Simplified User Management for AWS

Managing the users who access and administer your Amazon Web Services resources can quickly become a disorganized and tedious process involving many tasks: creating and deleting users, granting and revoking privileges, granting and revoking temporary third-party access, checking that company requirements are met, and so on.

In this article, we explain how to simplify user management while enforcing AWS best practices using awless, a powerful command line interface (CLI) for AWS. awless is an open source project that was released in February 2017 and quickly gained traction, with more than 3k stars on GitHub and attracting praise from key AWS evangelists. We tour several features of awless including its templating engine and give suggestions for further automation.

Are you root?

When you sign up, AWS gives you the account's root user, which has unrestricted privileges. The best practice is not to use the root account for day-to-day work: every organization should create IAM users and roles instead, protect the root credentials with MFA, and reserve root for the few tasks that require it.

Suppose we have just signed in to AWS with the root account. We can use awless to create a new user who will receive administrator rights:

> awless create user name=john

The user exists, but john cannot log in yet because he has no credentials. We can use awless to generate an Access Key ID and a Secret Access Key (the CLI and SDK credentials) and save them under a profile name, for example admin:

> awless create accesskey user=john
[...]
Do you want to save in your .aws/credentials? (y/n) y
Entry name in .aws/credentials? [default] admin

john can now log in, but he is not an administrator yet. Create an administrators group and attach the AWS-managed AdministratorAccess policy to it:

> awless create group name=administrators
> awless attach policy arn=arn:aws:iam::aws:policy/AdministratorAccess group=administrators

Add john to the administrators group:

> awless attach user name=john group=administrators

Configure awless to use the newly created admin profile by setting the aws.profile key:

> awless config set aws.profile admin

Now verify that subsequent commands run as john rather than as root:

> awless whoami

Create groups & policies

AWS manages fine-grained access to services and resources with policies. A policy explicitly lists the permissions that are granted (or denied) and can be attached to users, groups, roles, or resources.

As seen in the previous section, the recommended steps to give permissions to users are:

  1. create a group,
  2. attach policies (i.e. permissions) to the group,
  3. add users to the relevant groups.

Suppose you are a startup using AWS and you want to organize your users' permissions. First, we create a group managers that will:

  • have EC2 (infrastructure) readonly access
  • have IAM (identity access management) readonly access
  • have S3 (storage service) readonly access

> awless create group name=managers
> awless attach policy service=ec2 access=readonly group=managers
> awless attach policy service=iam access=readonly group=managers
> awless attach policy service=s3 access=readonly group=managers

Second, we create a more DevOps-oriented group devops that will:

  • have RDS (databases), EC2 and Lambda (serverless functions) full access
  • have IAM readonly access

> awless create group name=devops
> awless attach policy service=rds access=full group=devops
> awless attach policy service=ec2 access=full group=devops
> awless attach policy service=lambda access=full group=devops
> awless attach policy service=iam access=readonly group=devops

The marketing team only needs access to one S3 bucket. Let's create a custom policy that grants access to this specific bucket (marketingExampleBucket).

So far, we have only used awless with one-liner commands. A powerful feature of awless is its templating engine.

Let's create a template file marketing-group.aws (basically a sequence of one-liners) with the following content:

# Filename: marketing-group.aws
marketingPol = create policy name=AllowMarketingBucket effect=allow resource=arn:aws:s3:::marketingExampleBucket/* action=s3:PutObject,s3:PutObjectAcl,s3:GetObject,s3:GetObjectAcl,s3:DeleteObject
create group name=marketing
attach policy group=marketing arn=$marketingPol

Note that the policy's resource is the object-level ARN (the trailing /*): members can read, write and delete objects, but they cannot list the bucket's contents, because s3:ListBucket is evaluated against the bucket ARN itself (arn:aws:s3:::marketingExampleBucket) and needs its own statement if the team needs listing. Run this template to create the marketing group:

> awless run marketing-group.aws
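The one-liner above maps its effect, resource and action parameters onto an IAM policy document. The script below is an added example, not awless's own code: it builds the document the parameters describe (awless's exact serialization is not shown on the page, so the document shape is assumed from the IAM policy grammar), and runs a toy evaluator over it to show what the marketing group can and cannot do, including the listing caveat above. The evaluator models only Effect, Action and Resource with the IAM `*` wildcard; Condition, Principal and NotAction are not modelled.

```python
import fnmatch
import json

# Added example, not awless's own code. Bucket name taken from the page.
BUCKET_ARN = "arn:aws:s3:::marketingExampleBucket"


def build_policy(effect, resource, actions):
    """Turn effect/resource/action parameters into an IAM policy document
    (assumed shape: the standard IAM policy grammar)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": effect.capitalize(),      # "allow" -> "Allow"
            "Action": list(actions),
            "Resource": resource,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """IAM evaluation in miniature: implicit deny, an explicit Deny always
    wins, otherwise any matching Allow statement grants the request."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The page's policy: object-level access only, hence the trailing "/*".
MARKETING_POLICY = build_policy(
    "allow",
    BUCKET_ARN + "/*",
    ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
     "s3:GetObjectAcl", "s3:DeleteObject"],
)


def with_listing(policy):
    """Return a copy that also lets the team list the bucket: s3:ListBucket
    is evaluated against the bucket ARN itself, not against object ARNs."""
    extended = json.loads(json.dumps(policy))  # deep copy
    extended["Statement"].append({
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": BUCKET_ARN,
    })
    return extended


if __name__ == "__main__":
    print(json.dumps(MARKETING_POLICY, indent=2))
    obj = BUCKET_ARN + "/2017/report.pdf"
    print("put object   :", is_allowed(MARKETING_POLICY, "s3:PutObject", obj))
    print("list bucket  :", is_allowed(MARKETING_POLICY, "s3:ListBucket", BUCKET_ARN))
    print("list (fixed) :", is_allowed(with_listing(MARKETING_POLICY), "s3:ListBucket", BUCKET_ARN))
    print("other bucket :", is_allowed(MARKETING_POLICY, "s3:GetObject", "arn:aws:s3:::otherBucket/x"))
```

Running the script prints the document and shows that PutObject on an object under the bucket is allowed, that ListBucket on the bucket is denied until the second statement is added, and that objects in any other bucket stay out of reach.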

Registering a new user

So far, as an administrator, we have created groups and policies.

Let's now create a new user named alice, the manager of the DevOps team, with the appropriate privileges. We follow the standard IAM process for creating a user. First, create the user:

> awless create user name=alice

Then, generate the access keys (used as CLI and SDK credentials) for the new user:

> awless create accesskey user=alice
****************************************************************
aws_access_key_id = ABCDEFGH1234EXAMPLE
aws_secret_access_key = AbcDefGhiJkLm1no2pqrs3tuv4wx5yzAbcDefGh/y
****************************************************************

Hand the sensitive credentials to the new user out of band, over a channel you control (the authors suggest a flash drive); do not send them by email or chat. The secret access key is displayed only once, at creation time.

Now we give permissions to alice by adding her to the appropriate groups:

> awless attach user name=alice group=devops
> awless attach user name=alice group=managers

If you want to give alice access to the AWS Web console, run:

> awless create loginprofile username=alice password=PutHereATemporaryPassword password-reset=true

Thanks to the password-reset=true parameter, the AWS console will force the user to choose a new password at first sign-in.

Inspecting existing users

awless can also list resources and show their relations. Let’s explore our users with:

> awless list users 
> awless list users --sort created
> awless ls users --format csv

Or inspect a resource and its relations (users, groups, policies, …) with:

> awless show alice
> awless show managers

Note that awless show resolves a resource from its name alone; an id or ARN works as well.

Revoking a user

When Alice leaves the company, we want to remove her IAM user. IAM refuses to delete a user that still has dependencies (group memberships, login profile, access keys, attached policies, MFA devices), so we remove them in order. First, remove her from her groups, which revokes her permissions immediately:

> awless detach user name=alice group=devops
> awless detach user name=alice group=managers

If she had console access, delete the login profile:

> awless delete loginprofile username=alice

Delete alice's access key (repeat for each key; a user can hold up to two):

> awless delete accesskey id=ABCDEFGH1234EXAMPLE user=alice

Then, you can delete the alice user by running:

> awless delete user name=alice

Deleting resources is notoriously difficult with AWS because of dependency violations. An upcoming version of awless will include a --cascade flag to perform the full deletion of a resource and its dependencies in one command, presenting the complete list of required actions (delete, detach, etc.) with the usual confirmation prompt.
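Until such a cascade exists, the dependency order above has to be produced by hand. The script below is an added example, not awless's own code: from a constructed inventory of a user's dependencies (in practice you would read it off `awless show alice`) it emits the one-liners in an order that revokes access first and ends with `delete user`. It uses the page's awless syntax; the `detach policy user=... arn=...` form is assumed by analogy with the page's `attach policy group=`, and the name check refuses anything that could smuggle an extra `key=value` into a command.

```python
import re

# Added example, not awless's own code.
# A subset of the characters IAM allows in user and group names; '=' and
# whitespace are excluded because they would alter a one-liner's parameters.
IAM_NAME = re.compile(r"^[\w+,.@-]{1,64}$", re.ASCII)

ALICE = {  # constructed sample inventory, mirroring the page's alice
    "groups": ["devops", "managers"],
    "attached_policies": [],
    "login_profile": True,
    "access_keys": ["ABCDEFGH1234EXAMPLE"],
}


def _check_name(name):
    if not IAM_NAME.match(name):
        raise ValueError(f"not a safe IAM name: {name!r}")
    return name


def offboarding_plan(user, inventory):
    """Return the awless one-liners that remove every dependency IAM checks
    before `delete user` is accepted, in an order that revokes access first.
    MFA devices, signing certificates and inline policies also block deletion
    but have no one-liner on this page; handle them separately."""
    user = _check_name(user)
    plan = []
    # 1. Group memberships: permissions disappear as soon as these run.
    for group in inventory.get("groups", []):
        plan.append(f"awless detach user name={user} group={_check_name(group)}")
    # 2. Policies attached directly to the user (assumed awless parameters).
    for arn in inventory.get("attached_policies", []):
        plan.append(f"awless detach policy user={user} arn={arn}")
    # 3. Console access.
    if inventory.get("login_profile"):
        plan.append(f"awless delete loginprofile username={user}")
    # 4. Every access key; a user can hold up to two at a time.
    for key_id in inventory.get("access_keys", []):
        plan.append(f"awless delete accesskey id={key_id} user={user}")
    # 5. Only now does IAM accept the deletion.
    plan.append(f"awless delete user name={user}")
    return plan


if __name__ == "__main__":
    print("\n".join(offboarding_plan("alice", ALICE)))
```

Pipe the output into a shell once reviewed, or paste it into an awless template file; either way the detach lines run before anything is deleted, and the user deletion is always last.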

Using awless templates

We would like user creation to be more scriptable. As seen previously, let's create a template file, this time one that fully sets up a new DevOps manager.

# Filename: new_devops_manager.aws
create user name={username}
create accesskey user={username}
create loginprofile username={username} password={temp.password} password-reset=true
attach user name={username} group=devops
attach user name={username} group=managers

This template uses holes, written {...}: named values that are missing from the file and filled in at run time.

Run this template, providing values for both the username and temp.password holes:

> awless run /home/jsmith/new_devops_manager.aws username=Alice temp.password=azerty

As usual, awless never writes to the cloud without a confirmation prompt.
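To make the hole mechanism concrete, here is an added example, not awless's own template engine: a minimal renderer that resolves `{holes}` from `key=value` arguments the way the run command above is invoked. It embeds the page's new_devops_manager.aws so it runs offline, refuses to render when a hole is left unfilled, and rejects values containing whitespace or `=`, which would otherwise turn one parameter into several (for example a username of `alice group=administrators`). The whitelist is a conservative assumption, stricter than what awless or IAM accept.

```python
import re

# Added example, not awless's own template engine.
# The page's template, embedded so the script is self-contained.
NEW_DEVOPS_MANAGER = """\
# Filename: new_devops_manager.aws
create user name={username}
create accesskey user={username}
create loginprofile username={username} password={temp.password} password-reset=true
attach user name={username} group=devops
attach user name={username} group=managers
"""

HOLE = re.compile(r"\{([A-Za-z0-9_.]+)\}")
# Conservative whitelist (assumption): whitespace or '=' inside a value would
# be parsed as additional parameters once substituted into a one-liner.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9+,.@_:/-]+$")


def parse_args(args):
    """Turn ["username=Alice", "temp.password=azerty"] into a dict."""
    values = {}
    for arg in args:
        key, sep, value = arg.partition("=")
        if not sep or not key:
            raise ValueError(f"expected key=value, got {arg!r}")
        values[key] = value
    return values


def render(template, args):
    """Fill every hole; fail on a missing hole or an unsafe value."""
    values = parse_args(args)
    rendered = []
    for raw in template.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        needed = set(HOLE.findall(line))
        missing = sorted(needed - set(values))
        if missing:
            raise KeyError(f"unfilled holes: {missing}")
        for name in needed:
            if not SAFE_VALUE.match(values[name]):
                raise ValueError(f"unsafe value for {name}: {values[name]!r}")
        rendered.append(HOLE.sub(lambda m: values[m.group(1)], line))
    return rendered


if __name__ == "__main__":
    for line in render(NEW_DEVOPS_MANAGER, ["username=Alice", "temp.password=azerty"]):
        print(line)
```

The rendered lines are exactly the five one-liners the template expands to; the two error paths are the ones worth wiring into any wrapper script that feeds user-supplied values to awless run.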

Note that if you want to revert what you just ran, you can use:

> awless revert 01BSEB9CJV4GFHCW9EC1GWX7J0

The revert reference ID is printed at the end of the awless run command and can also be found in the awless log output.

Installing awless

Ready to try it yourself?

awless is available through:

You can also easily install shell completion for bash or zsh.

Check that awless is properly installed by running:

> awless version

Conclusion

AWS management of users and permissions can be cumbersome. awless eases the process with powerful scriptable commands while enforcing AWS best practices.

Have a look at many more features at the awless repository!

Written by François-Xavier Aguessy, Henri Binsztok and Simon Caplette.