I have another PC which has AWS CLI setup. I can still access the account and when I do aws s3 ls it lists all the buckets that I have. However, this is not connected to my current AWS root account. I don't know which account this AWS CLI credential belong to
Is there any possible way to recover or a hint so I can get the email address of the root account this CLI profile associated with?
I have tried aws sts get-caller-identity but I can't still figure out what my root email is
Edit: I found a user that I can sign in to the web console, but is there any way to recover the root's email address?
I have tried live chat with AWS billing and account, but they are unable to help.
In summary my situation is:
I have an account with access to AWS CLI and web console
This account is not the root account
How can I recover my root account?
If your AWS accounts are attached to an AWS Organisation, you can also see the aws root email address in the OU screen in the tree view:
https://us-east-1.console.aws.amazon.com/organizations/v2/home/accounts
This should list the root email of all of your Organisations associated accounts.
you can recover the root email, by creating an Organization if the account is not in Organization yet.
it will show the account's root email then in the Organization interface.
You can get the account id of your credentials with STS.
With AWS IAM CLI you can get the users which you can try to login with. It might be that a email address is used as username
To answer my own question, no it is not possible to recover the email of the root account for security reason
Not even AWS account support is able to help. I'm not sure if it can be escalated somewhere, but I can imagine the process will not be straightforward and taking into account it's a personal account, I don't think it's worth it
So my advice to those having the same question:
If you have a non root user with admin privilege, disable all running services to avoid incurring future charges
simply create a new account
I know it's not the ideal solution, but I don't think there's any other way
Related
I have total 600 users in the aws congnito user pool in my old aws account , and i want to move/migrate all the users to my new aws account. It is possible to migrate aws congnito users from one aws account to another.
Please Help Me.
I checked through every document linked to Congnito, but I was unable to find a document for moving Congnito users between AWS accounts.
You should consider to use cognito-backup-restore npm tool. It's easy to use and oriented to What you require, but there are some important points to take into account:
You need the AWS CLI and security credentials installed and well configured locally, preferably use IAM roles to access Cognito.
You're backing up users from Cognito user pool to a JSON file locally, so do it in a safe environment and remove the file after restoring the backup.
There is no way of getting passwords of the users in Cognito, so you may need to ask them to make use of ForgotPassword to recover their account.
I want to use aws s3 on my laravel project , for this i created a bucket on s3 and also created IAMUSER and give it "S3FullAccess" permission but it create user with some error, access_key not created...
I use my vocareum account credentails (found on Account details button) but laravel gives an error "Invalid access token".
please help...
e
On AWS Educate Starter Account you can't create access keys for IAM users. From their docs:
You can create users, but cannot associate login profile or access keys for them
The AWS Educate accounts have a lot of limitations and they just barely allow to do what you need to do in your classrooms.
It appears that the user you are logging into AWS as is not an administrator user, or certainly lacks some administration permissions.
I'm not familiar with Vocareum but it seems to be some sort of learning management system - I presume you are using an AWS account that they control, which would explain the lack of privileges. If that is the case, and it is their AWS account that you are accessing, then you will need to raise a support case with them.
If this is your account, and you created this user, then you need to log into the account as the root user you created when you configured your AWS account and use it to create an access key for this current user.
I am trying to find a api to know the cloud account owner email address in case of aws cloud account . can some one help ? i see a api for the case where account belongs to aws organisation , my requirement is ,I need the api for stand alone aws accounts , any help is highly appreciated.
Currently it's not possible to use programmatic methods to access email address of Root user of a standalone AWS account. You must log in to the console using Root credentials to view or update the email address.
Can someone help me to understand about service accounts ? how can we check using AWS CLI?
Here is the description from the official documentation:
An IAM user is a resource in IAM that has associated credentials and
permissions. An IAM user can represent a person or an application that
uses its credentials to make AWS requests. This is typically referred
to as a service account.
Here is the sample code
import boto3
client = boto3.client('iam',aws_access_key_id="XXX",aws_secret_access_key="XXX")
users = client.list_users()
for key in users['Users']:
print key['UserName']
The notion of a 'service account' is not an AWS thing. In IT generally, it's a user account specifically set up with long-term credentials that a server can use (as opposed to a person).
This is a bad thing. You don't ever want long-term credentials on your servers (and certainly not in your code or configuration). You should use auto-rotating credentials, such as available via IAM roles.
The following snippet is from AWS docs, if sharing credentials is not the right way. Does it involve additional charges for adding IAM to support multiple developers.
Without IAM, if you want to enable other users to access your AWS
resources, the only way is to share your AWS account credentials. We
do not recommend this approach. Your account credentials enable access
to all AWS resources associated with your account, including your
billing information. For this reasons, we recommend that you never
share your AWS account credentials.
There is no additional charge for IAM service. Please see following link: http://aws.amazon.com/iam/#pricing
To confirm it once again, you can check AWS monthly calculator at following link:
http://calculator.s3.amazonaws.com/calc5.html. I don't see any charges for IAM service at here as well.
What that text is explain is that any user who has access to your account email login can change ANYTHING on your account. They could change your password and lock you out. There's no easy way to recover your account. A person from the billing department could accidentally or maliciously terminate your servers or delete S3 data. They're warning you that its not a good idea to give anyone but yourself access to the email login.
With IAM you can enable almost all the permissions that the email login has. The exceptions are changing the account credentials and personal information. Each user will be provided with their own username and password for access to the console and can be assigned a new set of Access Keys or x509 certificates if required.
There's no cost or downside to using IAM and its highly recommend for security reasons.