AWS IAM User - Step-by-Step Tutorial (Part-1)

Captions
All right, so let's start with our first topic, which is AWS IAM roles and users. The first thing we are going to do is sign up for an AWS account. So here I'm just going to open a new tab and type aws.com, and as soon as you open this page, on the right-hand side you will find the option for a complete sign-up, which is present over here. Just click on it, and here you will find a sign-in as well as a "Create new AWS account" option. Since you are trying to register this account for the first time, just click on "Create a new AWS account". Here it will ask for your email address and your account name, so you need to enter your email address, because AWS needs your email account, and that email account needs to be a fresh account which has not been used previously. Since I have already signed up for AWS, I'm not going to perform the sign-up process, because I have my email ID already registered. Here you can enter some email or your account name which you want to use for login purposes. So that's the very simple sign-up process which AWS has, and as soon as you complete the sign-up process, I'm going to show you how the AWS console looks after you perform the login.

All right, so now I'm assuming that you have already signed up for an AWS account. To perform the sign-in, here is the sign-in page, and I'm just going to use the root user option, because if you're doing it for the first time with AWS, by default it is going to give you a root user which has all the privileges for your AWS account. So just select the option "Root user", enter your email address and then click next. Here I have already saved my password in my browser, that's why it is already filled in, but in case you are doing it for the first time, just key in your password and then click on "Sign in". As soon as you sign in, this dashboard might look a little bit different. I'm just going to zoom in a bit over here. Since I have been using this particular AWS console for a long time, you are seeing quite a lot of options popping up over here in the "Recently visited" box, but in your case it might be empty. If you are able to see this console, then you can easily say that you have successfully registered for your AWS account, and this is going to be your root account.

All right, so let's get back to our slide. Here this was our user on the left-hand side; he has performed the sign-up and he is able to see the AWS console page. The key thing which you need to look at over here is that this is a root user. So how will you know that it is a root user? Here on the right-hand side you will see an account ID, and here you will find this particular account ID as well as these particular options, like account, organizations, billing dashboard and security credentials. Although if you're not a root user you will also see similar options, since you are a root user you will not see here an option for "Switch role". So that's the key thing which you need to look for once you sign up with your root user account. One more thing which I would like to show you is the billing dashboard. Since I have been using this account for a long time, you can see some cost associated with my billing cycle, because I have been using some of the resources. Here you will find all the options, and you will be able to see all of these details because you are the root user for this AWS account. So this is the key thing which you need to keep in mind, and as a good practice in AWS it is recommended that we should not use the root user account a lot for creating or managing our resources; we should create IAM users. I'm just going to tell you more about those IAM users later, but these are just some good practices from AWS.

So let's go back to our console. This is the sign-up; after sign-up we are seeing this console, and this is the first step which I would like to show you before we go deep into IAM roles and users. So here this is the user; we have performed the sign-up and we are able to see the AWS console as a root account. As I have already told you, what a root user can do: a root account can manage the IAM permissions, like which user needs to access which resources, so it's pretty much like controlling the permissions of your whole AWS account. So these are the things, or these are the powers, which are associated with our root account. It can also control the billing, so if you are using an AWS account for a company, then you might need to associate some credit card with your billing account so that billing can happen and you can use your AWS services continuously. So it can control the billing, as well as all the resources and the permissions associated with those resources. So pretty much this root account has access to everything inside your AWS account.

All right, now talking more specifically about the IAM user. We have created a root account, and that root account is already visible over here, which is Rahul Wagh, my personal root account. Now what we are going to do is create an IAM user. The name of the IAM user is going to be "test user", and this user has very limited permissions. When we create this particular test user, that user will not have permission to view any of those resources. So our root user is going to first create a test user, and we are going to call it the IAM test user; we just call every user here an IAM user. So the name of the user is test user. Secondly, we are going to create some policies. Those policies govern the access to the resources. In AWS we have so many resources, and to control those resources we need to define IAM policies. So here we are going to create an IAM policy, and with the help of that policy we are going to allow access to the S3 bucket. An S3 bucket is like storage where we put our files, our configuration or our media files; anything which is big in size you can store in your S3 bucket. So we are going to create a policy to allow that particular user to access the S3 bucket. This is the very simple use case which we are going to cover, and which is going to explain how the IAM users are created and how the IAM policies, i.e. the permissions, are assigned to those particular users.

All right, so what I'm going to do is head over to the console. Here, in the search box, you need to type IAM and click on this particular option, IAM. Click on "Users" on the left-hand side. Here I have already created one user, so just ignore it; in your case, if you're doing it for the first time, this whole page will be empty and there will not be any pre-existing users. Click on "Create user". Here you need to enter the name of the user; in our case we are going to name it "test user". "Provide user access to the AWS Management Console" is optional; we are going to enable it later, and I'm going to explain it to you later. Okay, so here, "Set permissions": "Add user to a group". We are just going to select this option and click next, and here it is asking us to review the details. We have assigned the username; we have not assigned any group to that particular user. I'm going to explain the group thing later in this chapter, so just keep in mind we are keeping our flow very simple: we are just creating a user, that's it. Then click on "Create user", and here you can see we got the user "test user" which has just been created. Click on this particular user and here you can see the details. The first thing which you need to be careful about over here is the ARN. This is a resource ID, or the ARN as we call it in AWS; this is the resource ID which is always unique for any resource which you create inside AWS. So for this user this is going to be the ARN, and if you create any EC2 instance or S3 bucket or any other resource in AWS, it will always grant you an ARN. This ARN belongs to this particular user, so that's key information which you need to keep in mind.

Now you might be wondering that we have created this test user, but I'm still logged in as Rahul Wagh, which you can see over here: this is the account ID and this is the name, which is r.w. So how can I log in with our test user account? That is also possible. What you need to do, once you create this user, is go to "Security credentials", and then you need to enable the console access; that will allow you to grant the AWS console access. I mean this access once we have logged in, this particular UI, which we call the AWS console: you will be able to have the AWS console for that particular user. So first we need to enable that console option for that particular user. I'm going to go to IAM again, click on "Users", click on "test user", go to "Security credentials", go to "Enable console access" and click on "Enable". Once you enable the AWS console, you need to set the user name, which we have already set up, but you also need to set up the password. Here it will ask for an autogenerated password or a custom one, so it's up to you. This is just for testing purposes, so I'm going to use the autogenerated password. And here is one more option: "User must create a new password at next sign-in". If you enable this checkbox when creating this user, the user needs to set his or her password when logging in for the first time. This is just for testing purposes, so I'm just going to uncheck it and apply. Here you can see, here you will find the URL which you need to use for performing the login; this is a very specific URL for that particular test user. This is the name of the user and this is the password, so just copy these details somewhere and secure them, and then we are going to use these details to perform the login using my test user.

All right, so what I'm going to do is open a private or incognito window over here, and here I'm going to enter the URL. First of all I'm going to zoom in a bit, and this URL I can show you again: this is the URL which I am using, which I got once I created the user and enabled the AWS console. This is the URL which I'm going to use; I'm going to hit enter once again. It's going to prefill the account ID over here, so you don't need to do anything. Here you need to enter the name, so I'm going to enter the name "test user", and I'm going to copy the password from my notepad, which we already copied when we created this user. I'm going to put in that password and click on "Sign in". As you can see (I'm just going to close this one), this is the first time I'm doing the sign-in using the test user account; that's why we are getting these options. Click on next, done. I'm going to ignore all these, accept all cookies, and zoom in a bit so that you can see. So here you can see this is the fresh console, and this is the first time this test user is going to perform the login, and here you can see the option for "Switch role" also, which means this is an IAM user and not a root user. I would also like to show you a few things over here. Let's start with S3; S3 is the bucket. Let's try to see if that user has permission to do anything over here. Let's go and click on "Buckets", and here you can see "You don't have permission to list buckets". Which means that as soon as you create a test user, or IAM user, in AWS, by default AWS doesn't provide any access to that particular user, so you need to create a permission policy so that that user can access any specific resource. Here I have just taken the example of an S3 bucket, and here you can see it cannot view any of the existing S3 buckets. Although I have not created any bucket, here you can see that error message that you don't have permission to list the buckets. Instead, if I go to my root user account (I'm going to minimize this, close this one and go to AWS), here you can see this is the root user account, r.w, and if I go to S3 and go to "Buckets" over here, you will see that I'm not getting any error, because I am a root user and I have all the permissions. So that's the key difference I just wanted to highlight to you over here.

The next thing we will do is create a policy for that particular user so that the user can access the S3 resources. This is a very common example which I'm taking, and the same principle, the same policy, we can use and customize to provide access to any other resource, for example EC2, ECR (the container repository) or Secrets Manager; everything you can cover, govern or provide access to using IAM policies. Okay, let's take a look at the slide for a moment. Here we have created a root account, we have created a test user also, but we have not yet created the IAM policy, which is the permission. So let's take a look at this permission and what I have mentioned inside this permission policy document. Here this is the version, which is like an ideal syntax from AWS which you need to follow; then the statement block, and inside that statement block you need to provide the Sid. This Sid is unique; you can keep any name of your choice, and it has to be a little bit suitable to what that particular policy document is doing. But here this was just for demo purposes, so I have just written "Statement1", but instead of "Statement1" you can put something like "AllowS3Access", which is more suitable for this use case. Effect, which means allow: it is going to allow access. Instead, effect can also be "Deny", which means you're going to deny the permission or deny the access, but here we just wanted to test the allow, that's why I have kept it as allow. Action "s3" with a wildcard star, which means I'm going to allow all the S3 access, so it can view the bucket, create the bucket, delete the bucket and perform any kind of operation which relates to the S3 bucket; the user can perform any operation on that particular S3 resource. And finally the resource, which is star, so anyone who has this permission can perform this action. So that's the policy, or the permission, which we need to grant to that particular user.

All right, so now the question comes: how to create this policy? Again go back to our root user; this is the root user console. Go to IAM (just type IAM over here), go to "Policies" and click on "Create policy". Here these are the default policies which have been created by AWS, but I'm not going to use the AWS default policies; instead I'm going to create a new policy. Here I'm going to click on JSON, because I feel JSON is more powerful than the UI: here you can see everything in JSON format, and once you see the code you feel more control over the permission. So here, for the action, what I'm going to do is put "s3:*", and for the resource I'm going to put "*", and for the statement, as I told you, we can put something meaningful over here, so "AllowS3Access". Once you create this, and if there are no errors, you can just click next. Here you can provide the policy details; just for testing purposes I'm going to use "test user allow S3 access". This is the policy name which I'm going to assign. After that, here you can see it has already taken S3, because we are allowing all S3 access, so here you can see "Full access". Whatever we have mentioned inside our JSON document is now getting interpreted, and here you can see the conversion: it is saying full access to all resources, and the request condition is none, because we are not specifying any specific condition on which we are allowing or denying; we are just allowing everything. Here I'm going to click on "Create policy", and here you can see this is the policy which we have created. In case you didn't see this policy, just use the search box over here and you can verify the policy which has been created.

Now the next thing we need to do is assign this policy to that particular user, and this policy assignment can only be done with the root user. Okay, for that, again go to AWS, go to IAM, click on IAM and go to "Users". Click on "test user", because we need to assign that policy to the test user, and go to "Add permissions" over here. Here you will find an option to create an inline policy or add permissions. I'm going to click on "Add permissions", because we have already created a permission and now we need to attach it. So I'm going to click on "Add permissions": "Add user to group", "Attach policies directly". I'm going to select "Attach policies directly", and here you will see the list of policies which exist. I'm going to use the search, like "test user allow S3"; here you can see the policy. I'm going to select this one, click on next and then click on "Add permissions". Now here you can see, for this particular test user, the green message, which means the policy has been added. So for this particular test user we have allowed access to the S3 bucket, and this policy has been attached to the test user, which means that particular test user should be able to access the S3 buckets. I'm going to open the other incognito window where I have logged in as the test user. I'm going to head over to my browser and open the test user console; just give me a second. Here you can see (I'm going to zoom in a bit so that you can see) this was the page when I opened it before I assigned the permission to the test user, and this was the error message which we were getting. Now I need to refresh this page and this error message should be gone. I'm going to click and refresh this page, and here you can see the error message has gone, and now the user will be able to view the buckets. Although there are no buckets which I have created, at least from the permission side you can see that error message is no longer visible over here. So this is how you create a user and assign a permission to that particular user. Although I have taken the example of S3, the same concept can be applied to create a permission policy for any AWS resource.

All right, so let's take a look back at our slide, and now you can relate how the IAM users are created and how the permissions are associated with those users. The next concept which I'm going to talk about is groups. You can also create a group, and inside that group you can create multiple users, and that is also quite a useful feature. Here again I'm using the root account, and that root account is going to create a group which is a demo group. I'm taking a very hypothetical example over here, but in a real-time scenario you might have multiple users in your organization, and you can divide those users in terms of groups: one group can be a developer group, one group can be a tester group, and one group can be product specialists or account managers. These are a few examples where you can create a group and assign users inside that particular group. Previously we just created a test user without any group, but here I'm going to do one thing: I'm going to create a demo group, and inside that demo group I'm going to create a user, which is the test user, and then we are going to assign a policy. Previously we assigned a policy to the test user, but this time we are going to assign a policy to the group, so that any user present inside that group has the permission which we have created. Instead of creating those permissions specifically for users, we can just create them at the group level, and by default the users which are present (here the test user is present inside the demo group) inherit them; this particular test user is going to inherit those permissions from the demo group. So here again we are going to create this policy, and then we are going to test whether that particular user is able to access the S3 bucket or not. So this is the example for a group which we are going to take.

Let's head over to our IAM console. The first thing I'm going to do is delete the permission which I created for this particular test user. This is the test user and this is the permission, so I'm going to remove it: "Remove policy", that's done. I'm going to go to the left-hand side and click on "User groups", then click on "Create group". Here I'm going to type the name, so let's say "demo group", and then... oh, wait a second, here we need to create a user... create a group... oh, here it is. So here this is the option "Create group"; I'm going to click on "Create group", and here you can see the group is empty, because there are no users inside that particular group and the permissions are not defined. We have not created any permissions; we have just created a group. Click on this demo group, click on "Add users", and here we already have a test user, so I'm going to select the test user and click on "Add users". Let's click on this "User groups" link once again, and here you can see the demo group now has one user, but we have still not defined the permissions. So we need to define the permissions at the group level. Again click on this particular group, click on "Permissions", click on "Add permissions" and click on "Attach policies", because we have already created the S3 policy. But before we attach a policy to the group, let's go to the incognito window where we have the test user; let me open that one, just give me a second. Since we have removed that policy from the test user and we have not yet assigned that policy to the group, this user doesn't have the S3 view permission. Let's refresh it, and here you can see the error is coming over here again. So what we need to do now is again go here in the demo group (the demo group has the user "test user"), and again go here: "Attach policies", click on this "test user allow S3 bucket". Although I'm just reusing this policy, it doesn't matter what name you keep for a policy; you can reuse those policies. I'm going to select this one and click on "Add permissions", click on "Add permissions", and here you can see now this particular demo group has permission to access S3, which means any user present inside this particular group, the demo group, should have permission to access the S3 bucket, which we can verify once again. Again I'm going to open the other window, just give me a second, and here it is. I'm going to refresh this one, because the test user is now inheriting the policy from the group, the demo group. I'm going to refresh this one, and here you can see that error message is gone, and now the test user is able to access the S3 bucket and perform any action which needs to be done on S3. So this is how you can control access at the group level also: you need to create a group, inside the group create or attach a user, and after attaching a user you can also attach the policies, which will be applicable to all the users inside that particular group.

So let's go back to the slide and see once again over here. Here you can see this was a root user which created a demo group; inside the demo group we have created a test user, and then for that particular group we have created this particular policy, and once we have assigned that policy, this particular test user is able to access the S3 bucket. So that's the very basic concept of IAM users, permissions and user groups, which is quite useful for managing access and permissions within the AWS cloud environment.
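Added here as an illustration, not code from the video or from AWS: a small Python model of the three states the video walks through (fresh IAM user with no access, the `s3:*` policy attached directly to the user, the same policy attached to a group the user belongs to) and the evaluation rule behind them: start from implicit deny, an explicit Allow grants, an explicit Deny overrides. The `Account` class, `evaluate`, the `test-user` and `demo-group` names, and the placeholder bucket `example-bucket` are assumptions of this example; the `ALLOW_S3_ACCESS` document follows the one the video builds (`s3:*` on `Resource: *`), and `"2012-10-17"` is the current IAM policy language version. The narrower `LIST_ONE_BUCKET` document is added for contrast: `s3:*` on `*` grants every S3 action on every bucket in the account, which is fine for a demo but wider than most real users need, so it is the first thing to tighten once the flow is understood.

```python
import fnmatch
import json

# The policy document the video builds in the console JSON editor: Version,
# then one Statement carrying Sid, Effect, Action "s3:*" and Resource "*".
ALLOW_S3_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3Access", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
}

# Narrower variant added for contrast (not in the video): list one bucket only.
# "example-bucket" is a placeholder, not a real bucket.
LIST_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListOneBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket"}
    ],
}

def policy_json(doc):
    """Render a policy dict as the JSON text you would paste into the console editor."""
    return json.dumps(doc, indent=4)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_applies(stmt, action, resource):
    """True when both the Action and the Resource patterns of a statement match.
    '*' and '?' are the IAM wildcards; action names compare case-insensitively."""
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok

def evaluate(policies, action, resource="*"):
    """Simplified decision over identity-based policies (assumption of this example,
    not the full IAM evaluator): implicit deny unless an Allow matches; Deny wins."""
    decision = "ImplicitDeny"
    for doc in policies:
        for stmt in doc["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

class Account:
    """In-memory stand-in for the IAM users, groups and policy attachments in the video."""
    def __init__(self):
        self.users = {}    # user name -> list of attached policy documents
        self.groups = {}   # group name -> {"users": set(), "policies": []}
    def create_user(self, name):
        self.users[name] = []
    def attach_user_policy(self, user, doc):
        self.users[user].append(doc)
    def detach_user_policy(self, user, doc):
        self.users[user].remove(doc)
    def create_group(self, name):
        self.groups[name] = {"users": set(), "policies": []}
    def add_user_to_group(self, user, group):
        self.groups[group]["users"].add(user)
    def attach_group_policy(self, group, doc):
        self.groups[group]["policies"].append(doc)
    def effective_policies(self, user):
        # Group policies are inherited by every member, as the video demonstrates.
        docs = list(self.users[user])
        for group in self.groups.values():
            if user in group["users"]:
                docs.extend(group["policies"])
        return docs
    def check(self, user, action, resource="*"):
        return evaluate(self.effective_policies(user), action, resource)

def walk_through():
    """Replay the video's sequence and return the decision after each step."""
    acct = Account()
    acct.create_user("test-user")
    steps = {"fresh user": acct.check("test-user", "s3:ListAllMyBuckets")}
    acct.attach_user_policy("test-user", ALLOW_S3_ACCESS)
    steps["policy on user"] = acct.check("test-user", "s3:ListAllMyBuckets")
    acct.detach_user_policy("test-user", ALLOW_S3_ACCESS)
    steps["policy removed"] = acct.check("test-user", "s3:ListAllMyBuckets")
    acct.create_group("demo-group")
    acct.add_user_to_group("test-user", "demo-group")
    acct.attach_group_policy("demo-group", ALLOW_S3_ACCESS)
    steps["policy on group"] = acct.check("test-user", "s3:ListAllMyBuckets")
    # The S3 policy says nothing about EC2, so EC2 stays implicitly denied.
    steps["ec2 via group"] = acct.check("test-user", "ec2:DescribeInstances")
    return steps

if __name__ == "__main__":
    print(policy_json(ALLOW_S3_ACCESS))
    for step, decision in walk_through().items():
        print(f"{step:16} -> {decision}")
```

Running the file prints the policy JSON followed by the decision at each step; `fresh user` and `policy removed` come out as `ImplicitDeny` (the "You don't have permission to list buckets" state in the video), while `policy on user` and `policy on group` come out as `Allow`. The `LIST_ONE_BUCKET` document shows the shape of a scoped grant: one action, one bucket ARN, implicit deny for everything else.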
Info
Channel: Rahul Wagh
Views: 41,238
Keywords: AWS, IAM Roles, IAM users, User group, Add IAM user to group, Attach policy to group, create User group
Id: bO25vbkoJlA
Length: 26min 14sec (1574 seconds)
Published: Mon Oct 09 2023