I have SSO configured for my AWS organizational accounts. Have created two accounts(one is dev and the other is prod). How do i restrict AWS CLI Access for my prod accounts SSO users. Tried looking up in their documentation, but couldn't find any.
Can someone help me?
The AWS Command-Line Interface (CLI) can be configured to connect via SSO and assume an IAM Role. It can then be used to make API calls according to the permissions in the chosen IAM Role.
It is not possible to 'restrict' the AWS CLI. Instead, you would restrict the permissions in the IAM Role that is being used.
See: Configuring the AWS CLI to use AWS Single Sign-On - AWS Command Line Interface
Related
I have multiple roles in AWS and have to switch between them multiple times a day.
Can you please suggest a good solution without doing the entire authentication cycle?
You can store multiple roles in the ~/.aws/credentials file. These can be activated via the AWS CLI by using --profile.
You can also put roles in specific profiles and the AWS CLI will assume them from a base set of credentials.
See:
Configuration and Credential File Settings - AWS Command Line Interface
Using an IAM Role in the AWS CLI - AWS Command Line Interface
I want to run a python project on AWS lambda, but the API (STS:AssumeRole to generate federation URL) which I am trying to call only supports as an IAM user with long-term credentials. It is working on my machine with my IAM keys, but how can I make it run on AWS lambda?
You need to create a role that has similar permissions like your local user. And you can attach the role to your lambda to utilize the STS service.
I want a run a python boto3 scrip from my local machine using Pycharm. I am having config file setup in my machine that contains different roles based on the accounts. Say for example I want to execute the scrip using dev-power user that is included in the config file. But I am getting the below error:
"botocore.exceptions.NoCredentialsError: Unable to locate credentials"
Could you please let me know the process by which I can do this from local IDE?
You cannot use IAM Role to access AWS services from your development environment. An IAM Role can only be attached to an IAM User or an AWS service and cannot be used for programmatic access.
For programmatic access to different AWS services you will need to create an IAM User which will have access to required services or has a role attached to it with specific policies.
Reference :
AWS IAM Roles
AWS IAM Users
IAM User provides "access-key" and "secrete-key" which can be configured on your machine to access the services from your development environment.
Reference :
AWS Access Credentials
Setting up your AWS credentials
I have an AWS root account and I created a IAM user with Administrator policy attached. The problem is that when I make some operations like aws ec2 create-key-pair in the aws-cli, I got UnauthorizedOperation error. But if I sign into the management console using the same IAM user, I can create a key pair with no problem.
I double checked my access key id and secret access key is right. I even re-created these and configured in aws-cli to make sure I am using that user account with admin permissions. None of these worked
Is there any setting I'm not aware of that enables aws-cli access permissions?
=============== below is latest update ================
I checked my user info with aws sts get-caller-identify, and it shows my company's account id. I tried to run aws configure again and followed by aws sts get-caller-identity, it still shows that im using my company's account. How do I switch user from CLI?
In case this helps anyone, the issue for me was that my AWS account used MFA. I never considered you'd have to do this on the command-line too. Here is a guide from Amazon on the subject:
How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
This is an incredibly big pot hole to step into... but there is a precedence of where aws cli looks for credentials.
IAM credentials not found on AWS CLI
The answer of the question here explains it throughly.
I'm new to programming. I need to figure out how I can create AWS users, roles and policies programmatically using code.
That task I'm after :
Create a User, Role and Policy
Assign Policy to the Role
Assign Role to the User
Set condition on the Role, that only Users with MFA can assume that Role
Config's should live in S3 bucket
configure a LAMBDA to check the user's role membership and output the result to S3 bucket.
Just trying to figure out where do I start from ? I have a very limited programming experience (can do a bit of PHP).
I have a AWS account, created a user and gave him 'AdministratorAccess' also have user keys for CLI access.
Should I be suing 1)AWS CLI 2) Powershell 3) AWS SDK's 4) AWS API?
Appreciate any help/direction to achieve the above.
Thanks
S
To programmatically create IAM Roles you can use AWS PHP SDK. Refer the IAM Create User section in SDK API reference for more details.
Aside from using specific language AWS SDKs such as suggested by #Ashan, you can do so by using AWS REST API with the following example request:
https://iam.amazonaws.com/?Action=CreateUser
&Path=/division_abc/subdivision_xyz/
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Source - CreateUser