYF057l
This command displays two lines of text. The first is the user's access key ID, while the second is the user's secret key. Open ~/.iamrc with your favorite editor, replace the account credentials you added earlier with the user's credentials you just created, and then switch euca2ools over to using those.
$ ed ~/.iamrc $ source ~/.eucarc
Create a Limited User
In this example we will create a limited user for an automated script that creates snapshots of volumes in EC2. This will give the script permission to perform its function, while preventing it (or anyone who gets their hands on the script's credentials) from doing anything else.
Create a Group for the Purpose
Amazon recommends applying permissions to groups, not users, so create a ebs-backup
group for this purpose:
$ euare-groupcreate -g ebs-backup
Next, this group needs a policy that allows its members to create snapshots. The easiest way to create non-trivial policies is with Amazon's Policy Generator, where you can create a policy for the Amazon EC2 service that allows the CreateSnapshot action by choosing the appropriate options. You end up with a policy that looks like this:
{ "Statement": [ { "Action": [ "ec2:CreateSnapshot" ], "Effect": "Allow", "Resource": "*" } ] }
Open up your favorite editor and write this policy to a file such as allow-snapshot.json
. Then, add a new policy to the group based on this file:
$ euare-groupuploadpolicy -g ebs-backup -p allow-snapshot -f allow-snapshot.json
Create a User for the Script
Finally, create a user for the script in question, add that user to the group, and generate a key that it can use to talk to EC2:
$ euare-usercreate -u myscript -g ebs-backup -k AKIAJ25S6IJ5K53Y5GCA QLKyiCpfjWAvlo9pWqWCbuGB9L3T61w7nYYF057l
Did you notice the shortcut? By passing -g ebs-backup
to euare-usercreate
you added the new user to the ebs-backup
. By passing it -k
you created a new key immediately.
Delete a User
When a user is no longer needed you can delete it with euare-userdel
. Before a user can be deleted it must first be removed from all groups and have no policies, keys, certificates, or login profiles. If this sounds annoying, that is because it is. So if you wish, euare-userdel
will delete them all for you if you pass it -r
:
$ euare-userdel -u bob -r
Delete a Group
You can delete a group with euare-groupdel
. This has the same caveats as deleting a user. euare-groupdel
also supports the -r
switch:
$ euare-groupdel -g mygroup -r
Create or Delete a Login Profile
A login profile is a password that allows a user to log into AWS's web-based console. A user can have up to one login profile at a time. You can manage login profiles with euare-useraddloginprofile
, euare-usergetloginprofile
, and euare-userdelloginprofile
.
A user with a login profile can log into AWS's web console at https://your_AWS_Account_ID.signin.aws.amazon.com/console/. Since account IDs are numeric and can be difficult to remember, you can also create an account alias to use instead:
$ euare-accountaliascreate -a myaccount
Account aliases can only be created with account credentials.