Skip to content

IAM Accountλ︎

Create IAM Accountλ︎

Visit aws.amazon.com in a browser.

Sign In via the link in the top navigation bar, or select Create an AWS Account

Login using the Root account which is typically used to administrate all other accounts.

Search for Identity and Access Management (IAM)

Select IAM > Users

Select Add User

Step 1: - Enter user name jr0cket-cli - Select Next

do not provide access to the AWS management console for programmatic users

Step 2:

  • Select Create Group
  • enter user group name, e.g. cli-access
  • search for Permission Policies, e.g. s3
  • select checkbox next to relevant permission, e.g. AmazonS3FullAccess
  • Select Next

Step 3: - Select Create User

View the user to see th user passwork and email instructions for signing into the AWS Management Console (which we didnt select, so that seems to be a generic message)

Configure CLI Accessλ︎

  • Access Keys for personal AWS Account (you are the owner of the whole account, not for commercial account)
  • SSO & IAM Identity Center for commercial accounts

Most other operations seem redundant

AWS CloudShell

AWS CloudShell is a browser-based CLI for running commands.

Essentially an Amazon Linux environment running in the AWS environment which can be connected to run commands

assumption: code will need to be run in the Cloudshell environment to use the credentials or use a supported editor - VSCode or IntelliJ

Access Keys have a maximum 12 hours lifespan (assumption: can be regenerated via the web console)

Scroll to Access Keys section in IAM user view

Select Create access keybinding

Step 1 - Access key best practices and alternatives Select Command Line Interface (CLI)

AWS form prompts with alternative recommendation (which should be used instead of this approach)

Alternatives recommended

Use AWS CloudShell, a browser-based CLI, to run commands

Use the AWS CLI V2 and enable authentication through a user in IAM Identity Center (SSO)

Check I understand the above recommendation and want to proceed to create an access key

Step 2 - set description tag: Optionally set a tag (maybe this helps search for things or provide some content about how the key is used)

Select Create access key

Step 3 - retrieve access keys Copy the Access Key and Secret access key to somewhere safe, e.g. a local GPG encrypted file

Keep the page open and open a command line terminal to run the AWS CLI configuration wizard.

If running the aws cli config later, create a file called ~/.aws/access-keys.gpg, add the Access Key and Secret Access Key and encrypt the file, e.g. SPC a Y e in spacemace, selecting a GPG key.

🌐 Recommended Practices for Access Keys

aws_session_token not required

The IAM user should be part of an AWS group and that group should be assigned the relevant service permissions, e.g. AwsS3FullAccess

An AWS group can be created or assigne when creating a new IAM user or anytime after the user is created.