When working with Amazon Web Services (AWS), it's important to have a solid understanding of the building blocks of AWS Identity and Access Management (IAM). These building blocks include principals, users, roles, and groups, which are used to manage access to AWS resources.
In this blog post, we will walk through the concept of IAM users with a working example that you can try in AWS CloudShell or with the AWS CLI.
Principals
In AWS IAM, a principal represents a person or application that interacts with AWS resources. It can be an AWS account root user, an IAM user, or an AWS service.
A principal is an entity that can be authenticated and then authorized to act on AWS resources: each one has a unique AWS identity and a set of permissions that determine which actions it may perform. Here are some examples of principals in AWS:
IAM users
IAM roles
AWS services such as Amazon S3, EC2, and Lambda
Users
An IAM user is an entity that represents a person or application that has been granted access to AWS resources. IAM users are created within an AWS account and can be assigned a set of permissions that allow them to perform specific actions on AWS resources.
Each user is assigned a unique set of security credentials, such as a password or access key, that are used to authenticate their identity and authorize their actions.
Here's an example:
John is a developer who needs to access the Amazon S3 bucket that stores the application code. You create an IAM user for John and assign the necessary permissions to access the S3 bucket.
Create the user named "john"
[cloudshell-user@ip-10-2-62-171 ~]$ aws iam create-user --user-name john
{
    "User": {
        "Path": "/",
        "UserName": "john",
        "UserId": "AIDAXXXXXXXXXXXXXX7NC",
        "Arn": "arn:aws:iam::786XXXXXX733:user/john",
        "CreateDate": "2023-04-24T12:07:57+00:00"
    }
}
Create the access key used by John
[cloudshell-user@ip-10-2-62-171 ~]$ aws iam create-access-key --user-name john
{
    "AccessKey": {
        "UserName": "john",
        "AccessKeyId": "AKIAXXXXXXXXSSU65T5Z",
        "Status": "Active",
        "SecretAccessKey": "TQTe8uAxxxxxxxxxxxxxxxxxxxxhAJKqk",
        "CreateDate": "2023-04-24T12:08:14+00:00"
    }
}
Create a new S3 bucket and a folder named "john" in it (in S3 a "folder" is just an empty object whose key ends in a slash)
[cloudshell-user@ip-10-2-62-171 ~]$ aws s3api create-bucket --bucket "prahari-shared-data" --region 'us-east-1'
{
    "Location": "/prahari-shared-data"
}
[cloudshell-user@ip-10-2-62-171 ~]$ aws s3api put-object --bucket prahari-shared-data --key john/ --acl bucket-owner-full-control
{
    "ETag": "\"d41d8cd00000000000000ecf8427e\"",
    "ServerSideEncryption": "AES256"
}
Apply a bucket policy that lets the user john list the bucket and put objects under the john/ prefix.
[cloudshell-user@ip-10-2-62-171 ~]$ aws s3api put-bucket-policy --bucket prahari-shared-data --policy '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::786XXXXXX733:user/john"
            },
            "Action": [
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::prahari-shared-data",
                "arn:aws:s3:::prahari-shared-data/john/*"
            ]
        }
    ]
}'
Create a test file
[cloudshell-user@ip-10-2-62-171 ~]$ cat > example.txt <<EOF
> this is an example file
> EOF
[cloudshell-user@ip-10-2-62-171 ~]$ cat example.txt
this is an example file
Configure an AWS CLI profile so that test commands can be run as john
[cloudshell-user@ip-10-2-62-171 ~]$ aws configure --profile john
AWS Access Key ID [None]: AKIAXXXXXXXXSSU65T5Z
AWS Secret Access Key [None]: TQTe8uAxxxxxxxxxxxxxxxxxxxxhAJKqk
Default region name [None]: us-east-1
Default output format [None]:
Try to upload "example.txt" to the s3://prahari-shared-data/john folder as user John
[cloudshell-user@ip-10-2-62-171 ~]$ aws s3 cp example.txt s3://prahari-shared-data/john/ --profile john
upload: ./example.txt to s3://prahari-shared-data/john/example.txt
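To see exactly what the bucket policy above grants, here is an added example (not code from the original post): a small Python evaluator with simplified IAM semantics (explicit Deny wins, otherwise one matching Allow is needed, otherwise implicit deny; only the bucket policy is evaluated). It replays the walkthrough's upload, then shows two things the post does not spell out: john can list every prefix in the bucket, not only john/, and john cannot read back the file he just uploaded because s3:GetObject was never granted. The second user alice and the tightened policy, which limits s3:ListBucket with an s3:prefix condition, are assumptions added here; the account id is the redacted value from the post.

```python
import fnmatch

# Values copied from the walkthrough (the account id is redacted there too).
ACCOUNT_ID = "786XXXXXX733"
BUCKET = "prahari-shared-data"
JOHN = f"arn:aws:iam::{ACCOUNT_ID}:user/john"
# Constructed second user, not part of the post, to show the policy ignores others.
ALICE = f"arn:aws:iam::{ACCOUNT_ID}:user/alice"

# The bucket policy exactly as applied with put-bucket-policy above.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AddPerm",
        "Effect": "Allow",
        "Principal": {"AWS": JOHN},
        "Action": ["s3:ListBucket", "s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/john/*"],
    }],
}

# Tightened variant (added here, not in the post): same grant, but the
# ListBucket allow only applies when the requested s3:prefix is under john/.
TIGHTENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListOwnPrefixOnly", "Effect": "Allow", "Principal": {"AWS": JOHN},
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringLike": {"s3:prefix": "john/*"}}},
        {"Sid": "PutOwnPrefixOnly", "Effect": "Allow", "Principal": {"AWS": JOHN},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/john/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value, casefold=False):
    """IAM-style matching: '*' and '?' are wildcards, everything else is literal."""
    if casefold:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if casefold else p)
               for p in _as_list(patterns))


def _principal_matches(principal, arn):
    return principal == "*" or _glob_match(principal.get("AWS", []), arn)


def _condition_matches(condition, context):
    """StringEquals/StringLike only; a missing context key fails the test, as in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                if not _glob_match(expected, actual):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def is_allowed(policy, principal_arn, action, resource, context=None):
    """Decide one request against this bucket policy alone (no identity
    policies, SCPs or permission boundaries): Deny wins, else any Allow."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not (_principal_matches(st["Principal"], principal_arn)
                and _glob_match(st["Action"], action, casefold=True)
                and _glob_match(st["Resource"], resource)
                and _condition_matches(st.get("Condition", {}), context)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def john_can(policy, action, key=None, prefix=None):
    """Bucket-level request when key is None, object-level otherwise."""
    resource = f"arn:aws:s3:::{BUCKET}" + ("" if key is None else f"/{key}")
    context = {} if prefix is None else {"s3:prefix": prefix}
    return is_allowed(policy, JOHN, action, resource, context)


if __name__ == "__main__":
    # The upload from the walkthrough succeeds, but so does listing every prefix.
    print("put john/example.txt:", john_can(ORIGINAL_POLICY, "s3:PutObject", key="john/example.txt"))
    print("list alice/ (original):", john_can(ORIGINAL_POLICY, "s3:ListBucket", prefix="alice/"))
    print("list alice/ (tightened):", john_can(TIGHTENED_POLICY, "s3:ListBucket", prefix="alice/"))
    print("get john/example.txt:", john_can(ORIGINAL_POLICY, "s3:GetObject", key="john/example.txt"))
```

The s3:prefix condition has a side effect worth knowing before you adopt it: a plain `aws s3 ls s3://prahari-shared-data` sends no prefix, so the condition key is absent and the call is denied; john has to list `s3://prahari-shared-data/john/` explicitly. The evaluator models that by treating a missing context key as a failed condition, which is how IAM behaves for StringLike without IfExists.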
In future posts in this series, we'll look at working examples for roles, groups, policies, and more. So stay tuned.