IAM Create Users and Assign Groups
In the previous article we had set up an MFA for our root account. In this article we will go ahead and create a new user, and also give them limited access to AWS resources by creating a group and attaching a policy.
Make sure you’re on the IAM page by clicking Services and then IAM under Security, Identity and Compliance . Click on Users on the sidebar and then click Add User at the top.
You need to fill in a username, access type, optionally a custom password and whether password reset is required. Not that the username can contain alphanumeric characters, or any of the following: _+=,.@-
Once all fields are selected click Next
In the Permissions page there are the following options:
- Add User to group
- Copy permissions from existing user
- Attach existing policies directly
Policies are just a document containing what permission you wish to grant to your users (or AWS services). Let’s first create a group as we don’t have one. We’ll be using an existing policy provided by AWS and attach it to the group.
We’ll give our group a name and look for a suitable policy. As you may have noticed there are a ton of policies provided by AWS. Let’s take a peek at what a policy looks like. Click on the expansion arrow on the left of a policy and then click JSON.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
This is the policy for AdministratorAccess. All it says is that anyone in this group can perform any action on any resource, resource being an AWS Service.
A more precise policy could look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cognito-identity:GetOpenIdTokenForDeveloperIdentity",
"cognito-identity:LookupDeveloperIdentity",
"cognito-identity:MergeDeveloperIdentities",
"cognito-identity:UnlinkDeveloperIdentity"
],
"Resource": "*"
}
]
}
Here we are only allowing the users to do certain actions on AWS Cognito.
Check the AdministratorAccess (or any other policy you would like to use) and click Create group. You can now add tags to a user if you like. Tags are useful if you want to perform some operation collectively on a few users. This is different for groups as groups give you access to certain resources.
We can then review our options and create the user. But we’re not done yet.
We now get a key pair that can be used to access AWS services through the terminal using SSH. You must store these somewhere securely as they will not appear again if lost. You’ll need to generate a new key pair. Click download .csv to download and store the file.
That’s it! We just created a user and attached a policy to them through groups. Easy peasy isn’t it?
We can also create groups directly by going to the IAM page and clicking on Groups and then Create a new Group.
I created a group called marketing and gave it S3FullAccess.
If I now try to go ahead and create a user, I can see the list of groups that we had created above.
So I went ahead and created another user with in the Marketing group.
Now if we click on any of the users under IAM > Users, we can view all details of the user.
And our group is visible here as well!
Also, if you go to the Permissions tab and click on Add permissions, you can add permissions directly without adding the user to another group.