Steps I am following:
I first created an IAM user.
We have the same user in the default namespace:
aws quicksight register-user --namespace default --identity-type QUICKSIGHT --user-role ADMIN --region us-east-1 --email=jill#foocompany.com --user-name jill --aws-account-id 163
Created a custom namespace:
aws quicksight create-namespace --aws-account-id 163 --namespace FooCompanyNamespace --identity-store QUICKSIGHT
Registered a user with IAM in the custom namespace:
aws quicksight register-user --namespace FooCompanyNamespace --identity-type QUICKSIGHT --user-role AUTHOR --region us-east-1 --email=jill#foocompany.com --user-name jill --aws-account-id 163
After registering this user in the custom namespace, we are not able to access QuickSight using the QuickSight account name as the custom namespace (FooCompanyNamespace). We are only able to log in to the default namespace.
Main question:
Should the IAM user be different for each user, or can the IAM user be the same for a single user across 2 namespaces?
We get a "created" message, but we are not able to log in to the custom namespace, and when we check using the CLI the user is registered.
We want to achieve multitenancy in AWS QuickSight such that there are two namespaces, namespace1 and namespace2. We want user1 to be able to log in to namespace1 with admin access, and the same user to log in to namespace2 with reader access. Please suggest the correct way to achieve multitenancy.
We have SSO configured in the main AWS account and we log in to the child AWS account using that SSO link. Now we have created an EKS cluster in the child account but we are not able to view the Node and other resources due to aws-auth config settings. How to check the current role we have assumed in the child account so that we can update the same in the aws-auth configmap of the EKS cluster so that we would be able to see them?
Use the aws cli,
aws sts get-caller-identity --profile <profileName>
will return the assumed role in the form of
"arn:aws:sts:AccountId:assumed-role/RoleName/SSOemail"
and pass RoleName in the --role-name parameter as shown below; this should give you what you ask for.
aws iam get-role --role-name RoleName --profile profileName
Adding some additional info on setting up SSO login from your localhost using the AWS CLI: essentially you just need the AWS CLI and a config file with the entries below. You can create the config file on your host and then point the CLI at it using an environment variable.
Config file:
[default]
region = region
output = yaml
[profile myProfileName]
sso_start_url =
sso_region =
sso_account_id =
sso_role_name =
region =
output = json
and set an environment variable to the path of the file that holds the profiles:
AWS_CONFIG_FILE=/path/to/the/config/file
then you can log in to your account using
aws sso login --profile myProfileName
and then you will be able to execute the above commands. This is a very neat way to manage and troubleshoot your organization's accounts from a single point.
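The step the answer leaves to the reader is turning the `get-caller-identity` ARN into the `rolearn` that the aws-auth ConfigMap wants. The helper below is an added example, not part of the answer: it parses an STS assumed-role ARN (the real format has an empty region field, so two colons precede the account ID), derives the IAM role ARN, and renders a `mapRoles` entry. The sample ARN, account ID, permission-set name, username template and the `eks-read-only` group are constructed placeholders; the group must already be bound to a (Cluster)Role via RBAC for the mapping to show you nodes.

```python
"""Turn the ARN from `aws sts get-caller-identity` for an SSO session into the
IAM role ARN an EKS aws-auth mapRoles entry needs.

Added example, not from the original answer. The sample ARN, account ID,
permission-set name and group names below are constructed placeholders.
"""
import re

# Assumed-role ARNs have an empty region field, hence "sts::" with two colons:
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[\w+=,.@-]+)/(?P<session>[^/]+)$"
)


def parse_assumed_role_arn(arn):
    """Split an STS assumed-role ARN into its parts and derive the IAM role ARN.

    Raises ValueError for anything that is not an assumed-role ARN (an IAM user
    ARN, for example, belongs in mapUsers rather than mapRoles).
    """
    m = ASSUMED_ROLE_RE.match(arn.strip())
    if not m:
        raise ValueError("not an STS assumed-role ARN: %r" % arn)
    parts = m.groupdict()
    # aws-auth needs the role ARN *without* any IAM path. IAM Identity Center
    # roles really live under /aws-reserved/sso.amazonaws.com/..., which
    # `aws iam get-role` shows, but the ARN you map must omit that path.
    parts["role_arn"] = "arn:%s:iam::%s:role/%s" % (
        parts["partition"], parts["account"], parts["role"]
    )
    return parts


def aws_auth_map_roles_entry(arn, username, groups):
    """Render one mapRoles entry for the aws-auth ConfigMap as a YAML list item.

    Map to a group with a narrow RBAC binding (here the constructed
    `eks-read-only`) rather than to system:masters unless you really want
    every SSO user on that permission set to be cluster admin.
    """
    info = parse_assumed_role_arn(arn)
    lines = [
        "- rolearn: %s" % info["role_arn"],
        "  username: %s" % username,
        "  groups:",
    ]
    lines.extend("    - %s" % g for g in groups)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample of what get-caller-identity returns for an SSO session.
    sample = ("arn:aws:sts::123456789012:assumed-role/"
              "AWSReservedSSO_AdministratorAccess_0123456789abcdef/jane@example.com")
    # {{SessionName}} is an aws-auth template that expands to the session name.
    print(aws_auth_map_roles_entry(sample, "sso-admin:{{SessionName}}", ["eks-read-only"]))
```

Paste the printed item under `mapRoles` in `kubectl -n kube-system edit configmap aws-auth`. Note that `aws iam get-role` will show the SSO role with a path; the ConfigMap entry must use the path-less ARN this helper produces.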
We use the "aws-azure-login" tool to provide SSO login to the AWS console. Currently our team has multiple roles across multiple profiles.
Below is a sample config:
[default]
region=eu-west-1
azure_tenant_id=xxxxxxxx
azure_app_id_uri=https://signin.aws.amazon.com/saml
azure_default_username=my_email_or_id
azure_default_role_arn=
azure_default_duration_hours=12
azure_default_remember_me=true
[profile dev-role-admin]
region=eu-west-1
source_profile=default
role_arn=arn:aws:iam::1234556789:role/my-dev-role-admin
color=ffd600
But when we log in with
aws-azure-login --profile dev-role-admin
The output is below:
Using AWS SAML endpoint https://signin.aws.amazon.com/saml
Role: (Use arrow keys)
> arn:aws:iam::12345568898:role/DEV_AWS_dev_AppCreator
arn:aws:iam::12345568898:role/DEV_AWS_prod_AppCreator
arn:aws:iam::12345568898:role/DEV_AWS_dev_ReadOnly
arn:aws:iam::12345568898:role/DEV_AWS_dev_Executor
.... about 60+ entries
The prompt comes with around 60+ roles across various AWS accounts, and it's quite hard to navigate them using the arrow keys.
So, just checking: is there any way we can pass the relevant role into the CLI command?
Ideally something like below:
aws-azure-login --profile dev-role-admin --role arn:aws:iam::12345568898:role/DEV_AWS_dev_ReadOnly
How to use CloudTrail to find out who created an IAM user, and how to get this from the logs?
If the IAM user was created inside the last 90 days, you can find who created the user using CloudTrail Event history.
Using the AWS CLI:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser --region us-east-1
Using the Console: go to Event history in the CloudTrail service and choose the Event name filter with a value of CreateUser. You have to use the region us-east-1 to view the events.
If the IAM user was created outside the 90-day time window, you can still find out who created the user if you have a trail enabled in CloudTrail. You can use Amazon Athena or some other method to search the log files created by CloudTrail in S3.
References:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-cli.html (Note the disclaimer for global services post November 22, 2021)
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html
https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html
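Whether the events come from `lookup-events` or from the trail's log files in S3, attributing a CreateUser call means reading the same record fields. The script below is an added example, not part of the answer above: it accepts either shape (the `Records` array of a log file, or the `Events` array from `lookup-events`, where each record is a JSON string in `CloudTrailEvent`), keeps only successful IAM `CreateUser` calls, and reports the calling identity, the role behind an assumed-role session, and the source IP. The sample records, account ID, names and IPs are constructed.

```python
"""Attribute IAM CreateUser calls from CloudTrail data.

Added example, not from the original answer. Handles two input shapes:
the `Records` array of a CloudTrail log file delivered to S3, and the `Events`
array returned by `aws cloudtrail lookup-events`, where each event carries the
full record as a JSON string in `CloudTrailEvent`. All sample records, account
IDs, names and IP addresses below are constructed.
"""
import json


def iter_records(doc):
    """Yield raw CloudTrail records from either input shape."""
    for rec in doc.get("Records", []):
        yield rec
    for ev in doc.get("Events", []):
        yield json.loads(ev["CloudTrailEvent"])


def who_created_users(doc):
    """Return one dict per successful IAM CreateUser call.

    Failed attempts carry an errorCode (for example AccessDenied) and are
    skipped because they created nothing, although a burst of them from one
    principal is itself worth a look.
    """
    found = []
    for rec in iter_records(doc):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateUser" or "errorCode" in rec:
            continue
        ident = rec.get("userIdentity", {})
        # For AssumedRole sessions userIdentity.arn names the session; the IAM
        # role that was assumed is in sessionContext.sessionIssuer.
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        found.append({
            "created_user": rec.get("requestParameters", {}).get("userName"),
            "by_arn": ident.get("arn"),
            "by_type": ident.get("type"),
            "via_role": issuer.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "event_time": rec.get("eventTime"),
            "region": rec.get("awsRegion"),
        })
    return found


# Constructed sample in the S3 log-file shape: one real creation, one denied
# attempt, and an unrelated GetUser call.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2023-05-01T12:34:56Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/AdminRole"}}},
     "requestParameters": {"userName": "new-svc-user"}},
    {"eventTime": "2023-05-01T12:40:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "backdoor"}},
    {"eventTime": "2023-05-01T12:41:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "new-svc-user"}},
]}

# The same first record in the shape `aws cloudtrail lookup-events` returns.
SAMPLE_LOOKUP = {"Events": [
    {"EventName": "CreateUser", "Username": "alice",
     "CloudTrailEvent": json.dumps(SAMPLE_LOG["Records"][0])},
]}

if __name__ == "__main__":
    for hit in who_created_users(SAMPLE_LOG):
        print(json.dumps(hit, indent=2))
```

For the S3 path, feed each gunzipped log file to `who_created_users(json.load(f))`; the Athena table from the referenced guide exposes the same fields (`eventname`, `useridentity.arn`, `requestparameters`) if you would rather query than script.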
I want to fully automate the creation of new roles in AWS and connect them with Snowflake. To connect Snowflake with AWS we must edit the trust relationship and paste their STORAGE_AWS_EXTERNAL_ID.
Is there any way to do this fully automated?
How about creating a batch script using the AWS CLI and SnowSQL, following the steps provided in the Snowflake user guide:
Create your AWS IAM policy and get your policy's arn
Create an AWS IAM role linked to this policy and get the role's arn
Create the snowflake storage integration linked to this role and get STORAGE_AWS_IAM_USER_ARN and STORAGE_AWS_EXTERNAL_ID from DESC INTEGRATION command.
Update the AWS IAM policy with the previous values (i.e. Snowflake's user ARN and external ID).
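The part of that script most worth getting right is the trust relationship itself, since the external ID is what keeps another Snowflake account (which shares the same Snowflake-side IAM user) from assuming your role. The following is an added example, not code from the answer or from Snowflake: it builds the trust policy from the two values `DESC INTEGRATION` returns and checks a policy for the two mistakes that creep into automation, a missing `sts:ExternalId` condition and a wildcard principal. The user ARN, external ID and role name are constructed placeholders in the shape Snowflake shows.

```python
"""Build and sanity-check the IAM role trust policy a Snowflake storage
integration requires.

Added example, not from the original answer or from Snowflake. The Snowflake
user ARN and external ID below are constructed placeholders in the shape that
DESC INTEGRATION returns; the function names are this example's own.
"""
import json


def build_snowflake_trust_policy(snowflake_user_arn, external_id):
    """Trust policy that lets only Snowflake's IAM user assume the role, and
    only when it presents this integration's external ID (the confused-deputy
    check: without it any Snowflake account could assume your role)."""
    if not snowflake_user_arn.startswith("arn:aws:iam::") or ":user/" not in snowflake_user_arn:
        raise ValueError("expected Snowflake's IAM user ARN, got %r" % snowflake_user_arn)
    if not external_id:
        raise ValueError("STORAGE_AWS_EXTERNAL_ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": snowflake_user_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy):
    """Return findings for a trust policy; an empty list means it is safe to
    apply. Flags Allow statements without an sts:ExternalId condition and
    statements with a wildcard principal."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("statement %d: wildcard principal" % i)
        cond = st.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            problems.append("statement %d: no sts:ExternalId condition" % i)
    return problems


def render_for_cli(policy):
    """JSON text to save as trust.json for
    `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed values in the shape DESC INTEGRATION prints.
    snowflake_user = "arn:aws:iam::111122223333:user/abcd-s-ssca1234"
    external_id = "ABC12345_SFCRole=1_abcdefghijklmnopqrstuvwxyz="
    policy = build_snowflake_trust_policy(snowflake_user, external_id)
    if trust_policy_problems(policy):
        raise SystemExit("refusing to apply: %s" % trust_policy_problems(policy))
    print(render_for_cli(policy))
```

The role has to exist before `CREATE STORAGE INTEGRATION` can reference its ARN, yet its final trust policy needs values that only exist after the integration does, which is why the answer's order (create role, create integration, then update the trust relationship) is the one to script; create the role with a placeholder trust policy that trusts only your own account, then replace it with the output above.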
I want an AWS master account where I can manage other AWS accounts/IAM users. Is this achievable? I tried AWS Organizations, but it does not apply to IAM users (only at the account level). Please help.
You could create a custom role in any account that you have, and then use the AWS API to assume this role from a script.
For example, you create the role custom_role in every account that you own.
Then you use the AWS SDK or CLI to assume the role.
Configure the role in a credentials profile:
[profile custom_role]
role_arn = arn:aws:iam::123456789012:role/custom_role
source_profile = default
Use the AWS API to create a user in the other account:
aws iam create-user --user-name user_test --profile custom_role
You could do the same thing through the AWS SDK (like boto3 in Python). If you want to manage all accounts, you could develop a script that automates that work.
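With more than a couple of member accounts, the profile block above is worth generating rather than hand-editing. The script below is an added example, not part of the answer: it merges one `[profile <name>]` per member account into an existing AWS CLI config, all assuming the same role through one source profile, and sets `role_session_name` so each session shows up under a fixed name in the member account's CloudTrail, with `mfa_serial` optional so the CLI prompts for MFA before `AssumeRole` (the role's trust policy can then require `aws:MultiFactorAuthPresent`). The account IDs, role name, MFA device ARN and profile names are constructed placeholders.

```python
"""Generate or extend an AWS CLI config with one assume-role profile per
member account.

Added example, not from the original answer. Account IDs, the role name, the
MFA device ARN and profile names are constructed placeholders.
"""
import configparser
import io


def merge_assume_role_profiles(existing_config, accounts, role_name,
                               source_profile="default", mfa_serial=None):
    """Return AWS CLI config text: `existing_config` plus a
    `[profile <name>]` section for each entry of `accounts` ({name: account_id}).

    Existing sections are kept; a profile with the same name is replaced, so
    re-running converges. Each profile assumes
    arn:aws:iam::<account>:role/<role_name> with `source_profile`'s
    credentials. role_session_name gives the session a fixed, greppable name
    in the member account's CloudTrail; mfa_serial makes the CLI ask for an
    MFA code before calling AssumeRole.
    """
    cp = configparser.ConfigParser()
    cp.read_string(existing_config)
    for name, account_id in sorted(accounts.items()):
        if not (account_id.isdigit() and len(account_id) == 12):
            raise ValueError("%r: %r is not a 12-digit account ID" % (name, account_id))
        section = "profile %s" % name
        cp[section] = {
            "role_arn": "arn:aws:iam::%s:role/%s" % (account_id, role_name),
            "source_profile": source_profile,
            "role_session_name": "%s-via-%s" % (name, source_profile),
        }
        if mfa_serial:
            cp[section]["mfa_serial"] = mfa_serial
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def profile_for(config_text, name):
    """Read one profile back out of the generated text as a plain dict."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return dict(cp["profile %s" % name])


# Constructed input: a config holding only the source profile.
EXISTING = "[default]\nregion = us-east-1\noutput = json\n"
MEMBER_ACCOUNTS = {"dev": "111111111111", "prod": "222222222222"}

if __name__ == "__main__":
    text = merge_assume_role_profiles(
        EXISTING, MEMBER_ACCOUNTS, "custom_role",
        mfa_serial="arn:aws:iam::999999999999:mfa/admin")
    print(text)
    # then, per account: aws iam create-user --user-name user_test --profile dev
```

Write the result to the file named by `AWS_CONFIG_FILE` (or `~/.aws/config`) and every `--profile <name>` will assume the matching account's role; `custom_role`'s trust policy in each member account must allow the master account's principal to assume it.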