I am totally newbie with AWS, my first project with it.
I was trying to deploy my Django app with Elastic Beanstalk, using CodeCommit, following a tutorial. I was getting an error while trying to connect to the repo. Searching around that error, I got to the conclusion that I probably needed to enable AWSElasticBeanstalkFullAccess policy for my user. However, before doing that I 'detached' the first (and I think the only) policy that I had attached to my account. I think it was 'AdministratorAccess' or something similar (the first option in a large policies list). I just wanted to fit my user to the tasks that would be required and I interpreted that having admin privileges is not safe. Later I read that I should have created a new user with no root privileges, and work with that new user on a daily basis. I promise I will do that the next time.
So I am locked right now. I have just one user with privileges for doing absolutely nothing. I cannot even purchase development support (29$/month), to solve this situation... I don't know what to do. I could forget that account and open a new one, but I think there must be something I could do.
I tried searching for almost 2 hours, but I couldn't find anything that could work for me. I repeat that I am completely newbie on AWS and probably I didn't use the correct words in my searching process.
Any help will be appreciated. Thanks in advance.
Ok, finally solved. I explain.
While following the tutorial, I signed up AWS and created a user called 'username' for the deployment process in Elastic Beanstalk. I thought the user I created following the tutorial was my current user in AWS, but (fortunately) it wasn't.
I logged in with the 'username' user and detached the AdministratorAccess policy from that user, so the user has privileges to do nothing.
After some more reading, I found that if you login to AWS with your email (not the 'username'), you log as the root user. That allowed me to attach the correct policies to the user.
Here the difference between IAM users and root user:
From IAM users docs:
An IAM user with administrator permissions is not the same thing as the AWS account root user.
From root users docs:
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
I have a lot to learn around AWS, but I hope my story helps somebody...
Related
This question has been edited to indicate that I (a) went ahead and started using Cloud9 as the root user, and then (b) granted console access to the IAM user and switched to using that. Then, based on that, I modified the question that I'm asking. See the end of this question for those edits.
===================================
The documentation for Individual user setup for AWS Cloud9 is confusing. It tells me to sign in as a root user and "you can now start using AWS Cloud9." But right after that, it tells me not to use it as a root user, but as an IAM user. So I created a new IAM user for Cloud9. But I don't see how to sign in with the credentials for that.
The new IAM user has the following four permission policies applied:
AWSCloud9EnvironmentMember
AWSCloud9Administrator
AWSCloud9User
AWSCloud9SSM
I applied those four because when I was offered a list of 757 policies to choose from, those were all the ones that included "Cloud9" in their names.
The documentation mentioned above says, "Open the AWS Cloud9 console, at https://console.aws.amazon.com/cloud9/." When I click on that, I get the regular sign-in page for the AWS console:
If I sign in as the root user, I get taken to the Cloud9 homepage, which has a button for "Create environment". When I click on that, the page that comes up starts with the warning box:
AWS root account login detected
We do not recommend using your AWS root account to create or work with environments. Use an IAM user instead. This is an AWS security best practice.
Okay, so I logged out and went back to that link for the Cloud 9 console. This time, I clicked on "IAM user". Then it asked for my account ID.
I entered that, and then it asked for my IAM user name and password.
I entered the user name, but this IAM user doesn't have a password. I tried entering the access key ID, and then the secret access key, but with either of those as the password, AWS responded that "Your authentication information is incorrect."
So what do I need to do to access the Cloud9 system as this IAM user?
There's an SO question, Sign in to AWS console without password, which describes the exact same situation. But the accepted answer says to either (a) use the CLI and API, giving a link to the CLI, but the linked page has nothing about signing in, or (b) get a password from the administrator "if you think you require web console access as well." This IAM user was created without console access on purpose because the whole point of this user is just for using Cloud9 without any access to the rest of AWS.
Amazon has a page on Troubleshooting AWS sign-in or account issues, but it doesn't say anything about the issue described here.
So I'm stuck. How do I log in as this IAM user to create an environment in Cloud9?
===================================
EDIT Issue 1
While I waited for an answer here, I went ahead and signed back in as root user and started using Cloud9 to get familiar with it. When the Cloud9 Python tutorial told me to install the Python SDK:
sudo python3.7 -m pip install boto3 (Typo of "python36" corrected.)
I got the warning:
WARNING: Running pip install with root privileges is generally not a good idea. Try python3.7 -m pip install --user instead.
This suggested alternative command makes no sense because it doesn't include specifying the module to be installed. But worse than that, after issuing the warning, it did not allow me to abort the command, but went ahead and did the installation. So I wonder if I've caused any security problem in my AWS account by doing that.
EDIT Issue 2
After not getting an answer here, I thought that maybe what I'm supposed to do is give console access to the IAM user, which would generate a password for it. So I went and edited the user to do that. I then was able to sign in as that user. When I did that, I went to several services: IAM, SES, and even Support, and found that they were all disabled for lack of permissions. Then I went to Cloud9 and seemed to have full access there. So signed out, signed back in as root user, deleted the Cloud9 environment I'd created there, signed out, signed back in as the IAM user, and created a new environment there.
The reason I did not give this new user console access before is because I have two other IAM users from previous work in SES, and neither of them have console access. So I figured IAM users aren't supposed to have that. If Cloud9 is a special case in which an IAM user is supposed to have console access, whereas SES IAM users are not, then the Cloud9 User Guide should say so.
EDIT Summary
My original question of how to sign in without console access has now changed to two questions:
Have I done the right thing to solve the problem (not being able to sign in as the IAM user) by granting console access to the IAM user?
Regarding any security problem caused by the root user creating and using a Cloud9 environment, have I healed any such problem by deleting that environment, or could there be any lingering effect of that problem that deserves further attention?
I have another PC which has AWS CLI setup. I can still access the account and when I do aws s3 ls it lists all the buckets that I have. However, this is not connected to my current AWS root account. I don't know which account this AWS CLI credential belong to
Is there any possible way to recover or a hint so I can get the email address of the root account this CLI profile associated with?
I have tried aws sts get-caller-identity but I can't still figure out what my root email is
Edit: I found a user that I can sign in to the web console, but is there any way to recover the root's email address?
I have tried live chat with AWS billing and account, but they are unable to help.
In summary my situation is:
I have an account with access to AWS CLI and web console
This account is not the root account
How can I recover my root account?
If your AWS accounts are attached to an AWS Organisation, you can also see the aws root email address in the OU screen in the tree view:
https://us-east-1.console.aws.amazon.com/organizations/v2/home/accounts
This should list the root email of all of your Organisations associated accounts.
you can recover the root email, by creating an Organization if the account is not in Organization yet.
it will show the account's root email then in the Organization interface.
You can get the account id of your credentials with STS.
With AWS IAM CLI you can get the users which you can try to login with. It might be that a email address is used as username
To answer my own question, no it is not possible to recover the email of the root account for security reason
Not even AWS account support is able to help. I'm not sure if it can be escalated somewhere, but I can imagine the process will not be straightforward and taking into account it's a personal account, I don't think it's worth it
So my advice to those having the same question:
If you have a non root user with admin privilege, disable all running services to avoid incurring future charges
simply create a new account
I know it's not the ideal solution, but I don't think there's any other way
I have created a development deployment for an application using kops, kubectl, and EC2.
When I set up this deployment, I created a Kops IAM user as specified in this guide. Everything has worked fine for me managing this deployment.
I am now leaving the project for another job and have to allow someone else
to take over this deployment. I tried having them use aws configure and enter the appropriate kops IAM user creds, but the kops user still does not show up for this person when they run aws iam list-users.
What is the best way to share this IAM user with this new developer?
I have stumbled upon this guide which states I can Delegate Access Across AWS Accounts Using IAM Roles, but I am not sure if this is the correct solution? Shouldn't the new developer just be able to enter the Kops IAM user cred info to access its resources?
Forgive me, for I am not very experienced with aws-cli and this deployment process. I just took on this responsibility on our team because no one else was confident they could do it.
Thanks!
I think the best way to handle this would be to enter the AWS Console as the Root. Go to IAM and select the kops user. In the Security credentials tab, create a new access key and share the credentials with the other developer by forwarding him/her the csv file. Once he/she downloads the csv have them try the aws configure and enter the new access credentials. Letme know if this works!
I am working on my school project and seeing permission issues using AWS Educate for students.
I am unable to launch EC2 instance (Spot instance). Read through the documentation about changing roles and policies to grant permission but it says my user is unauthorized to. Neither is it permitting to create a role - No permissions to change anything in IAM.
Also, since it's student access AWS doesn't provide support to raise a Case Request with them. I understand this is a redundant question but I tried the solutions provided but in vain due to student access limitations. To ask administrator to add permissions it just redirects me to documentation.
Help much appreciated!
I am under the impression that spot instances are not available through AWS Educate. You would need to use a regular account which is what you did apparently.
The problem is this: The IAM user does not have permissions to do what you want. If you are the administrator, then you can assign (add) permissions to the user's attached policy. If you are not the administrator then you will need to contact that person for help.
I am planning on a web page that creates an instance for an user using a specific AMI. Is there any AWS method to let the user approve my web application to do this using their credentials? (i. e. getting a secret token with certain privileges)
Similar to when you let a Facebook application have access to certain information of your profile. I am looking for a way to get a token from the user signed in so that I can create an instance for them.
I want to avoid the user the pain of doing all the manual steps of going to IAM, create a new user, get the token and then upload them to my site.
I looked into AWS Cognito but this doesn't seem to be what I am looking for.
Similar to when you let a Facebook application have access to certain information of your profile.
AWS and Facebook are not similar in any sense. Facebook is a web application. AWS something entirely different.
Facebook has users, but AWS has accounts, which in turn have users... but in AWS, don't need a user's permission to do things to resources -- what you actually need is an account's permission to do things to its resources, because resources are associated with the account, not the user.
I am looking for a way to get a token from the user signed in so that I can create an instance for them.
Users sign in to the AWS console. After this, there is no such concept as a user allowing an external application doing things under the "signed in" user's auspices.
The user has to have sufficient permissions to either create sufficiently-privileged temporary IAM credentials (such as with GetSessionToken or AssumeRole from the IAM API) and hand them over to you, or create an IAM user with sufficient privilege and hand the keys to that user over to you... or you provide them with the ARN of one of your IAM users, and your customer gives your user permission to perform the actions or assume a role in your customer's account, created for the purpose.
I want to avoid the user the pain of doing all the manual steps of going to IAM, create a new user, get the token and then upload them to my site.
That can't be avoided, by design... and, in any event, whatever exactly you are planning, your model seems flawed: it would only be a naïve user who would allow you to do this. I have accounts that are allowed to launch hundreds of instances concurrently. Does it make sense that I would allow a third party to have access to credentials that could run up a huge bill for me? (If AWS trusts a set of credentials to launch instances, then it trusts them to launch instances -- all the way up to the account's instance limits).
If you want a user to be able to launch an instance from your AMI, you can simply list it on the AWS Marketplace, or you can share the AMI with the user's account, or even just make the AMI public.