I am noob on AWS, I need to deploy an app there but I don't want to pay for it, instead the person who asked me to do the the app must be the payer, How can I do this? I saw that I can create IAM users but I don't see any documentation to delegate the payment to one IAM user and I am scared of being charged for something that I am not benefiting, I am missunderstanding the concept of IAM users? where can I find docs for achieve this purpose?
Related
If i want to use codestar, I need to create a developer account, which is probably pretty weird. But it is even more weird, that i get redirected to creating an Amazon account.
Can anyone explain me why this is the case?
You have to pay attention to the application type
Select the right application type and AWS service in the template section
For example, if you chose AWS EC2 and Web application, AWS won't ask you for an Amazon developer account
I'm not sure wether or not this is possible. We have a couple of different Amazon Web Service Accounts, in this case let us just call them:
Test environment 1
Test environment 2
Production environment
I really want to manage as much as possible with our google accounts. Let us say, as a developer i have access to all three accounts in AWS, and i want to be able to access all these accounts with this one mail. (is this even possible?).
I have tried following this guide: https://wheniwork.engineering/how-to-setup-google-sso-and-aws-4496f054a707
The saml login with google works just fine, but im not really sure how i can change accounts while logged in?
I would love for it to show all organizations that i have access to, and change between them
What you are looking for is already provided by the AWS and it's called 'AWS Landing Zone'
Using Landing Zone, you can spin up multiple AWS accounts, and log in using one credential (Ex: your existing AD credentials)
SSO
Accounts
If you are new to this, I suggest looking at this AWS Tutorial to get an idea about it.
I am totally newbie with AWS, my first project with it.
I was trying to deploy my Django app with Elastic Beanstalk, using CodeCommit, following a tutorial. I was getting an error while trying to connect to the repo. Searching around that error, I got to the conclusion that I probably needed to enable AWSElasticBeanstalkFullAccess policy for my user. However, before doing that I 'detached' the first (and I think the only) policy that I had attached to my account. I think it was 'AdministratorAccess' or something similar (the first option in a large policies list). I just wanted to fit my user to the tasks that would be required and I interpreted that having admin privileges is not safe. Later I read that I should have created a new user with no root privileges, and work with that new user on a daily basis. I promise I will do that the next time.
So I am locked right now. I have just one user with privileges for doing absolutely nothing. I cannot even purchase development support (29$/month), to solve this situation... I don't know what to do. I could forget that account and open a new one, but I think there must be something I could do.
I tried searching for almost 2 hours, but I couldn't find anything that could work for me. I repeat that I am completely newbie on AWS and probably I didn't use the correct words in my searching process.
Any help will be appreciated. Thanks in advance.
Ok, finally solved. I explain.
While following the tutorial, I signed up AWS and created a user called 'username' for the deployment process in Elastic Beanstalk. I thought the user I created following the tutorial was my current user in AWS, but (fortunately) it wasn't.
I logged in with the 'username' user and detached the AdministratorAccess policy from that user, so the user has privileges to do nothing.
After some more reading, I found that if you login to AWS with your email (not the 'username'), you log as the root user. That allowed me to attach the correct policies to the user.
Here the difference between IAM users and root user:
From IAM users docs:
An IAM user with administrator permissions is not the same thing as the AWS account root user.
From root users docs:
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
I have a lot to learn around AWS, but I hope my story helps somebody...
I'm looking for something that can programmatically spin up instances for other AWS users after oauth. Is there something like this that Amazon provides? So they can just login with AWS account and then I can make AWS calls on their behalf.
Is there anything like this out there?
There's no logging in here. You need a cross-account role, supplied by the owner of the other account.
There is nothing like this.
It would have massive security implications.
Note that the primary entity in AWS is not the user, it is the "account." Accounts have users, and those users can only do what the account has authorized them to do.
For one AWS account ("mine") to allow another AWS account ("yours") to perform actions on behalf of my account (technically, not on behalf of "me"), I have to explicitly give you permission to do so, via IAM. One solution is to create a role with the necessary permissions and delegate access to you.
But this is unlikely to be something a well-informed user would permit, since you could easily run up substantial expenses for the user. Allowing such external access would not be a good practice.
There is, however, a way for users to launch your software on EC2 and optionally pay you a license fee billed on your behalf by AWS, through the AWS Marketplace, which is oriented towards a one-click experience for the user.
I have domains, instances, and buckets open on my AWS account - some are running databases on them.
I can't pay monthly for all of these services, because some of them aren't my own - I did them as work for others. And rather than going through the hassle of transferring the compute and database to another instance on another account, I'd like an IAM user to pay with his/her credit card for the services he owns.
Can IAM users pay monthly for services on my AWS account? If so, how?
No. There's no mechanism for what you want.
You may be interested in Amazon DevPay, which is sort of like what you're asking for. But I think you're doing contract work for individuals and DevPay is aimed more at providing an AWS-like service atop AWS and selling it to other developers.
The other direction is to make your clients create an AWS account. If you want to be fancy, you could use Consolidated Billing to create a sub-account under your control but billed to the customer. I think this is the best fit for consulting work, but getting there from your current setup will be painful.
There are some services (S3, ..) where you can let the client pay per call, bu for the rest I believe that your account is only yours. What I do is presenting the detailed billing and I let the company reimburse the costs.
Maybe you will have to migrate the environment. If your clients are not proficient aws users, you may want to build a cloud formation script that would enable them to start and access the environment in a few clicks..
G.