Programmatic access to the AWS Cloud API
In order to run the examples presented in IT Wonder Lab, you will need programmatic access to the AWS Cloud API.
The following instructions guide you on the creation of a user for programmatic access with full administration permissions.
Be aware that these instructions should only be used for demos and accounts should be disabled after completion.
These instructions don’t follow the common security practice of Granting Least Privilege.
On other tutorials, we will show how to properly manage security in the cloud.
Sign in AWS Management Console
Sign in AWS Management Console using the email address of your new AWS account created on the Create an AWS Account for Demos post.
Fill in the e-mail address and press Next.
Fill in the password and press Sign in.
Access AWS IAM Service for user management
On the AWS Management Console home, write IAM into the search box and select “IAM Manage User Access and Encryption Keys”
Create a user in AWS IAM Management Console
Click Users on the left menu and click the Add user button.
Add a user
AWS shows a user creation wizard.
AWS IAM Add User: Add tags
In current releases of the AWS console the Add User wizard has been updated to include a new step to Add Tags to the created user. That step is not shown in this tutorial screenshots.
First write a user name.
We like to follow a pattern for all the elements in the infrastructure, since users are part of the infrastructure, start them with a prefix that uniquely identifies this Cloud.
In this case, the prefix will be ditwl that stands for Demo IT Wonder Lab in lowercase. Append the name of the user or a functional description, in our case, the full user name will be ditwl-terraform-user.
AWS allows two types of user access:
- Programmatic access: is used by tools like Terraform that access AWS API for all operations.
- AWS Management Console access: is used by people that need to access Management Console using a web browser.
Since we are creating a user for Terraform to access the AWS API, select Programmatic access for the AWS access type.
Click Next: Permissions
Assign a Group
The recommended way to manage user’s permissions is by assigning users to groups and giving permissions to the groups. Since this is our first user (beyond the root account), press Create group to create our first group.
A new form is shown for Create group. Name the group (we will use ditwl-admins as name) and select AdministratorAccess as Policy. The AdministratorAccess provides full access to AWS services.
Press Create group to go back to the previous screen.
Assign the created group to the user
Assign the previously created group to the user and click Next: Review.
Review user
The review screen shows all the data for the user. Review the correct spelling of the names and group assignments and press Create user.
Download User credentials
The user has been created and AWS shows the Access key ID and the Secret access key. This is the only time that AWS will show the Secret access key.
Press Download .csv to download a CSV file named credentials.csv that contains the credentials or press Show to see the Secret access key on the screen.
The downloaded file credentials.csv contains the following fields [1]:
User name,Password,Access key ID,Secret access key,Console login link ditwl-terraform-user,,A1B2C3D4E5F6G7H8I9J0,QwertYuiopASDFGHJKL123456789sadfghjkvcbn,https://134567891011.signin.aws.amazon.com/console
Keep the credentials safe by storing them under encryption and make sure that you don’t upload the Secret access key to a public repository. The Access Key ID and Secret access key can be used to buy services from AWS that will be charged to your account.
1] The Access key ID, Secret access key and Console login link shown on the example are fake.
