How to Control Access with AWS IAM for Users and Groups using the CLI for Granting S3 Access

In this post, we will use Identity Access Management (IAM) on AWS to Control Access for our Groups and Users using the CLI, and as an example use-case, we will be allowing S3 Access for Users that is associated to a Group.

What we will be doing today:

  • Create a Group
  • Create a Policy for our Users to Read, Write and ListBucket from S3
  • Associate a Group Policy
  • Create and Associate Users to our Group
  • Create Access Keys for our Users

Create the Group:

$  aws iam create-group --group-name TempGroup
{
    "Group": {
        "Path": "/",
        "CreateDate": "2017-06-11T20:16:39.870Z",
        "GroupId": "AGPAJHTDNQKH3ABCD1234",
        "Arn": "arn:aws:iam::123456789023:group/TempGroup",
        "GroupName": "TempGroup"
    }
}

Create the IAM Policy that will be associated to the Group that will grant our users to List the mentioned S3 Bucket, Read, Write and Delete objects from the given bucket name:

$ cat iam-s3-policy.json
{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::MY_BUCKET_NAME"
            ]
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::MY_BUCKET_NAME/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

Create The IAM Policy:

Create the IAM Policy by associating the Policy Document to the IAM Policy Name:

$ aws iam create-policy --policy-name s3-access-policy --policy-document file://./iam-s3-policy.json
{
    "Policy": {
        "PolicyName": "s3-access-policy",
        "CreateDate": "2017-06-11T12:53:03.665Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "ANPAJEL3K3TCEDEFG2KSY",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:policy/s3-access-policy",
        "UpdateDate": "2017-06-11T12:53:03.665Z"
    }
}

Attach The Policy to the Group:

Attach the IAM Policy to the Group by Specifying the Policy ARN Received from the previous API call:

$ aws iam attach-group-policy --group-name TempGroup --policy-arn arn:aws:iam::123456789012:policy/s3-access-policy

if it was a scenario where you would like to apply a policy to a specific user:

$ aws iam attach-user-policy --user-name tmp-user1 --policy-arn arn:aws:iam::123456789012:policy/s3-access-policy

Creating 2 Users:

Create 2 Users that we will assign to our Group:

$ aws iam create-user --user-name tmp-user1
$ aws iam create-user --user-name tmp-user2

Add the Users to the Group:

Add the 2 Users that we created to our Group

$ aws iam add-user-to-group --group-name TempGroup --user-name tmp-user1 
$ aws iam add-user-to-group --group-name TempGroup --user-name tmp-user2

Review by Getting Group Info:

Review the Group Info to make sure everything looks as expected:

$ aws iam get-group --group-name TempGroup
{
    "Group": {
        "Path": "/",
        "CreateDate": "2017-06-11T20:48:34Z",
        "GroupId": "AGPAJDK4URLF7P32YQ2BO",
        "Arn": "arn:aws:iam::123456789012:group/TempGroup",
        "GroupName": "TempGroup"
    },
    "Users": [
        {
            "UserName": "tmp-user1",
            "Path": "/",
            "CreateDate": "2017-06-20T12:57:11Z",
            "UserId": "AIDAJOIEUY3UNM7H6NPNQ",
            "Arn": "arn:aws:iam::123456789012:user/tmp-user1"
        },
        {
            "UserName": "tmp-user2",
            "Path": "/",
            "CreateDate": "2017-06-20T12:56:29Z",
            "UserId": "AIDAJJC2BERXOQRVGBIKK",
            "Arn": "arn:aws:iam::123456789012:user/tmp-user2"
        }
    ]
}

Create Access Keys for the Users:

In this example we will only create access-keys for tmp-user1:

$ aws iam create-access-key --user-name tmp-user1
{
    "AccessKey": {
        "UserName": "tmp-user1",
        "Status": "Active",
        "CreateDate": "2017-06-11T13:05:40.858Z",
        "SecretAccessKey": "SECRET",
        "AccessKeyId": "AKIAIBY7UYQX5KVAOO7Q"
    }
}

Configure Credentials:

If this will be the main user you can configure your credentials by running:

$ aws configure

If you are running multiple accounts, you can append the following to ~/.aws/credentials :

$ cat /home/user/.aws/credentials
[default]
aws_access_key_id = foo
aws_secret_access_key = bar

[tmp-user1]
aws_access_key_id = AKIAI123456789VAOO7Q
aws_secret_access_key = SECRET

After your credentials is set, you should be able to access S3, so you could test this by either, listing the S3 Bucket, Pushing an object to S3, or Deleting an object from S3.

Example: Listing the Bucket:

If you are using the default account, you don't have to specify the profile name, so that can be achieved like the following:

$ aws s3 ls s3://bucketname/

Or, we can list the bucket by specifying the profile name, region name etc:

$ aws s3 --profile tmp-user1 --region eu-west-1 ls s3://bucketname/

Cleaning Up:

Detach the Group Policy:

$ aws iam detach-group-policy --group-name TempGroup --policy-arn arn:aws:iam::123456789012:policy/s3-access-policy

Delete the IAM Policy:

$ aws iam delete-policy --policy-arn arn:aws:iam::123456789012:policy/s3-access-policy

Or, if it was for a User, Detach the User Policy:

$ aws iam detach-user-policy --user-name tmp-user1 --policy-arn arn:aws:iam::123456789012:policy/s3-access-policy

Then Delete the IAM Policy:

$ aws iam delete-policy --policy-arn arn:aws:iam::123456789012:policy/s3-access-policy

Removing the Users from the Group:

After the policy has been detached from the group, we still have our users associated with our group, so we must remove our users from group first.

$ aws iam remove-user-from-group --group-name TempGroup --user-name tmp-user1
$ aws iam remove-user-from-group --group-name TempGroup --user-name tmp-user2

Deleting the users:

In order to call the DeleteUser operation, we first need to delete the access keys before we can delete the entity:

$ aws iam list-access-keys --user-name tmp-user1
{
    "AccessKeyMetadata": [
        {
            "UserName": "tmp-user1",
            "Status": "Active",
            "CreateDate": "2017-06-11T13:05:40Z",
            "AccessKeyId": "AKIAIBY7UYQX5KVAOO7Q"
        }
    ]
}

Delete the Access Keys:

$ aws iam delete-access-key --user-name tmp-user1 --access-key-id AKIAIBY7UYQX5KVAOO7Q

Finally, delete the users:

$ aws iam delete-user --user-name tmp-user1
$ aws iam delete-user --user-name tmp-user2

Delete the Group:

$ aws iam delete-group --group-name TempGroup

References: