IAM group path is a way to organize groups following an enterprise structure. Looking at the IAM Console I cannot find a way to set or modify the path of a group. Is it possible from the console or is there another way programmatically or through the CLI?
As far as I know, you must use the AWS cli or a programming language, e.g,
aws iam create-group --path "/company/team/project/" --group-name "your-group"
The groups are not listed in the Console in hierarchical form, but the ARN includes the path.
arn:aws:iam::111111111:group/company/team/project/your-group
Related
Is there a way to pass a wildcard user ARN to
aws cloud9 create-environment-membership --user-arn arn:aws:blah
Looking at https://docs.aws.amazon.com/cli/latest/reference/cloud9/create-environment-membership.html it looks like I can only pass specific user ARNs but I'd like to be able to put wildcards in there rather than having a list of specific user ARNs.
This is not possible today. You have to specify a fully matched ARN for an IAM Principal (IAM User or STS Session)
I have multiple roles in AWS and have to switch between them multiple times a day.
Can you please suggest a good solution without doing the entire authentication cycle?
You can store multiple roles in the ~/.aws/credentials file. These can be activated via the AWS CLI by using --profile.
You can also put roles in specific profiles and the AWS CLI will assume them from a base set of credentials.
See:
Configuration and Credential File Settings - AWS Command Line Interface
Using an IAM Role in the AWS CLI - AWS Command Line Interface
In IAM, what is the purpose/use of the "Path" variable when creating an IAM User via the CLI or API?
The path variable in IAM is used for grouping related users and groups in a unique namespace, usually for organizational purposes.
From Friendly Names and Paths:
If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM entities, you can also give the entity an optional path. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company's organizational structure. You could then create a policy to allow all users in that path to access the policy simulator API. To view this policy, see IAM: Access the Policy Simulator API Based on User Path. For additional examples of how you might use paths, see IAM ARNs.
For example, a large organization may have users in paths /WestRegion/AZ and /EastRegion/NY. This would correspond to internal divisions of the organization.
Here are some examples from the above document:
An IAM user called Bob in a given account:
arn:aws:iam::123456789012:user/Bob
Another different user Bob with a path reflecting an organization chart:
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
An IAM group:
arn:aws:iam::123456789012:group/Developers
An IAM group with a path:
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developer
Note that this metadata is not exposed in the Console. My guess is that usage of a user path is more suited for large organizations, or advanced users, that would normally rely on CloudFormation and/or the AWS CLI for managing their AWS resources. For example, the --path-prefix is a parameter to aws iam list-users.
See http://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
I'm new to programming. I need to figure out how I can create AWS users, roles and policies programmatically using code.
That task I'm after :
Create a User, Role and Policy
Assign Policy to the Role
Assign Role to the User
Set condition on the Role, that only Users with MFA can assume that Role
Config's should live in S3 bucket
configure a LAMBDA to check the user's role membership and output the result to S3 bucket.
Just trying to figure out where do I start from ? I have a very limited programming experience (can do a bit of PHP).
I have a AWS account, created a user and gave him 'AdministratorAccess' also have user keys for CLI access.
Should I be suing 1)AWS CLI 2) Powershell 3) AWS SDK's 4) AWS API?
Appreciate any help/direction to achieve the above.
Thanks
S
To programmatically create IAM Roles you can use AWS PHP SDK. Refer the IAM Create User section in SDK API reference for more details.
Aside from using specific language AWS SDKs such as suggested by #Ashan, you can do so by using AWS REST API with the following example request:
https://iam.amazonaws.com/?Action=CreateUser
&Path=/division_abc/subdivision_xyz/
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Source - CreateUser
I'm very new to jenkins. I installed the S3 plugin. I wish to use AWS IAM S3 roles to make the plugin work.
However, I can't find any way to configure IAM roles within this plugin. I can see only setting up the access key and secret key.
Has anyone used IAM roles with this plugin?
Kindly help.
Thanks in advance.
IAM roles are assigned to EC2 instances at launch. There's nothing else to configure, thus your S3 plugin should just automatically work. This is dependent on the plugin supporting IAM roles, which it looks like it does according to your link. You will have to assign the correct bucket policy though using the instructions also found at the link.