I lost access to my AWS account due to loss of my phone with Authenticator app, but I still have access to console. The problem is that somehow the phone number in my account was incorrect and I can't restore access automatically. Support said there is a typo in number and if I have another user with full access, I will be able to change it to correct number and proceed to restore my account via MFA troubleshooting form.
So, the question is how to create that user?
I already did this:
aws iam create-login-profile --user-name VeryAdmin --password verypassword
aws iam add-user-to-group --user-name VeryAdmin --group admin
And successfully logged in to console, but still has no access to changing the number. The article in documentation said that the user should have access to this:
The IAM user enabled on the AWS account has administrator access permission.
The IAM user has access to the AWS Billing console.
No idea how to correctly add them via CLI
Unfortunately to change any details belonging to your account you will need to be logged in as root user:
Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and AWS Regions, don't require root user credentials
https://docs.aws.amazon.com/accounts/latest/reference/root-user-tasks.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html
Related
im trying to get eb cli working.
in my cmd i do
>eb init
which opens up a new terminal, which then soon asks for aws-access-id and aws-secret-key
You have not yet set up your credentials or your credentials are incorrect
You must provide your credentials.
(aws-access-id): xxxx
(aws-secret-key): xxxxxxxxxx
ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.
im not 100% sure whether aws-access-id referes to my username, the email address that created it or user id....
same goes for the aws-secret-key , im assuming right now that its the password for the account not some 1 off secret key.
I have used the console login link to register the iam account and change the password.
I have set the permissions of this user group to be AdministratorAccess
##################################
what is aws-access-id:
my username?
the email address?
user id?
is there anything that looks wrong?
You need to use Access keys.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
If you have access to IAM and have sufficient privileges you can generate such keys for yourself. If not you need to contact your AWS administrator.
Please take a look at Managing access keys for IAM users for more information.
I'm tracking how to send an Email Using the AWS SDK for Python (Boto).
At the AWS Developer Guide using-credentials page I read that:
For security best practice, use AWS Identity and Access Management (IAM) user access keys instead of AWS account access keys [emphasis added].
Then at the Managing Access Keys for IAM Users I am eventually led to this section and I duly confirm using
aws iam list-access-keys
that I have just created (in JSON form):
{
"AccessKeyMetadata": [
{
"UserName": "My_User_Name",
"Status": "Active",
"CreateDate": "2018-09-03T00:43:37Z",
"AccessKeyId": "JRUFKDHUWHE8DD495CHD"
}
]
}
but I lack clarity about whether this identity is the "AWS account access keys" that I was earlier warned does not fall in the "security best practice".
How do I create an IAM identity (user access + password) for sending email through SES and boto (while eliminating the chance I am exposing the entire AWS account)?
Ranting (and a constructive suggestion to AWS staff writers, if here): Specific branding would help. At Ikea I might order a chair or a table with the meaningless name Fjorstuvstok, but I know with certainty that I am ordering the chair I want.
The AWS account access keys are the ones owned by the root account user. To check what these are, you need to know your root account user name. This can be checked using the aws cli using the AWS root credentials, or loging in with your root account credentials to the AWS Console and clicking "My Security Credentials" under your username in the top right corner.
Assuming you use the cli, make sure you've configured the root credentials in ~/.aws/credentials. Then run:
aws iam get-user
{
"User": {
"UserName": "my_root_user_name",
"PasswordLastUsed": "2018-09-03T06:40:38Z",
"CreateDate": "2017-03-01T08:53:36Z",
"UserId": "9XXXXXXXXXXX",
"Arn": "arn:aws:iam::9XXXXXXXXXXX:root"
}
}
This will provide you with details of your root user. This username can then be used to query for access keys:
aws iam list-access-keys --user-name my_root_user_name
If any of the keys listed from this result are being used for SES, then that's bad news. AWS reccomends that you use Access Keys assigned to IAM Users (non-root).
The AWS account access keys mean the Root account access /secret keys of your AWS account. When you register yourself with aws using your email, the account created is Root account. There is key associated with that, which needs to be removed. (As this is Root account, it provides unrestricted access to all AWS services. Check AWS Account Root User Credentials vs. IAM User Credentials
The warning suggested to use IAM user access keys. So you can create IAM user in your aws account and create associated access key id and secret access key and configure that on your machine from where you are running your code. ( This is not good practice in higher deployment environment. If the machine gets compromised then access key will be exposed)
As its unclear how you are running your application code (from ECS or EC2 or AWS Lambda), You should create IAM role to grant access to SES from where you are going to run your code. This will avoid exposing IAM access key Id and Secret access key from your application code / machine.
I want to manage the my AWS environment using PowerShell. We are getting access through IAM roles. I am facing trouble to generate the Access key & secret key for my IAM role. Can someone guide me how can i generate these keys.
An IAM Role can only be used by an IAM User. This is because the User needs to authenticate to AWS to prove that they are that user. This will then provide IAM User credentials.
If you then wish to use a role, you can use the User credentials to call Use-STSRole, which will assume the role and return a set of credentials associated with the Role. (Note: The credentials will expire after a period of time, typically one hour.)
For more details, see: Switching to an IAM Role (Tools for Windows PowerShell)
You do not generate IAM Access Key / Secret Key for roles. AWS generates these for you and makes them available in the instance's metadata.
The AWS Tools for Windows PowerShell will automatically extract the access key / secret key from the instance's metadata if you have installed PowerShell and the AWS Tools correctly.
This link will provide more information about PowerShell and IAM Roles:
IAM Roles for EC2
[Update after new comment]
If your goal is to generate IAM access keys for a new user, login to the AWS console, go to IAM, go to users, Add User, click "Programmatic access", then Set permissions for the user and finish by creating the user. On the next screen will be the access keys. You need to download (or copy) the Secret access key as it will NOT be shown again.
For an existing user, click on the user, click on the "Security credentials" tab, then click the "Create access key" button. Copy or download the keys. Note: You cannot access previously created access keys. If you have lost the secret access key, then you have to generate new ones.
Managing Access Keys for Your AWS Account
According to AWS Doc there is a way through API:
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" –v http://169.254.169.254/latest/meta-data/iam/security-credentials/*role_name*
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
While creating Users in Cloud. In IAM, Password policy. If you set password policy in inner sub user then it affects to parent user as well.
How is it possible ?
Example . I created user called xyz under root. I will login in xyz and change the password policy. But it affects Root user password policy as well.
The password policy that you set is for the account, not for a specific user and not for a group of users. It applies to the passwords of all IAM users. It does not apply to the AWS root account password.
How would you switch to a user in the AWS console?
I've set up an IAM policy for a user and I'd like to test whether they're working or not.
I've tried switching roles http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html
using the account id from the User ARN (e.g.
arn:aws:iam::<account id>:user/<username>
in
https://signin.aws.amazon.com/switchrole
using:
Account: <account id>
Role: test_user
Display Name: Test User
then clicking Switch Role but I get:
Could not switch roles using the provided information. Please check your settings and try again. If you continue to have problems, contact your administrator.
Note: I am an Admin with full access.
You cannot use the Switch Role functionality to switch to a User.
You have two options:
Login as the User you wish to test, or
Create a Role with the same permissions, switch to the Role, then test
The easiest is to simply login as the user you wish to test. However, this can be a poor security practice because you are using another person's account and any actions you perform would be recorded against that user in Amazon CloudTrail (audit trail).
Alternatively, you could create a new IAM Role and assign exactly the same permissions to that Role. You would also need to assign a Trust Policy to the role to permit it to be used by you (your IAM User). You can then switch to that role in the console. This will work, unless you have any policies that specifically reference the User you wish to test (which will not recognise your Role permissions).
The best way to do this is fully log out of the AWS console. Or you can use a different browser so you can be logged into both at the same time.