So, I am working on a project where I will need to use tons of services that AWS has to offer, like S3, EC2, Route53, Textract, RDS and some more. However, during the course of the project, I am going to be collaborating on the project with my team.
I know I would set up an IAM user for everyone on the team. But how do I ensure that everyone has access to the services mentioned above so that we can work on the project together?
Great question. Make sure you have one root account and enable MFA on it. Then go to IAM and create a user yourself. Try to change the 12321312.signin.aws.com link to yourTeamName.signin.aws.com for easy logins too.
Once you create a user for yourself, go to the side menu in IAM and click Groups. Create a new group called "admins". Click Next and then attach the AdministratorAccess policy. Then click Next and save it. Then click on your group, click "Add users to group" and select the user account you just made for yourself.
Now, log out of the root account and log into your name@projectNameRootAccount, and you can do everything that you did on your root. The only difference is you are not coding on your root and it is safe from hackers.
Next... to make it extremely simple... you could just create a user under IAM for each of them and add them to your admins group.
Best practice would be to give them fewer privileges, but if it is an informal thing... not a big deal. I would consider clicking on their IAM names from time to time and clicking on the Access Advisor tab to see what services they are actually using. If they are only using "dev" type things, you can see that pretty clearly within a week or so, and then you can go and create a new group for "devs" and just give them the policies you see under Access Advisor (when you click on their IAM name).
Then you can take them out of the admins group and give them the access that they truly need.
Thanks and good luck with AWS. It can be complicated haha.
Related
I have used Google Cloud for a while for my own projects. But this time I would like to deploy one of my customer's projects to it. What is the best way to manage the fees?
Creating the project in my GC account and granting access to the customer to see the fees and send them invoices.
Creating the project in my GC account and somehow setting their billing account on my project.
Creating the project in their GC account and asking for permissions to manage it.
Something else.
Which one is the correct solution, or what do you use? If the second solution is the right one, how can I achieve it?
Thank you!
Let's review each option and consider everything from both you as the developer and the client who owns (pays for) the project. Think security and responsibility (legal, financial and ethical) when making these decisions.
Option 1:
Creating the project in my GC account and granting access to the customer to see the fees and send them invoices.
I would create a separate project for this customer and not mix their work into a project that has your own work. Granting the customer access to the billing information for a mixed account and then trying to separate items might take more time than it is worth. I don't recommend this method.
Option 2:
Creating the project in my GC account and somehow setting their billing account on my project.
The customer will need to grant you access to their billing account, which I do not recommend. I would not grant access to my billing account to a third party. They could attach any project they want and I would get the bill. I don't recommend this method.
Option 3:
Creating the project in their GC account and asking for permissions to manage it.
This is the best option. The project and billing are under the client's control, and the client grants the required permission, such as Project Editor, to your user identity. Project ownership and billing responsibility remain with the client, and the client can grant and remove your access at any time, easily, without a ripple effect of additional work.
This all depends on your preference; however, I would go with the second one. You can create the project for them, and they can create the billing account. You can then modify the billing account on the project you created by following the steps over here.
Nevertheless, as I mentioned this is all your preference so you can use any of the other approaches you mentioned too.
Hope you find this useful.
I lost my access to my VM instances. I am a student at the University of Melbourne, thus I tried to use GCP with my Google account provided by the university (***@student.unimelb.edu.au).
I created my VM instances and I am still able to SSH to my VM; however, I lost my access to it via the GCP Dashboard. And here is the error code:
You are missing at least one of the following required permissions:
Project
resourcemanager.projects.get
And when I checked API with troubleshooter, it says
You do not have the required permissions to make this request. Please contact your organization administrator.
I don't think I have done anything concerning administrative problems, why did I lose control of my instances?
Your permissions have been limited. As the message says, try to contact your university administrator to know more. If your project is billed to the university, the university is the organisation admin and can do anything on its own domain.
Did your VM respect the rules of your university? What was its size? Were you mining on it? Did you install unauthorized software? At the administration level, Google provides a lot of metrics and alerts about abnormal resource usage. Maybe you broke a rule.
Are you sure you had permission to view the instance before creating it?
With the error you are talking about, maybe you didn't have access from the start. You would have been given access to create VMs, but not to list them. I found the access control of GCP very complex: you can have access to many things through the CLI, but to get the same through the console you need to be granted more access.
Ask your admin to give your account one of the Viewer, Editor or maybe Browser roles from here:
https://cloud.google.com/resource-manager/docs/access-control-proj
Or maybe, as guillaume suggested, you might have broken a rule ;)
I have been messing around with Amazon Web Services (AWS) with one single account for quite a while. I created and removed several EC2 instances, Lambda functions, NAT gateways, etc.
Through all of that, I created too many new roles and now, after settling things down, I have ended up with a garbage heap of IAM roles; there are many of them.
To clean up, I want to find the roles that are not attached to any kind of item, resource or user (or idle for a period, maybe, etc.) and remove them.
I searched the net, but generally there are docs on reducing the permissions of a particular role, which is fine but not what I want.
Log in to the AWS Management Console
Select your IAM role
Click the "Access Advisor" tab
The contents of this tab will display the last access time for each of the various services (S3, EC2, etc.)
Delete the role based on the last access time. Active roles should usually show recent access time
To be able to do it programmatically, see https://stackoverflow.com/a/46815052/7983309
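A scripted version of the Access Advisor check in the answer above, added here as an example rather than code from the thread. It reads the RoleLastUsed block that iam:GetRole returns (the same last-accessed signal the console tab shows; ListRoles omits it, so the live helper calls GetRole per role), skips service-linked roles, and lists roles unused for an assumed 90-day threshold. The sample roles are constructed so the filter runs offline; fetch_roles() needs boto3 and credentials.

```python
"""Find IAM roles that look unused, from the RoleLastUsed data that
iam:GetRole returns (the same 'last accessed' signal the console's Access
Advisor tab shows). The filter is pure Python so it runs offline on the
constructed sample below; fetch_roles() is the live boto3 variant."""
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90  # assumed threshold; choose what fits your environment


def fetch_roles():
    """Live variant (not run offline): page through ListRoles, then GetRole
    per role, because ListRoles omits RoleLastUsed from its output."""
    import boto3  # imported lazily so the rest of the module works without it
    iam = boto3.client("iam")
    roles = []
    for page in iam.get_paginator("list_roles").paginate():
        for summary in page["Roles"]:
            roles.append(iam.get_role(RoleName=summary["RoleName"])["Role"])
    return roles


def stale_roles(roles, now=None, stale_days=STALE_DAYS):
    """Return (role_name, reason) pairs for roles a human should review.

    Rules:
      * service-linked roles (path /aws-service-role/...) are skipped: AWS
        manages them and DeleteRole refuses them anyway
      * no LastUsedDate and created before the cutoff -> candidate
      * LastUsedDate before the cutoff -> candidate
    Caveat: IAM keeps last-used data only for a limited window (about 400
    days), so treat this as a review list, not a delete list."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=stale_days)
    candidates = []
    for role in roles:
        if role.get("Path", "/").startswith("/aws-service-role/"):
            continue
        last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
        if last_used is None:
            if role["CreateDate"] < cutoff:
                candidates.append((role["RoleName"], "never used since creation"))
        elif last_used < cutoff:
            candidates.append((role["RoleName"], f"last used {last_used.date()}"))
    return candidates


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
# Constructed sample in the shape GetRole returns (only the keys used here).
SAMPLE_ROLES = [
    {"RoleName": "lambda-thumbnailer", "Path": "/",
     "CreateDate": NOW - timedelta(days=400),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=2), "Region": "eu-west-1"}},
    {"RoleName": "old-nat-gw-experiment", "Path": "/",
     "CreateDate": NOW - timedelta(days=300),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=200), "Region": "us-east-1"}},
    {"RoleName": "never-assumed", "Path": "/",
     "CreateDate": NOW - timedelta(days=120), "RoleLastUsed": {}},
    {"RoleName": "new-ec2-role", "Path": "/",
     "CreateDate": NOW - timedelta(days=5), "RoleLastUsed": {}},
    {"RoleName": "AWSServiceRoleForSupport",
     "Path": "/aws-service-role/support.amazonaws.com/",
     "CreateDate": NOW - timedelta(days=700), "RoleLastUsed": {}},
]

if __name__ == "__main__":
    for name, reason in stale_roles(SAMPLE_ROLES, now=NOW):
        print(f"{name}: {reason}")
```

A role created five days ago with no use yet is deliberately not flagged; only roles that have had the whole window to be used and were not end up on the list.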
I'm currently creating an open source web interface for a very CPU-intensive task that makes use of other open source projects. Because it is very simple and I want to keep it open source, I don't want to bother with a revenue scheme supporting it. My plan currently is to host the site in an S3 bucket and have some simple Lambda functions managing the delegation of execution to the client's AWS account.
My question is, is it possible to grant access to somebody's AWS account, similar to how it works with OAuth 2.0? In an ideal world, I'd like them to see a big "authorize" button redirecting them to AWS, listing the permissions and having confirm or deny buttons. Trust issues aside, this is the only resource I could find and it looks quite cumbersome for somebody to authorize my app, which in essence will only perform computations on their AWS EC2 account.
Actually, cross-account access using IAM roles is absolutely the best way to do this. The docs have all the info you would need. It can be very simple for your user. The setup instructions for Spotinst, a third-party AWS service provider, demonstrate how simple it can be. They have it in four steps:
Connect Spotinst to your Cloud Provider:
Click on the "Open template in CloudFormation" button and follow the instructions. Make sure not to refresh or leave this page until you save your credentials.
Paste the Role ARN that was created.
Click on the "Connect account" button.
If you try it out, I think you'll find it to be even easier than adding OAuth to your service.
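The Spotinst-style hand-off in code, added here as an example (not Spotinst's or the poster's code): the customer's role trusts your account and requires an ExternalId, which is what stops a confused-deputy attack where a different customer pastes someone else's Role ARN into your app. The account ID, external-id length and the EC2 action list are assumptions; check_trust_policy() runs offline, while assume_role_session() needs boto3 and the customer's real Role ARN.

```python
"""Cross-account access the way a third-party service does it: the customer
creates a role in THEIR account that trusts YOUR account and requires an
ExternalId, then pastes the Role ARN into your app. check_trust_policy() is
what your side runs on a policy before storing that ARN; assume_role_session()
is the live STS call (needs boto3 and real credentials)."""
import json
import secrets

PROVIDER_ACCOUNT_ID = "123456789012"  # assumed: the account your Lambda runs in


def new_external_id():
    """One secret per customer, generated by you and shown to them once.
    It is not a credential; it is a claim check against the confused deputy."""
    return secrets.token_urlsafe(24)


def trust_policy(provider_account_id, external_id):
    """Trust policy for the customer's role (what your CloudFormation template would carry)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{provider_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy():
    """Permissions for 'only performs computations on their EC2': a scoped action
    list (assumed), not AdministratorAccess. Trim it to what the app really calls."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "ec2:TerminateInstances",
                       "ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, provider_account_id):
    """Return the list of problems with a trust policy; empty means acceptable."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws_principals = [] if principal in (None, "*") else _as_list(principal.get("AWS", []))
        if principal == "*" or "*" in aws_principals:
            problems.append("trusts every AWS account (Principal *)")
        if not all(f":{provider_account_id}:" in p for p in aws_principals if p != "*"):
            problems.append("trusts a principal outside the provider account")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            problems.append("no sts:ExternalId condition: any customer could hand you this ARN")
    return problems


def assume_role_session(role_arn, external_id, session_name="compute-app"):
    """Live variant (not run offline): your account assumes the customer's role."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name,
        ExternalId=external_id, DurationSeconds=3600)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])


if __name__ == "__main__":
    ext = new_external_id()
    policy = trust_policy(PROVIDER_ACCOUNT_ID, ext)
    print(json.dumps(policy, indent=2))
    print("problems:", check_trust_policy(policy, PROVIDER_ACCOUNT_ID))
```

Store the external ID alongside the customer's Role ARN and always pass both to AssumeRole; if a customer's role lacks the condition, refuse to connect rather than silently working, because a role that works without an ExternalId can be pointed at your app by anyone who learns its ARN.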
Is it possible to grant logina@foo.com full access to all services in loginb@foo.com for AWS? I have a couple of different folks working on my team and I wanted to make it easy for them to do what they need to do in our sandbox.
Thanks!
If you are using something@foo.com to log into your AWS account, you need to stop doing that right now and set up an IAM (Identity and Access Management) account instead.
There is a best practices document here - you want to look at the section under "Manage AWS Accounts, IAM Users, Groups, and Roles" - but in a nutshell:
Use two-factor authentication on the root account.
Create IAM accounts for daily use. If you grant admin access to an IAM account, it should probably be set up with two-factor authentication as well.
Turn on CloudTrail. Yes, it will cost you a few cents a month. But if you ever need it, you'll really, really wish you had it.
Never, ever, ever check access keys and secrets into a public repository. (The cost for violating this one will be around $5k/hour.)
Set up a billing alarm. Estimate what you'll be spending a month, and set up alarms at 25%, 50%, 75% and 100%. That way, if something does go wrong (or you accidentally spin up an r3.8xlarge), you'll get a notice quickly.
Every account has only a single 'root', but using Identity and Access Management you can create account users and grant them console login and administrative privileges inside the AWS console.
Look under the Services tab for one named "IAM".
Select 'Users' and press the blue 'Create New Users' button
Add a user login name
Once the user is created:
Select the user and set a password via "Manage Password"; without this they can't log in
Press the 'Permissions' tab for the user and select 'Attach Policy'
Give the user the 'AdministratorAccess' policy.
The user should then be able to log into the AWS console with admin privileges and use the API if they want.
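The console clicks in this answer, together with the "admins" group setup and the later move to a narrower group described in the first thread on this page, as a script; it is an added example, not code from either answer. The IAM client is a parameter so the recording fake at the bottom lets it run offline; with real credentials pass boto3.client("iam"). Group and user names are placeholders.

```python
"""The console steps as a script: an 'admins' group with the AWS managed
AdministratorAccess policy, one user per teammate with a console password
they must change at first login, group membership, and the later move to a
narrower group. The IAM client is a parameter so the recording fake at the
bottom lets everything run offline; with credentials, pass boto3.client("iam")."""
import secrets
import string

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
SYMBOLS = "!@#$%^&*"


def temp_password(length=20):
    """Random first-login password satisfying a mixed-class password policy.
    Hand it over out of band and rely on PasswordResetRequired to retire it."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw))
        if all(classes):
            return pw


def bootstrap_team(iam, group_name, usernames, policy_arn=ADMIN_POLICY_ARN):
    """Create the group once, attach the policy, then create and enrol each user.
    Returns {username: temporary password}; never log or email these in clear.
    Not idempotent: IAM raises EntityAlreadyExists if a name is reused."""
    iam.create_group(GroupName=group_name)
    iam.attach_group_policy(GroupName=group_name, PolicyArn=policy_arn)
    passwords = {}
    for name in usernames:
        iam.create_user(UserName=name)
        passwords[name] = temp_password()
        iam.create_login_profile(UserName=name, Password=passwords[name],
                                 PasswordResetRequired=True)
        iam.add_user_to_group(GroupName=group_name, UserName=name)
    return passwords


def move_user(iam, username, from_group, to_group):
    """Least-privilege follow-up: add to the narrower group first, then remove
    from admins, so the person is never without a group in between."""
    iam.add_user_to_group(GroupName=to_group, UserName=username)
    iam.remove_user_from_group(GroupName=from_group, UserName=username)


class RecordingIAM:
    """Offline stand-in for boto3's IAM client: records (method, kwargs) per call."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {}
        return call


if __name__ == "__main__":
    iam = RecordingIAM()
    bootstrap_team(iam, "admins", ["alice", "bob"])  # placeholder names
    move_user(iam, "bob", "admins", "devs")
    for method, kwargs in iam.calls:
        print(method, {k: ("***" if k == "Password" else v) for k, v in kwargs.items()})
```

Note what the script does not do: it cannot enrol an MFA device for the new user, so after the first login each admin still has to register one (or you enforce it with an IAM policy that denies everything when aws:MultiFactorAuthPresent is false).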