I have created a development deployment for an application using kops, kubectl, and EC2.
When I set up this deployment, I created a Kops IAM user as specified in this guide. Everything has worked fine for me managing this deployment.
I am now leaving the project for another job and have to allow someone else
to take over this deployment. I tried having them use aws configure and enter the appropriate kops IAM user creds, but the kops user still does not show up for this person when they run aws iam list-users.
What is the best way to share this IAM user with this new developer?
I have stumbled upon this guide which states I can Delegate Access Across AWS Accounts Using IAM Roles, but I am not sure if this is the correct solution? Shouldn't the new developer just be able to enter the Kops IAM user cred info to access its resources?
Forgive me, for I am not very experienced with aws-cli and this deployment process. I just took on this responsibility on our team because no one else was confident they could do it.
Thanks!
I think the best way to handle this would be to enter the AWS Console as the Root. Go to IAM and select the kops user. In the Security credentials tab, create a new access key and share the credentials with the other developer by forwarding him/her the csv file. Once he/she downloads the csv have them try the aws configure and enter the new access credentials. Letme know if this works!
Related
my requirement is, my code will be deployed on an ec2 instance. and at some point, it needs the username of the IAM account who is executing that code. or whose session is currently active on that ec2 instance. Is it even possible?
FYI,
I read the answers here
From AWS SDK, how to I get the current logged in username (or IAM user)?, but they are not much of a use
PS. I have to authenticate which IAM account is executing the spark job
Edit: based on #John Rotenstein suggestions, adding more details
Many IAM users might access the ec2 instance when provided with IP. So based on which IAM users has logged in into EC2 instance, and is trying to run spark job in an EMR cluster. I want to validate if he has permission to execute the code ( There is a separate database of list of authorized users, where i would search his IAM username in database, if not found throw an error). For this purpose, i need the username of that IAM account.
If there is any utility in aws-sdk or some kind of metadata which gets created after a IAM user launches ec2 instance? And just for clarity, I know the details of os users, and not concerned with them. Till now, we were doing this process with os users only, but with new changes we need to validate users from their IAM account username instead of os usernames.
So we have this aws account with some permissions and it was working fine at first. We were able to deploy to aws using serverless framework. But then the client decided to setup an organization since they have other aws accounts also and to consolidate the billing under 1 account, they added the account they gave us to the organization. Now the problem is when we deployed using serverless again, serverless can no longer see the deployment bucket with an access denied error. But when the account was removed from the organization, serverless is able to locate the bucket. Is there some addition permissions or changes to the permissions that needs to be done when an account is linked to an organization? Can someone explain to me cause I can't seem to find any example of my scenario in a google search. I am new to AWS and this is the first time I experience organzations in AWS.
The only implication to permissions from joining an OU (organization unit) would be via the Service Contol Policy (SCP). Verify that the SCP attached to the organization does not block the actions you are attempting to execute.
We would love to get more information if possible, but I would maybe start looking in the following places in your consolidated account:
Trusted access for AWS services - https://console.aws.amazon.com/organizations/home?#/organization/settings
https://console.aws.amazon.com/organizations/home?#/policies
See if anything was changed there, if someone added a policy, or if the AWS Resource Access Manager is disabled.
I am totally newbie with AWS, my first project with it.
I was trying to deploy my Django app with Elastic Beanstalk, using CodeCommit, following a tutorial. I was getting an error while trying to connect to the repo. Searching around that error, I got to the conclusion that I probably needed to enable AWSElasticBeanstalkFullAccess policy for my user. However, before doing that I 'detached' the first (and I think the only) policy that I had attached to my account. I think it was 'AdministratorAccess' or something similar (the first option in a large policies list). I just wanted to fit my user to the tasks that would be required and I interpreted that having admin privileges is not safe. Later I read that I should have created a new user with no root privileges, and work with that new user on a daily basis. I promise I will do that the next time.
So I am locked right now. I have just one user with privileges for doing absolutely nothing. I cannot even purchase development support (29$/month), to solve this situation... I don't know what to do. I could forget that account and open a new one, but I think there must be something I could do.
I tried searching for almost 2 hours, but I couldn't find anything that could work for me. I repeat that I am completely newbie on AWS and probably I didn't use the correct words in my searching process.
Any help will be appreciated. Thanks in advance.
Ok, finally solved. I explain.
While following the tutorial, I signed up AWS and created a user called 'username' for the deployment process in Elastic Beanstalk. I thought the user I created following the tutorial was my current user in AWS, but (fortunately) it wasn't.
I logged in with the 'username' user and detached the AdministratorAccess policy from that user, so the user has privileges to do nothing.
After some more reading, I found that if you login to AWS with your email (not the 'username'), you log as the root user. That allowed me to attach the correct policies to the user.
Here the difference between IAM users and root user:
From IAM users docs:
An IAM user with administrator permissions is not the same thing as the AWS account root user.
From root users docs:
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
I have a lot to learn around AWS, but I hope my story helps somebody...
I am working on my school project and seeing permission issues using AWS Educate for students.
I am unable to launch EC2 instance (Spot instance). Read through the documentation about changing roles and policies to grant permission but it says my user is unauthorized to. Neither is it permitting to create a role - No permissions to change anything in IAM.
Also, since it's student access AWS doesn't provide support to raise a Case Request with them. I understand this is a redundant question but I tried the solutions provided but in vain due to student access limitations. To ask administrator to add permissions it just redirects me to documentation.
Help much appreciated!
I am under the impression that spot instances are not available through AWS Educate. You would need to use a regular account which is what you did apparently.
The problem is this: The IAM user does not have permissions to do what you want. If you are the administrator, then you can assign (add) permissions to the user's attached policy. If you are not the administrator then you will need to contact that person for help.
I can go eb ssh.
I can't though work out what the ssh command on it's own would be.
I want my colleague to be able to ssh in.
They have an AWS account.
What page in the doco should I be following ?.
edit:
I actually want them to be able to go eb deploy so basically how do you set up eb to use someone else's system ?
AWS allows you to delegate access to a user in another AWS account so that he can work with your resources. See IAM Roles, Delegating Access Across Accounts, and IAM Roles with Elastic Beanstalk.
Alternatively, you could simply create an IAM user in your account with the relevant permissions and then give those credentials to your colleague. Roles and cross-account access are generally the preferred method, however.