Unseal Account

AWS has two different types of users: the root user and IAM users. The root user is tied to the email address used to sign up for the account and has full permissions. Each account has exactly one root user, from which we can create additional IAM users whose control over the account is limited by the policies attached to them. The first thing we will do after signing up for AWS is log in as the root user, lock down the root user's password with two-factor authentication, and create a new temporary user that has the privileges needed to run our automation scripts.

First, sign in to the AWS console via this link. Enter the email address and then the password you used to sign up for AWS. On the first screen there is a box to find services; type "IAM" into it and hit Enter. This is the only section of AWS that you will ever have to see again.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/34b51694-e521-4e53-81fd-7eb67f345a92/0-aws-console.png

Activating MFA on Root Account

The first thing we are going to do is "Activate MFA on your root account" for security. Click on that, then click "Manage MFA" and "Continue to Security Credentials". Next select the second box down, called "Multi-factor authentication (MFA)", and then "Activate MFA". To enable MFA you will need an authenticator application such as Google Authenticator. Install it on your phone, then hit Continue with "Virtual MFA device" selected and click "Show QR code" in the box. Open Google Authenticator on your phone and add an account; choose the option to scan a barcode and scan the one shown on screen. A 6-digit number will appear. Enter it in the "MFA code 1" box, wait ~20 seconds, and then enter the next code in box 2. Your account is now protected with MFA and we can proceed to create IAM users to deploy infrastructure with.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/5a9ab4f2-327b-4a28-a7f0-f92306661678/1-iam-console.png

Make IAM Users

Next we need to create a temporary user to provision the infrastructure with. IAM users can make changes to your account as long as they have the proper permissions, which are granted to them via policies. To create the user, select "Users" in the left sidebar and then "Add user" on the top bar. Give your new user a name like "AdminTemporary", since we will not be leaving this user active once we are done provisioning infrastructure. Next tick "Programmatic access", which enables the "Next: Permissions" button.

Note: If you are going to be making changes to your account frequently through the web console, you will also want to select "AWS Management Console access", but since we are going to be provisioning everything via API calls, you do not need it in this case.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/23839b3c-3e41-4433-acb0-0df474a9421d/2-iam-console-attach-policy.png

Next select "Attach existing policies directly" and, in the list that appears, tick the checkbox next to the top item, the "AdministratorAccess" policy. The keys we are about to generate will have total control over your account; that is why we are creating a temporary user, which we will destroy at the end of this tutorial so that only your MFA-protected root account can make changes to your account. Select "Next: Tags" at the bottom right, then "Next: Review", then "Create user". You should now see a screen with the keys needed to run automation scripts that make changes to your account; it looks like this:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/28556077-57b1-497b-bc2b-b4f0474b8bb2/3-iam-console-keys.png

Copy both the Access key ID and the Secret access key, replace the placeholder contents (XXX...) in the commands below with your keys, then copy (Ctrl+C) and paste (right click) the commands into your shell (terminal) one line at a time, hitting Enter after each. This persists your AWS keys on your computer and makes them available for later use. These keys are sensitive: anyone who gains access to your computer can use them to manipulate your AWS account, so keep your computer safe. At any point you can revoke these keys by deleting the identity you just created in your AWS account.

# Mac - Post Catalina OS (version >=10.15)
echo 'export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXX' >> ~/.zshrc 
echo 'export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXX' >> ~/.zshrc 
source ~/.zshrc 

# Linux + WSL + Mac Pre-Catalina (version <10.15) 
echo 'export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXX' >> ~/.bashrc 
echo 'export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXX' >> ~/.bashrc 
source ~/.bashrc 

To validate that you set the permissions properly, run:

# Dependencies
# Mac
brew install python

# Linux / WSL (pip3 comes from the python3-pip package)
sudo apt install python3-pip

# Then, for either system
pip3 install awscli
aws sts get-caller-identity # The output of this command should include your account ID

If the above doesn't work properly, you can bypass setting the credentials in your shell profile and enter them interactively instead by running the following (press Enter to keep the defaults for the region and output format prompts):

aws configure
AWS Access Key ID [None]: YOUR_12_DIGIT_ACCESS_KEY_ID
AWS Secret Access Key [None]: YOUR_SECRET_ACCESS_KEY
Default region name [None]:
Default output format [None]:

Then run the aws sts get-caller-identity command again.
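As an added example that is not part of the original tutorial, the following POSIX shell pre-flight check parses the JSON that aws sts get-caller-identity prints and refuses to continue if the credentials belong to the root account rather than the temporary IAM user created above. The function names, the account ID and the sample JSON documents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a pre-flight check that the
# credentials in the current shell belong to the temporary IAM user (the tutorial's
# "AdminTemporary") and not to the root account, so provisioning scripts never run
# as root by mistake. The JSON shape is that of `aws sts get-caller-identity`; the
# SAMPLE_* documents below are constructed for illustration, not real output.

# Constructed sample outputs (account ID and UserId are made up).
SAMPLE_USER_JSON='{"UserId":"AIDAEXAMPLEUSERID","Account":"123456789012","Arn":"arn:aws:iam::123456789012:user/AdminTemporary"}'
SAMPLE_ROOT_JSON='{"UserId":"123456789012","Account":"123456789012","Arn":"arn:aws:iam::123456789012:root"}'

# Both environment variables from the tutorial must be present before the CLI
# can sign any request. Returns 0 if both are set, 1 otherwise.
creds_in_env() {
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]
}

# Classify the caller described by a get-caller-identity JSON document ($1)
# against the IAM user name we expect ($2):
#   0 -> the expected IAM user          1 -> the root account (refuse to continue)
#   2 -> anything else (another user, an assumed role, or unparsable output)
check_caller() {
    json="$1"
    expected_user="$2"
    # Pull the value of the "Arn" field; works on compact and pretty-printed JSON.
    arn=$(printf '%s\n' "$json" | sed -n 's/.*"Arn" *: *"\([^"]*\)".*/\1/p')
    case "$arn" in
        arn:aws:iam::[0-9]*:root)                   return 1 ;;
        arn:aws:iam::[0-9]*:user/"$expected_user")  return 0 ;;
        *)                                          return 2 ;;
    esac
}

# Live use: run the real CLI call and act on the classification (hypothetical wrapper).
preflight() {
    creds_in_env || { echo "AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY not set" >&2; return 2; }
    identity=$(aws sts get-caller-identity --output json) || return 2
    rc=0; check_caller "$identity" "${1:-AdminTemporary}" || rc=$?
    case $rc in
        0) echo "ok: running as IAM user ${1:-AdminTemporary}" ;;
        1) echo "refusing to run: these are root account credentials" >&2 ;;
        *) echo "unexpected caller: $identity" >&2 ;;
    esac
    return $rc
}
```

Calling preflight at the top of a provisioning script makes the "never automate as root" rule from this page an enforced check rather than a convention.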