8 AWS CLI Commands to Make IAM Management Easy


GUIs are great. When I began to learn technology, the GUI was a great place to start learning how a piece of software or a system works. However, as I became more comfortable with technology, I really just wanted computers to do what I asked them to do. If I am learning a new piece of software or a new service I will still start with a GUI (if one is available) in order to visualize and piece together all of the moving parts. Now, though, I often find that I get distracted and sometimes jumbled up in GUIs.

IAM (Identity and Access Management) is a service that allows you to create and manage access to your Amazon Web Services account. Within an AWS account there is a console that allows you to manage all of this from a centralized location.

When I first began to use AWS I used to log in to the console and set users up there. But if you are managing multiple users and groups, this gets cumbersome very quickly. I am going to walk you through how to set up and use the AWS CLI to make these tasks a lot easier. Let's first start with setting up your local environment to interact with AWS services.

There are a number of different ways to set this up depending on your operating system. I am using a Mac, so I will use those steps, but you can get the instructions for your operating system here.

  1. Install Homebrew
  2. Once Homebrew is set up, open a terminal and type brew install python
  3. Next, install the AWS CLI with the command pip install awscli

Before we can configure the CLI, we need to go to the IAM Console and create a new IAM user with admin permissions and an access key (an access key ID plus its secret access key).

  4. Navigate back to the console and create a new user. Make sure you check the option to create an access key and ID, then follow the rest of the instructions to add the user to the appropriate user group.

  5. Once the access key and ID have been created, save that information in a safe place, making sure no one else has access to it.

To configure the AWS CLI, enter the command aws configure. Once you have entered that command, you will be prompted for your Access Key ID, Secret Access Key, default region and output format. There are a number of output options, but I recommend JSON.

That's it! You should be ready to interact with your AWS services.

aws iam create-user --user-name <UserName>

aws iam delete-user --user-name <UserName>

Yes, it's really that simple! Let's go through the first command together. Type aws iam create-user --user-name Susan

The output for the command is as follows:

{
  "User": {
    "UserName": "Susan",
    "Path": "/",
    "CreateDate": "2019-06-27T17:20:05Z",
    "UserId": "MYUSERIDWOULDBEHERE",
    "Arn": "arn:aws:iam::MYACCOUNTIDWOULDBEHERE:user/Susan"
  }
}

After entering this command you can verify that the user was created by logging into the console and taking a look.

As you can imagine, and as the second command shows, you can just as easily remove Susan's account by swapping create-user for delete-user.

In the previous example all we did was create an IAM user with access to nothing. Susan would not even be able to log in to the console until a login profile is set for her.

aws iam create-login-profile --user-name <UserName> --password <password>

aws iam delete-login-profile --user-name <UserName>

aws iam update-login-profile --user-name <UserName> --password <password>

Let's set up Susan with a login profile that allows her to access the AWS Console.
Type aws iam create-login-profile --user-name Susan --password DonGiovanni@Mozart
Keep in mind that a password typed on the command line is recorded in your shell history, so treat it as an initial password only; adding --password-reset-required to this command makes Susan choose her own password the first time she signs in.

Confirm your output after entering the command:

{
  "LoginProfile": {
    "UserName": "Susan",
    "CreateDate": "2019-06-27T17:34:01Z",
    "PasswordResetRequired": false
  }
}

If you want to keep the IAM user but remove her ability to sign in to the console, use the second command: it deletes only the login profile, not the IAM user. You can reset a password with the third command.

Okay, now let's set Susan up with access keys. Type the following command: aws iam create-access-key --user-name Susan

The output:

{
  "AccessKey": {
    "UserName": "Susan",
    "Status": "Active",
    "CreateDate": "2019-06-27T17:40:21Z",
    "SecretAccessKey": "MYACCESSKEYWOULDNORMALLYGOHERE",
    "AccessKeyId": "MYIDWOULDNORMALLYGOHERE"
  }
}

In order to manage access to resources, it is a good idea to create meaningful groups so that you grant users access according to the groups they belong to rather than user by user. Below are the commands to create a group and to add a user to an existing group.

aws iam create-group --group-name <groupName>

aws iam add-user-to-group --group-name <groupName> --user-name <userName>
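Putting the commands above together, here is an added example script (my own, not from the original post) that onboards one user end to end: it creates the user only if it does not already exist, sets a console password that must be changed at first sign-in, writes the one-time secret access key to a private file instead of the terminal, and adds the user to a group. It assumes the aws CLI is installed and configured as described earlier, that the group already exists, and that the initial password sits in a file (names like onboard.sh and the argument order are my own choices).

```shell
#!/bin/sh
# Added example: onboard one IAM user with the commands from the article,
# plus the safeguards an operator would want. Not code from the original post.
# Usage: ./onboard.sh run <UserName> <GroupName> <password-file> <secret-out-file>
set -eu

# Succeeds only if the user already exists (get-user exits non-zero otherwise).
iam_user_exists() {
  aws iam get-user --user-name "$1" >/dev/null 2>&1
}

# Create the user (skipping if present), a console login profile that forces a
# password change at first sign-in, one access key, and the group membership.
# The initial password is read from a file and handed to the CLI through
# --cli-input-json, so it never appears on a command line or in shell history.
# Assumes the password contains no '"' or '\' (no JSON escaping is done here).
onboard_iam_user() {
  user=$1 group=$2 pwfile=$3 secret_out=$4

  if iam_user_exists "$user"; then
    echo "user $user already exists, skipping create-user" >&2
  else
    aws iam create-user --user-name "$user" >/dev/null
  fi

  # mktemp creates the request file with mode 0600, so the password stays private.
  req=$(mktemp)
  printf '{"UserName":"%s","Password":"%s","PasswordResetRequired":true}\n' \
    "$user" "$(cat "$pwfile")" > "$req"
  aws iam create-login-profile --cli-input-json "file://$req" >/dev/null
  rm -f "$req"

  # The secret is returned only once, at creation; write it to a 0600 file
  # instead of printing it. Output is one line: <AccessKeyId><TAB><SecretAccessKey>.
  ( umask 077
    aws iam create-access-key --user-name "$user" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text > "$secret_out" )

  aws iam add-user-to-group --group-name "$group" --user-name "$user"
  echo "onboarded $user into $group; access key written to $secret_out" >&2
}

case "${1:-}" in
  run) onboard_iam_user "$2" "$3" "$4" "$5" ;;
esac
```

Because --password-reset-required is set, the password in the file is only a bootstrap value; delete the file once the user has signed in and changed it.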