
Setting up users, groups, and roles


In your AWS environment, you'll need to manage many users. These users might represent employees in different departments of your organization or applications accessing your AWS account programmatically. There may also be times when you need to grant access to external users or allow your users to log in using the same credentials they use on other platforms.

This topic explores how to create users with AWS IAM, and federated users with AWS Identity Center. We'll learn how to organize users into groups and create access keys for programmatic access. We'll also discuss creating roles to provide temporary access to various entities. For all these entities, we'll attach policies that control the actions permitted for them.

Creating users

Let's create an admin user who has full access to our account. This is the user we will use instead of the root user. To create this user, follow these simple steps:

  1. Sign in as the root user and open the AWS IAM service;

  2. Click on "Users" in the sidebar, then press "Create user";

  3. Input the new user's name;

  4. Allow console access by ticking the relevant checkbox, which lets the user log in to the AWS Management Console;

  5. Select "IAM user" for the type of user and create a custom console password for them;

  6. Uncheck the "User must change their password at next sign-in" box;

  7. For permissions, select "Attach policies directly" and choose "AdministratorAccess" to grant this user full access;

  8. Review, add tags if desired, and press the "Create" button.

A user could represent an application rather than an actual person. In that case, you do not need to create a password for them.

As AWS IAM doesn't cost anything, you can create as many users as you like. Just keep in mind that there's a limit of 5000 users per AWS account.

Once created, you can view and adjust information about the user you just set up. You can see their unique Amazon Resource Name, their permissions, security credentials, and more:

Screenshot displaying the newly created user.

You can also create users using the AWS CLI or SDKs. We'll see how to do this in later topics. After you've created the user, you can log in as the IAM user. You'll need to input your account ID, the user's username, and their password to log in to the console. You can also set up an account alias from the IAM console dashboard. This means you won't need to remember the account ID.

Organizing users with groups

Creating groups is also straightforward:

  1. Open the AWS IAM console and navigate to the "User groups" section; then, click on "Create group";

  2. Give the group a name that accurately indicates its function or the team it represents;

  3. You can choose to add users immediately, or you can do that later;

  4. Attach the required permissions to the group.

As a practical example, let's imagine creating a group for your organization's finance team. You might name it "Billing-Department". You would assign permissions to this group that match the finance team's responsibilities, such as the "Billing" managed policy. This policy allows members of this group to view cost and usage data, create budgets, and manage payment methods.

Screenshot showing group creation.

Once the group is created, you can then add users to it. Each member you add to this group will automatically inherit the permissions associated with it. This method significantly simplifies the process of managing permissions and ensures consistent access rights for the whole team.

Now that you've understood how to create groups, go ahead and create an "Admins" group. Attach the "AdministratorAccess" permission to it and add the admin user you created in the previous section. Finally, remove the user's individual policy as the group permissions now apply.
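To make the inheritance rule concrete, here is an added example (not code from the page or from AWS) that models users, groups, and attached managed policies in plain Python. The user names, group memberships and the extra "IAMReadOnlyAccess" attachment are constructed sample data. It computes each user's effective managed policies and finds the direct user policies that become redundant once a group grants them, which is exactly the cleanup step for the admin user described above.

```python
# Added example (not from the original page): a small model of how IAM users
# inherit managed policies from their groups, plus a check for direct user
# policies that become redundant once the user is in a group granting them.
# User, group and policy assignments below are constructed sample data.

from typing import Dict, List, Set

# Constructed inventory: managed policies attached directly to each user,
# policies attached to each group, and group membership.
USER_POLICIES: Dict[str, Set[str]] = {
    "admin-user": {"AdministratorAccess"},   # attached in "Creating users"
    "alice": set(),
    "bob": {"IAMReadOnlyAccess"},            # hypothetical extra direct policy
}
GROUP_POLICIES: Dict[str, Set[str]] = {
    "Admins": {"AdministratorAccess"},
    "Billing-Department": {"Billing"},
}
GROUP_MEMBERS: Dict[str, List[str]] = {
    "Admins": ["admin-user"],
    "Billing-Department": ["alice", "bob"],
}


def groups_of(user: str) -> List[str]:
    """Return the groups a user belongs to, in a stable order."""
    return sorted(g for g, members in GROUP_MEMBERS.items() if user in members)


def inherited_policies(user: str) -> Set[str]:
    """Managed policies the user receives through group membership only."""
    inherited: Set[str] = set()
    for group in groups_of(user):
        inherited |= GROUP_POLICIES.get(group, set())
    return inherited


def effective_policies(user: str) -> Set[str]:
    """Managed policies that apply to a user: direct ones plus inherited ones."""
    return set(USER_POLICIES.get(user, set())) | inherited_policies(user)


def redundant_direct_policies(user: str) -> Set[str]:
    """Direct user policies that a group already grants.

    These are the candidates to detach after the user joins the group, which
    is the cleanup step described for the admin user in the text."""
    return USER_POLICIES.get(user, set()) & inherited_policies(user)


def detach_redundant(user: str) -> Set[str]:
    """Detach the redundant direct policies and return what was removed."""
    removed = redundant_direct_policies(user)
    USER_POLICIES[user] = USER_POLICIES.get(user, set()) - removed
    return removed


if __name__ == "__main__":
    for u in USER_POLICIES:
        print(u, "effective:", sorted(effective_policies(u)),
              "redundant direct:", sorted(redundant_direct_policies(u)))
    print("detached from admin-user:", sorted(detach_redundant("admin-user")))
    print("admin-user still has:", sorted(effective_policies("admin-user")))
```

Running it shows that "admin-user" keeps "AdministratorAccess" after the direct attachment is detached, because the "Admins" group supplies it, while "bob" keeps his extra direct policy because no group grants it.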

Federation and single sign-on

AWS suggests using an identity provider, or IdP, for managing user accounts. An IdP is a trusted system that manages user credentials like usernames and passwords. To streamline user management across different AWS accounts, AWS offers the IAM Identity Center service. This service simplifies user administration and provides support for single sign-on (SSO) capabilities. SSO lets users utilize a single set of credentials to authenticate across platforms.

To start using the IAM Identity Center service, you need to activate it from its service console. Once activated, you can tailor it to work with external IdPs that support either the SAML standard or OpenID Connect. These include Microsoft Entra ID (previously known as Azure AD), Google Workspace, and others. If it is your first time setting up user accounts, the IAM Identity Center can also serve as your IdP.

Creating users and groups with the Identity Center service is much like doing so with IAM. However, incorporating an external identity provider involves extra steps to establish a trust relationship and sync between AWS and the external provider. This process is known as federation. Detailed instructions for this setup can be found in the AWS documentation.

Screenshot showing SSO with AWS IAM Identity Center

In this scenario, the AWS Managed Active Directory service is utilized for user management. This AWS service enables an organization to manage its users via Microsoft Active Directory. A two-way trust relationship is made between the provider and the IAM Identity Center service. This lets users use the same credentials to access multiple AWS accounts and cloud applications, such as Salesforce and Microsoft 365.

Creating roles

Now, let's create a role in IAM:

  1. Open the AWS IAM console.

  2. In the navigation pane, click "Roles" then select "Create role".

  3. Choose the type of entity that will assume the role. For instance, if you want an Amazon EC2 instance to access objects in an S3 bucket, select "AWS service" as the entity type.

  4. Select the service, such as "EC2", as the use case.

  5. Attach the required permission policies to the role to outline what actions it can perform.

  6. Assign the role a meaningful name for easy identification.

The trusted entity type indicates who can assume the role. These entities may be AWS services, other AWS accounts, or federated users. Entities assume roles through the AWS Security Token Service (STS) by sending requests to the sts:AssumeRole API. When a request is sent, AWS STS checks if the requesting entity has permission to assume the role and validates the attached permissions. If verified, STS provides temporary security credentials which consist of an access key ID, a secret access key, and a session token. The entity can now safely access AWS services with the role's permissions for a specific duration.
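The check that STS performs against a role's trust policy can be seen in miniature with the added example below (not code from the page or from AWS; it is a simplified model, and real IAM evaluation also applies the caller's own identity policies, organization SCPs and more). It contains the trust policy the console generates for the "AWS service / EC2" choice, plus a constructed cross-account trust policy for a partner account that must also present an agreed external ID. The account ID and external ID are placeholders, and only the StringEquals condition operator is modelled.

```python
# Added example (not from the original page): a simplified model of the
# trust-policy check STS performs when an entity calls sts:AssumeRole.
# It models Allow/Deny statements, Service and AWS principals, and a
# StringEquals condition; it does not model the rest of IAM evaluation.
# The account ID 111111111111 and the external ID are constructed values.

from typing import Any, Dict, List, Optional, Union

# Trust policy generated for the EC2 role created in the steps above.
EC2_TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed trust policy: a partner account may assume the role, but only
# when its request carries the agreed sts:ExternalId.
CROSS_ACCOUNT_TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        }
    ],
}


def as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM allows a string or a list in most fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def principal_matches(principal: Dict[str, Any], caller: Dict[str, str]) -> bool:
    """caller is {"Service": "..."} or {"AWS": "arn:..."}; match on the same key."""
    for kind, ident in caller.items():
        if kind in principal and ident in as_list(principal[kind]):
            return True
    return False


def condition_matches(condition: Dict[str, Any], context: Dict[str, str]) -> bool:
    """Only StringEquals is modelled; a missing context key fails the condition."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in as_list(expected):
            return False
    return True


def can_assume(trust_policy: Dict[str, Any], caller: Dict[str, str],
               context: Optional[Dict[str, str]] = None) -> bool:
    """True if an Allow statement grants sts:AssumeRole to the caller and no
    matching Deny statement exists (an explicit deny wins, as in IAM)."""
    context = context or {}
    allowed = False
    for stmt in trust_policy["Statement"]:
        if "sts:AssumeRole" not in as_list(stmt["Action"]):
            continue
        if not principal_matches(stmt["Principal"], caller):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print("EC2 may assume:", can_assume(EC2_TRUST_POLICY, {"Service": "ec2.amazonaws.com"}))
    print("Lambda may assume:", can_assume(EC2_TRUST_POLICY, {"Service": "lambda.amazonaws.com"}))
    partner = {"AWS": "arn:aws:iam::111111111111:root"}
    print("partner without external ID:", can_assume(CROSS_ACCOUNT_TRUST_POLICY, partner))
    print("partner with external ID:",
          can_assume(CROSS_ACCOUNT_TRUST_POLICY, partner, {"sts:ExternalId": "example-external-id"}))
```

The point to take from the model is that a trust policy decides who may assume the role, while the permission policies attached to the role decide what the assumed role may then do; the two are checked separately, and the temporary credentials STS returns (access key ID, secret access key and session token) carry the role's permissions only until their expiry.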

Managing access keys

Once you have an IAM user set up, the next step is creating an access key linked with the user. Here's a step-by-step guide on how this is done through the AWS IAM console:

  1. Navigate to the IAM console and click on "Users";

  2. Choose the user for whom you desire to create an access key. This will bring you to their dashboard;

  3. Locate the "Security credentials" tab. This is where you can manage different security credentials for the user;

  4. Scroll down to the "Access keys" section, then click on "Create access key" to start the setup;

  5. Next, you'll be prompted to select a use case for the access key. Feel free to choose any;

  6. For now, disregard any recommendations and proceed with creating the access key. If you'd like, you can include a description of the key's function.

Don't forget, the secret access key will only appear once — during its creation. If needed, access keys can be deactivated or removed easily from the same page. A user can have a maximum of two access keys at a time.
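Because the secret is shown only once and each user is capped at two keys, it is worth knowing how to audit the keys you already have. The added example below (not code from the page or from AWS) runs a local audit over records shaped like the AccessKeyMetadata entries that the IAM "list-access-keys" call returns, combined with a last-used date of the kind "get-access-key-last-used" reports. It enforces the two-key limit before creating a new key and flags keys that are inactive, never used, or older than a rotation threshold. All records and key IDs below are constructed placeholders, and the 90-day and 30-day thresholds are assumptions, not AWS defaults.

```python
# Added example (not from the original page): a local audit over constructed
# access-key records shaped like IAM's AccessKeyMetadata, enforcing the
# two-keys-per-user limit and flagging keys that need attention.
# Every key ID, user name and date below is constructed sample data.

from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

ACCESS_KEYS: List[Dict[str, Optional[str]]] = [
    {"UserName": "admin-user", "AccessKeyId": "AKIAEXAMPLEKEY000001",
     "Status": "Active", "CreateDate": "2024-01-10T09:00:00Z",
     "LastUsedDate": "2024-06-01T08:30:00Z"},
    {"UserName": "admin-user", "AccessKeyId": "AKIAEXAMPLEKEY000002",
     "Status": "Inactive", "CreateDate": "2023-02-01T09:00:00Z",
     "LastUsedDate": None},
    {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLEKEY000003",
     "Status": "Active", "CreateDate": "2024-05-20T12:00:00Z",
     "LastUsedDate": "2024-06-02T07:00:00Z"},
]

MAX_KEYS_PER_USER = 2  # the IAM limit stated in the text


def parse_timestamp(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps IAM returns into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def keys_per_user(keys: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count access keys (active or inactive) per user."""
    counts: Dict[str, int] = {}
    for k in keys:
        user = str(k["UserName"])
        counts[user] = counts.get(user, 0) + 1
    return counts


def can_create_key(keys: List[Dict[str, Optional[str]]], user: str) -> bool:
    """Creating a third key fails at the IAM limit; check before trying."""
    return keys_per_user(keys).get(user, 0) < MAX_KEYS_PER_USER


def audit_keys(keys: List[Dict[str, Optional[str]]], now: Optional[datetime] = None,
               max_age_days: int = 90, unused_days: int = 30) -> List[Tuple[str, str]]:
    """Return (AccessKeyId, finding) pairs for keys that deserve attention.

    Thresholds are assumptions for this example, not AWS defaults."""
    now = now or datetime.now(timezone.utc)
    findings: List[Tuple[str, str]] = []
    for k in keys:
        key_id = str(k["AccessKeyId"])
        if k["Status"] == "Inactive":
            findings.append((key_id, "inactive: delete if no longer needed"))
            continue
        created = parse_timestamp(str(k["CreateDate"]))
        if now - created > timedelta(days=max_age_days):
            findings.append((key_id, f"older than {max_age_days} days: rotate"))
        last_used = k["LastUsedDate"]
        if last_used is None:
            findings.append((key_id, "never used: consider deleting"))
        elif now - parse_timestamp(last_used) > timedelta(days=unused_days):
            findings.append((key_id, f"unused for more than {unused_days} days"))
    return findings


if __name__ == "__main__":
    reference_time = parse_timestamp("2024-06-03T00:00:00Z")  # constructed "now"
    for key_id, finding in audit_keys(ACCESS_KEYS, reference_time):
        print(f"{key_id}: {finding}")
    for user in ("admin-user", "ci-deployer"):
        print(f"{user} can create another key: {can_create_key(ACCESS_KEYS, user)}")
```

Run against the constructed data, the audit reports the first admin key as due for rotation and the second as inactive, and it shows that "admin-user" is already at the two-key limit: to rotate, you would delete the inactive key first, then create the replacement.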

Screenshot showing security credentials screen

Conclusion

This topic centered on creating users, groups, and roles in AWS. We also learned how to generate access keys for IAM users to enable programmatic access to AWS services. For user identity management, we explored the AWS IAM Identity Center service. This service serves both as an identity provider (IdP) and a connector to external IdPs. External IdPs should be compatible with either the SAML standard or OpenID Connect. This ensures users can use the same credentials across platforms.

We also delved into the concept of roles. Roles provide temporary access to AWS services, other AWS accounts, or federated users. When an entity takes on a role, it obtains temporary credentials for access to AWS services. Requests go through the AWS STS service, which confirms that the entity can assume the role and validates its permissions. Once validated, it returns temporary credentials that the entity can use.

Further, we studied some permission policies, namely:

  • 'AdministratorAccess', granting full administrative rights;

  • 'Billing', permitting visibility and control over cost and billing.

As we move forward, we will encounter and work with a wide variety of policies, each tailored for a specific use case.
