DEV Community

Cover image for Learn to use AWS IAM in command line
Israel-Lopes
Israel-Lopes

Posted on • Edited on

Learn to use AWS IAM in command line

If you landed here by parachute and don't know how to configure LocalStack to simulate an AWS environment, follow this post: Simulating AWS CLI with LocalStack

What is IAM?

IAM (Identity and Access Management) is an AWS service that allows you to securely manage access to AWS resources and services. It provides granular control over permissions and access policies for users, groups, roles, and services within your AWS account.

IAM lets you create and manage identities (users, groups, and roles) and assign
permissions specific to those identities. Some of the main features and
IAM features include:

  1. User Management: You can create IAM users and provide credentials
    login for them. Each user will have a set of unique credentials
    to authenticate to the AWS account.

  2. Groups: You can organize users into logical groups and assign permissions at the group level.
    This simplifies permission administration as you can add or remove users from
    a group and the permissions will be applied automatically.

  3. IAM Roles: IAM roles allow you to grant temporary permissions to services and
    AWS applications. This is useful when you want to allow a service to access
    other resources in your account on your behalf, without having to share access credentials.

  4. IAM Policies: IAM policies are JSON documents that define permissions for
    users, groups, and roles. You can create custom policies to meet requirements
    access specifics and assign those policies to identities.

  5. Integration with Other Services: IAM integrates with many AWS services, allowing you to
    control access to specific features in those services. For example, you can define policies
    access to S3 buckets, EC2 instances, SQS queues and many others.

Creating user in IAM

Now let's learn how to create our first user in IAM, just follow the command below:

aws iam create-user --user-name <username>

We can now list our user: aws iam list-users

After the user has been created, we can now grant access to him. Here's an example:

aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/MyPolicy

Replace <username> with the username you created and
arn:aws:iam::aws:policy/MyPolicy by the ARN (Amazon Resource Name) of the
policy you want to associate.

Below is a list of the most common policies to apply:

  • AmazonS3FullAccess: Grants full access to Amazon S3 storage services.
    • AmazonEC2FullAccess: Grants full access to Amazon EC2(Elastic Compute Cloud) services.
    • AmazonDynamoDBFullAccess: Grants full access to Amazon DynamoDB services.
    • AmazonRDSFullAccess: Grants full access to Amazon RDS (Relational Database Service) services.
    • AmazonSQSFullAccess: Grants full access to Amazon SQS (Simple Queue Service) services.
    • AmazonSNSFullAccess: Grants full access to Amazon SNS (Simple Notification Service) services.
    • AWSLambdaFullAccess: Grants full access to AWS Lambda services.
    • AWSReadOnlyAccess: Grants read-only access to a wide range of AWS services.

If you want to see more policies, access the link politicas
Continuing, I want to give access to the user Luis to have access to Dynamo, in this case:

aws iam attach-user-policy --user-name Luis --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess

Now let's list the accesses of our user Luis:

aws iam list-attached-user-policies --user-name Luis

It will return the following:

{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonDynamoDBFullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

I want to remove the access that I was given to the user, how do you do it now?
Just follow the example, let's remove the access we just gave Luis:

aws iam detach-user-policy --user-name Luis --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess

Listing the user accesses, it should return:

{
    "AttachedPolicies": []
}
Enter fullscreen mode Exit fullscreen mode

This way, we just detach AmazonDynamoDBFullAccess access to the user Luis.
We move on now.

Now let's delete the user Luis:

aws iam delete-user --user-name Luis

Finish

We learned here how to create users, set access policies, remove them and delete users.
There are more features that IAM can offer, but I've only presented the basics.

Texto alternativo da imagem

Top comments (0)