I have a total of 600 users in the AWS Cognito user pool in my old AWS account, and I want to move/migrate all the users to my new AWS account. Is it possible to migrate AWS Cognito users from one AWS account to another?
Please help me.
I checked through every document linked to Cognito, but I was unable to find a document for moving Cognito users between AWS accounts.
You should consider using the cognito-backup-restore npm tool. It's easy to use and oriented to what you require, but there are some important points to take into account:
You need the AWS CLI and security credentials installed and well configured locally; preferably use IAM roles to access Cognito.
You're backing up users from Cognito user pool to a JSON file locally, so do it in a safe environment and remove the file after restoring the backup.
There is no way of getting passwords of the users in Cognito, so you may need to ask them to make use of ForgotPassword to recover their account.
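What such a backup/restore boils down to, as an added example written for this page (it is not the cognito-backup-restore tool's code): page through ListUsers in the old account, dump the records to JSON, then re-create each user in the new account's pool with AdminCreateUser. Pool ids and regions are hypothetical. Because passwords cannot be exported, every user is created with a random temporary password and MessageAction=SUPPRESS, and has to go through ForgotPassword once; users whose status is EXTERNAL_PROVIDER are skipped because they never had a Cognito password and are recreated on their next federated sign-in.

```python
"""Export the users of one Cognito user pool to JSON and re-create them in
another pool (for example in a different AWS account).

Added example, not the cognito-backup-restore tool. Passwords are not
exportable, so users are re-created with a random temporary password and
MessageAction=SUPPRESS; they must reset it (ForgotPassword) before login.
"""
import json
import secrets
import string

# Attributes Cognito manages itself; AdminCreateUser rejects them.
READ_ONLY_ATTRIBUTES = {"sub", "identities"}
# Federated users have no password in Cognito and are re-created on their
# first federated login in the new pool, so they are not copied.
SKIP_STATUSES = {"EXTERNAL_PROVIDER"}


def temporary_password(length=16):
    """Random password satisfying Cognito's default policy (upper, lower,
    digit, symbol, at least 8 characters)."""
    if length < 8:
        raise ValueError("Cognito requires at least 8 characters")
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, "!@#$%^&*")
    chars = [secrets.choice(c) for c in classes]        # one of each class
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def to_create_user_params(user_pool_id, user):
    """Translate one ListUsers record into AdminCreateUser keyword arguments.

    Returns None for users that should not be recreated (federated accounts).
    """
    if user.get("UserStatus") in SKIP_STATUSES:
        return None
    attributes = [a for a in user.get("Attributes", [])
                  if a["Name"] not in READ_ONLY_ATTRIBUTES]
    return {
        "UserPoolId": user_pool_id,
        "Username": user["Username"],
        "UserAttributes": attributes,
        "TemporaryPassword": temporary_password(),
        # Do not send hundreds of welcome e-mails; users reset via ForgotPassword.
        "MessageAction": "SUPPRESS",
    }


def export_users(user_pool_id, region, path):
    """Dump every user of the pool to a JSON file. Needs credentials with
    cognito-idp:ListUsers on the OLD account; delete the file afterwards."""
    import boto3  # imported lazily so the pure helpers above work offline
    client = boto3.client("cognito-idp", region_name=region)
    users = []
    paginator = client.get_paginator("list_users")
    for page in paginator.paginate(UserPoolId=user_pool_id):
        users.extend(page["Users"])
    with open(path, "w") as fh:
        json.dump(users, fh, default=str)  # UserCreateDate is a datetime
    return len(users)


def import_users(user_pool_id, region, path):
    """Re-create users from the JSON dump in the NEW account's pool."""
    import boto3
    client = boto3.client("cognito-idp", region_name=region)
    with open(path) as fh:
        users = json.load(fh)
    created = 0
    for user in users:
        params = to_create_user_params(user_pool_id, user)
        if params is None:
            continue
        client.admin_create_user(**params)
        if not user.get("Enabled", True):  # keep disabled users disabled
            client.admin_disable_user(UserPoolId=user_pool_id,
                                      Username=user["Username"])
        created += 1
    return created


if __name__ == "__main__":
    # Hypothetical pool ids; run the export with the old account's
    # credentials and the import with the new account's.
    export_users("us-east-1_OLDPOOLID", "us-east-1", "users.json")
    import_users("us-west-2_NEWPOOLID", "us-west-2", "users.json")
```

Two caveats for a real run: if the old pool used the e-mail address as the username attribute, the exported Username values are opaque UUIDs and you will want to create users by their email attribute instead; and the new pool's password policy must accept the generated temporary passwords (adjust the character classes if it does not require symbols, or requires a longer minimum).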
I want to use AWS S3 in my Laravel project. For this I created a bucket on S3 and also created an IAM user and gave it the "S3FullAccess" permission, but it created the user with an error: access_key not created...
I used my Vocareum account credentials (found on the Account details button) but Laravel gives an error "Invalid access token".
Please help...
On an AWS Educate Starter Account you can't create access keys for IAM users. From their docs:
You can create users, but cannot associate login profile or access keys for them
The AWS Educate accounts have a lot of limitations and they just barely allow you to do what you need to do in your classrooms.
It appears that the user you are logging into AWS as is not an administrator user, or certainly lacks some administration permissions.
I'm not familiar with Vocareum but it seems to be some sort of learning management system - I presume you are using an AWS account that they control, which would explain the lack of privileges. If that is the case, and it is their AWS account that you are accessing, then you will need to raise a support case with them.
If this is your account, and you created this user, then you need to log into the account as the root user you created when you configured your AWS account and use it to create an access key for this current user.
Can someone help me to understand service accounts? How can we check using the AWS CLI?
Here is the description from the official documentation:
An IAM user is a resource in IAM that has associated credentials and permissions. An IAM user can represent a person or an application that uses its credentials to make AWS requests. This is typically referred to as a service account.
Here is the sample code:
import boto3

# Placeholder keys as in the original; if these arguments are omitted, boto3
# reads credentials from the environment, a profile or an IAM role instead.
client = boto3.client('iam', aws_access_key_id="XXX", aws_secret_access_key="XXX")

# ListUsers is paginated; this prints the first page of IAM user names.
users = client.list_users()
for user in users['Users']:
    print(user['UserName'])
The notion of a 'service account' is not an AWS thing. In IT generally, it's a user account specifically set up with long-term credentials that a server can use (as opposed to a person).
This is a bad thing. You don't ever want long-term credentials on your servers (and certainly not in your code or configuration). You should use auto-rotating credentials, such as available via IAM roles.
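Putting the two answers together, the practical check is to find which IAM users behave as service accounts (active long-term access keys, no console password) and how old their keys are. The following is an added example for this page, not code from either answer; the classification function is pure and runs offline against a constructed sample, and audit_users() does the same over the real account with boto3's IAM API (it needs iam:ListUsers, iam:ListAccessKeys and iam:GetLoginProfile). The 90-day threshold is an assumed policy, not an AWS default.

```python
"""Find the "service accounts" in an AWS account: IAM users that carry
long-term access keys without a console password, and flag stale keys.

Added example, not from the original answer. The classification logic is
pure so it can be exercised offline; audit_users() applies it to a real
account through boto3.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy

# Constructed sample used by the stand-alone demo and the checks.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAOLD", "Status": "Active",
     "CreateDate": SAMPLE_NOW - timedelta(days=200)},
    {"AccessKeyId": "AKIANEW", "Status": "Active",
     "CreateDate": SAMPLE_NOW - timedelta(days=5)},
    {"AccessKeyId": "AKIAOFF", "Status": "Inactive",
     "CreateDate": SAMPLE_NOW - timedelta(days=400)},
]


def classify_user(has_login_profile, access_keys, now=None):
    """Return (kind, stale_key_ids).

    access_keys entries are shaped like ListAccessKeys metadata:
      {"AccessKeyId": ..., "Status": "Active"|"Inactive", "CreateDate": datetime}
    """
    now = now or datetime.now(timezone.utc)
    active = [k for k in access_keys if k["Status"] == "Active"]
    stale = [k["AccessKeyId"] for k in active
             if now - k["CreateDate"] > MAX_KEY_AGE]
    if active and not has_login_profile:
        kind = "service-account"   # keys only: something non-human uses it
    elif active and has_login_profile:
        kind = "human-with-keys"   # a person who also holds long-term keys
    elif has_login_profile:
        kind = "human"
    else:
        kind = "dormant"           # neither a password nor an active key
    return kind, stale


def audit_users():
    """Walk every IAM user in the account and classify it."""
    import boto3  # lazy import keeps classify_user usable without boto3
    iam = boto3.client("iam")
    report = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys = iam.list_access_keys(UserName=name)["AccessKeyMetadata"]
            try:
                iam.get_login_profile(UserName=name)   # raises if no console login
                has_profile = True
            except iam.exceptions.NoSuchEntityException:
                has_profile = False
            kind, stale = classify_user(has_profile, keys)
            report.append((name, kind, stale))
    return report


if __name__ == "__main__":
    kind, stale = classify_user(False, SAMPLE_KEYS, SAMPLE_NOW)
    print(f"sample user: {kind}, stale keys: {stale}")
    for name, kind, stale in audit_users():
        print(f"{name:30} {kind:18} stale keys: {', '.join(stale) or '-'}")
```

Users that come out as "service-account" are the ones to move onto IAM roles (instance profiles, task roles, or AssumeRole from a CI system); "human-with-keys" is usually a person who should be using the console or SSO instead of keys, and anything in "stale" should be rotated or deactivated.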
I am creating short-lived users on AWS on the fly, and while debugging why these newly created logins tended to fail with an InvalidAccessKeyId, I realised that just adding a small sleep solved the problem.
xref How long should I wait after applying an AWS IAM policy before it is valid? re: time for consistency throughout AWS
My follow up question to the above: is there a way to synchronously create a consistent IAM policy? Or at least a way to know they are ready to use?
Amazon IAM is not designed for providing short-lived credentials. You should create IAM Users for long-lived requirements, such as logins for humans and logins for persistent applications.
An IAM User should not be used for application login purposes. For example, if you are creating an Instagram-like application, you should maintain your own database of users or utilize Amazon Cognito for user authentication.
So, how do you then grant users access to AWS resources? For example, if you have an Instagram-like application and you wish to grant application users the ability to upload/download their pictures in Amazon S3 but want to restrict access to a certain bucket and directory?...
The answer is to create temporary credentials using the AWS Security Token Service (STS). Credentials can be created with a given policy for a specific period of time. These credentials work immediately. For example, if an Instagram-like user logs into the app, the backend app could generate temporary credentials that allow the user to access a specific directory within a specific Amazon S3 bucket for a set period of time (e.g. 15 minutes). These credentials are then passed to the mobile app/web browser for direct access to AWS services.
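The pattern in that last paragraph, as an added example (not code from the original answer): the backend assumes a role with an inline session policy that restricts the resulting keys to one user's prefix in one bucket, for 900 seconds, which is the minimum STS allows. The bucket name and role ARN are hypothetical; the backend's own identity must be allowed sts:AssumeRole on that role, and a session policy can only narrow what the role's attached policies already permit. The user id is interpolated into ARNs and an s3:prefix condition, so it is validated first; an unvalidated id containing a wildcard or "../" would widen the grant rather than narrow it.

```python
"""Mint short-lived, per-user AWS credentials scoped to an app user's S3
prefix with STS AssumeRole plus an inline session policy.

Added example for the pattern the answer describes; not from the original
post. BUCKET and UPLOAD_ROLE_ARN are hypothetical.
"""
import json
import re

BUCKET = "example-photos-bucket"                                    # assumed
UPLOAD_ROLE_ARN = "arn:aws:iam::123456789012:role/AppUserUploads"   # assumed
# Also a valid RoleSessionName alphabet, so the same id is reused there.
USER_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def scoped_s3_policy(bucket, user_id):
    """Policy allowing get/put/list only under users/<user_id>/ in `bucket`.

    Rejects ids that would break out of the prefix ('*', '?', '/', '..').
    """
    if not USER_ID_RE.match(user_id):
        raise ValueError("unsafe user id")
    prefix = f"users/{user_id}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                # ListBucket is bucket-level; the prefix condition stops the
                # user from listing other users' objects.
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def credentials_for_user(user_id, duration_seconds=900):
    """Return temporary keys the client can use directly against S3.

    900 s (15 min) is the STS minimum; the maximum is the role's configured
    MaxSessionDuration.
    """
    import boto3  # lazy import so scoped_s3_policy is usable offline
    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=UPLOAD_ROLE_ARN,
        RoleSessionName=f"user-{user_id}"[:64],
        Policy=json.dumps(scoped_s3_policy(BUCKET, user_id)),
        DurationSeconds=duration_seconds,
    )
    c = resp["Credentials"]
    # All three values go to the client; the session token is what makes
    # the key pair temporary and lets S3 evaluate the session policy.
    return {
        "AccessKeyId": c["AccessKeyId"],
        "SecretAccessKey": c["SecretAccessKey"],
        "SessionToken": c["SessionToken"],
        "Expiration": c["Expiration"].isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(scoped_s3_policy(BUCKET, "u123"), indent=2))
```

The same idea applies when the app already uses Cognito: a Cognito identity pool performs this exchange for you, and a policy variable such as ${cognito-identity.amazonaws.com:sub} in the role policy plays the part of the validated user id above.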
I've been looking into getting the AWS (web) console hooked up to an AD or ADFS setup for managing users. It was reasonably easy to get working with a SAML Identity Provider in IAM and some existing ADFS infrastructure.
The problem is that users that authenticate that way, as opposed to normal AWS user accounts, don't have any way to have associated access keys so far as I can tell. Access keys are a key concept for authenticating stuff such as the AWS CLI, which needs to be tied to individual user accounts.
What are the workarounds to allow a user authenticated via a SAML identity provider to still be able to easily use the aws CLI? The only thing I've come up with so far is some hacky crap that would proxy the aws cli command, request temporary 1-hour credentials from the aws STS service, put them in the aws credentials file, and forward the command to the normal AWS cli. But, that makes me want to throw up a little bit; plus, I have no idea if it would work if a command took over an hour to complete (large s3 uploads, etc..)
Suggestions? I would try the official Directory Service AD connector, but my understanding is users still just assume IAM roles and would ultimately have the same problem.
https://github.com/Versent/saml2aws was created to address this, and has a vibrant open source community behind it.
I've had success with aws-adfs for AWS CLI via ADFS.
The repo owner is currently adding support for DUO MFA as well.
It works by authenticating the user to the same page you'd use for console access then scraping the roles available. You choose a role and then aws-adfs sets the default user to the credential set needed for sts access.
After the default user is set you can use the CLI as normal: aws s3 ls
https://github.com/venth/aws-adfs
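What saml2aws and aws-adfs do once they have a SAML assertion from the IdP, shown as an added example that is not either project's code: read the role/provider ARN pairs out of the assertion's Role attribute, call STS AssumeRoleWithSAML for the chosen role (this call is unsigned, so no prior AWS credentials are needed), and write the resulting keys into the credentials file as a named profile. The assertion below is a constructed, unsigned sample; obtaining a real one (ADFS form login, MFA) is the part those tools automate and is not shown. On the "over an hour" worry: DurationSeconds can be raised up to the role's configured MaxSessionDuration, so a long upload can be covered by one session.

```python
"""What tools like aws-adfs / saml2aws do under the hood: take a SAML
assertion, pick a role, call AssumeRoleWithSAML, and write the temporary keys
into the AWS credentials file as a named profile.

Added example, not code from either project. SAMPLE_ASSERTION is a
constructed, unsigned assertion used only to exercise the parser.
"""
import base64
import configparser
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample exposing two roles; values may list the role or the
# provider first, which the parser normalises.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def roles_from_assertion(assertion_xml):
    """Return [(role_arn, provider_arn), ...] from the AWS Role attribute."""
    root = ET.fromstring(assertion_xml)
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            a, b = [s.strip() for s in value.text.split(",")]
            role, provider = (a, b) if ":role/" in a else (b, a)
            pairs.append((role, provider))
    return pairs


def write_profile(path, profile, creds):
    """Store temporary keys as a named profile; `aws --profile <name>` then
    works until Expiration. Other profiles in the file are preserved."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        # Ignored by the CLI; lets a wrapper know when to re-authenticate.
        "aws_session_expiration": str(creds["Expiration"]),
    }
    with open(path, "w") as fh:
        cfg.write(fh)
    return cfg


def login(assertion_xml, role_arn, path, profile="saml", duration=3600):
    """Exchange the assertion for keys valid `duration` seconds (up to the
    role's MaxSessionDuration) and save them under `profile`."""
    import boto3  # lazy import; AssumeRoleWithSAML itself needs no credentials
    providers = dict(roles_from_assertion(assertion_xml))
    resp = boto3.client("sts").assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=providers[role_arn],
        SAMLAssertion=base64.b64encode(assertion_xml).decode(),
        DurationSeconds=duration,
    )
    write_profile(path, profile, resp["Credentials"])
    return resp["Credentials"]["Expiration"]


if __name__ == "__main__":
    for role, provider in roles_from_assertion(SAMPLE_ASSERTION):
        print(role, "via", provider)
```

Writing the keys to a profile rather than the default section means the SAML session never overwrites credentials the user keeps for other accounts, and a second profile can hold a different role from the same assertion.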
I have an Amazon Web Services account which will be used to host the backend of an app. The backend uses PHP/MySQL and will most likely use an EC2 instance and RDS. I have my own account which has access to everything. I need to create an account for a developer to put the backend on AWS but I don't want them to have access to anything except what they need. I know how to create IAM users and Groups but I don't know which permissions to grant the developer. Under Select Policy Template there is a Power User template, is that good for a developer? Has anyone done this before?
The Power User Access template in AWS Identity and Access Management (IAM) grants permission to do ANYTHING except using IAM. A user with this permission can view, create or remove any resources in your AWS account, but they could not create new users or modify any user permissions.
It is recommended that you only give people the least amount of privilege required to use AWS, so that they do not intentionally or accidentally do something unwanted. However, if you do not have enough knowledge of AWS to know what functionality is required, you will most likely need to trust the developer to configure the system for your needs.
A few tips:
Only give them access via an IAM User -- never give them your root credentials
If you don't know what permissions are required, then "Power User" is at least safer than "Administrator" since they cannot edit IAM settings
When they have completed their work, revoke their access so they cannot create any more AWS resources
Determine whether you also wish to revoke access to the EC2 instances (you'll have to do this on the instances themselves)
You may need to define some roles that will be used with Amazon EC2 -- these are defined in IAM, so the developer will not have permission to create the roles himself
Ask the developer for documentation of what he has deployed
Turn on Detailed Billing to identify what AWS charges you are receiving and check them against the documentation
Turn on CloudTrail to activate auditing of your account (it is activated per-region)
Alternatively, you could do all the AWS configuration (launching an EC2 instance, creating the database) and only let the developer login to the EC2 instance itself. That way, they would not need access to your AWS account.
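For the case in the question (one developer, EC2 plus RDS, no IAM changes), a narrower policy than Power User is straightforward to write. The following is an added example, not code from the answer: it builds a policy limited to the compute, database and logging services in one region, grants iam:PassRole only for instance roles the account owner has created in advance (the roles tip above), and explicitly denies the IAM, Organizations and account actions; a small lint then lists which IAM actions a policy hands out, and a CloudTrail lookup pulls what the developer's user did (the auditing tip above). Account id, region and role name are hypothetical, and the catalogue of IAM actions used by the lint is a constructed subset.

```python
"""A narrower alternative to PowerUserAccess for a contractor who only needs
EC2/RDS in one region, a lint for the iam: actions a policy allows, and a
CloudTrail lookup of what a given IAM user did.

Added example, not from the original answer. ACCOUNT, REGION and
INSTANCE_ROLES are hypothetical; IAM_ACTIONS is a constructed subset used
only by the lint.
"""
import fnmatch
import json

REGION = "us-east-1"                      # assumed
ACCOUNT = "123456789012"                  # assumed
INSTANCE_ROLES = ["backend-ec2-role"]     # assumed, pre-created by the owner

# Constructed subset of IAM actions for the lint to match patterns against.
IAM_ACTIONS = ["iam:PassRole", "iam:CreateUser", "iam:CreateAccessKey",
               "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:ListRoles"]


def developer_policy(region, account, instance_roles):
    """Least-privilege-ish policy for a developer deploying EC2 + RDS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Build and operate the app tier, but only in one region.
                "Sid": "ComputeAndDb",
                "Effect": "Allow",
                "Action": ["ec2:*", "rds:*", "elasticloadbalancing:*",
                           "cloudwatch:*", "logs:*"],
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:RequestedRegion": region}},
            },
            {   # The only iam: grant: attach owner-created roles to instances.
                "Sid": "PassPrecreatedRoles",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": [f"arn:aws:iam::{account}:role/{r}" for r in instance_roles],
                "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
            },
            {   # Explicit Deny wins over any Allow from another attached policy.
                "Sid": "NoIdentityChanges",
                "Effect": "Deny",
                "Action": ["iam:Create*", "iam:Put*", "iam:Attach*", "iam:Update*",
                           "iam:Delete*", "organizations:*", "account:*"],
                "Resource": "*",
            },
        ],
    }


def allowed_iam_actions(policy, catalogue=IAM_ACTIONS):
    """Which catalogue actions the policy allows (Allow minus explicit Deny).
    Statements written with NotAction are skipped, so check those by hand."""
    allowed, denied = set(), set()
    for st in policy["Statement"]:
        if "Action" not in st:
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        target = allowed if st["Effect"] == "Allow" else denied
        for pattern in actions:
            target.update(a for a in catalogue if fnmatch.fnmatchcase(a, pattern))
    return allowed - denied


def developer_activity(username, days=30):
    """(EventTime, EventSource, EventName) for every CloudTrail event the
    user generated in the last `days` days in REGION."""
    import boto3  # lazy import keeps the pure helpers usable offline
    from datetime import datetime, timedelta, timezone
    ct = boto3.client("cloudtrail", region_name=REGION)
    start = datetime.now(timezone.utc) - timedelta(days=days)
    events = []
    paginator = ct.get_paginator("lookup_events")
    for page in paginator.paginate(
            LookupAttributes=[{"AttributeKey": "Username", "AttributeValue": username}],
            StartTime=start):
        events.extend((e["EventTime"], e["EventSource"], e["EventName"])
                      for e in page["Events"])
    return events


if __name__ == "__main__":
    policy = developer_policy(REGION, ACCOUNT, INSTANCE_ROLES)
    print(json.dumps(policy, indent=2))
    print("iam actions granted:", sorted(allowed_iam_actions(policy)))
```

Attach the generated document as an inline or customer-managed policy to the developer's IAM group. When the engagement ends, the revocation tip above amounts to deleting the user's login profile and deactivating or deleting their access keys; CloudTrail must already have been enabled in the region before the work started for developer_activity() to have anything to return.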