Amazon Web Services (AWS) gives us a handy service to manage users, in the form of AWS Identity and Access Management (IAM). In this article, we'll cover how to create a group, how to create a user to place inside of the group, then how to add a newly created policy to manage permissions to that group.

Bryce McDonald

Bryce is an expert systems engineer with the majority of his experience in Powershell, automation, DevOps, and cloud infrastructure. He is based in Kansas City and you can reach him on twitter @_brycemcdonald or on his blog brycematthew.net.

AWS IAM allows us to create users, groups, and manage their permissions with policy documents (which are really just JSON formatted permissions). If you're familiar with user management, the AWS controls should feel fairly intuitive. But even if this is the first user management service you've used, it is very easy to get up and running with it quickly.

Note that to follow this guide, you first have to install the AWS Tools for PowerShell.

Creating a group ^

The first step in our user management task is to create a group for our new user to go into. This will allow us to apply permissions to a number of users, rather than having to manage each user's permissions individually.

To do this with AWS, we'll simply use the New-IAMGroup cmdlet. We'll want to specify the GroupName parameter, which is what we'll name our group. Optionally, if we want to try and keep our users and groups organized (e.g.., by location) we can use the -Path parameter to specify a location within IAM for that group to go. Let's go ahead and create our new group now.

Creating a user ^

In a similar process as above, we'll now create a new user for our group. In this instance, we'll create our first engineer account, and we'll place it in a similar "/chicago/" path as before but this time specifically for users.

Adding a user to a group ^

Now that we have our user and our group, let's put them together.

Since this cmdlet doesn't return an object, we can verify this was successful by querying the group for its users, as I'll show you below. This result will return the usernames of all users in the group we created, "chicagoEngineers."

We could compare this returned object to our response from when we created the user, and we can easily see that the Amazon Resource Name (or ARN, a unique identifier for AWS objects) matches.

Creating a group policy ^

Now that we have created our user and set up our group, let's move forward with the fun part: creating and assigning permissions to the group.

As previously mentioned, the permissions we'll create will eventually be in JSON format. If you're newer to JSON or AWS policies, you may prefer to use the visual editor to create the permissions. This will dynamically generate the JSON notation for us as well as provide you with a GUI of all the permissions you can assign to your users.

To create the policy with the visual editor, we can log into the AWS Management Console, navigate to the IAM service, and select Policies.

Select Policies in the AWS Management Console IAM

Select Policies in the AWS Management Console IAM

After selecting Policies, click Create Policy. From here, we'll select all the permissions we want to give to our group. For our example, we'll give all permissions to the AWS SageMaker and Application Auto Scaling services. We'll select SageMaker as the service, give a wildcard for all manual actions, and we'll also give permissions to All resources as seen in the screenshot below. Once we've done that, we'll click Add additional permissions to add the Application Auto Scaling service to our policy.

Add additional permissions

Add additional permissions

Once we've set up our Application Auto Scaling permissions, we should end up with a screen that looks something like this:

Creating our group policy with the visual editor

Creating our group policy with the visual editor

If we click the JSON button, it will present us with the raw JSON for our policy, which we can copy and place into a file on our local machine. I like to save mine with a descriptive name, so I'll save this into a new file called "sagemaker-and-app-autoscaling-full.json"

Now we're ready to apply our new Group Policy. We'll use the Write-IAMGroupPolicy cmdlet to accomplish this task, specifying a few parameters.

-GroupName: The name of the group to apply the policy to.

-PolicyName: This is the name of the policy we'll create. Amazon recommends a naming convention of <templatename>+<groupname>+<date>. For us, that would mean we'd use the -PolicyName of sagemaker-and-app-autoscaling-full+chicagoEngineers+20180627

-PolicyDocument: This refers to the JSON file we just created. We do need to use the Get-Content -Raw command to format the JSON in the way the AWS PowerShell module expects it.

PS> Write-IAMGroupPolicy -GroupName "chicagoEngineers" -PolicyName "sagemaker-and-app-autoscaling-full+chicagoEngineers+20180627" ‑PolicyDocument (Get-Content -Raw sagemaker-and-app-autoscaling-full.json)

Again, we can double-check we've successfully applied the policy by using the following command and viewing the response.

Viewing the IAM users and groups in the AWS Management Console ^

It's great we've done all of this with the command line, and it feels awesome when we get back the responses to our Get-* statements with AWS PowerShell. Sometimes though, it feels really good to go view our changes we've made from within the GUI. To do this, we'll need to log into the AWS Management Console and select the IAM service.

Once we've done that, we can select the Users tab to verify creation and placement of our user "chicagoEng01" in the group "chicagoEngineers."

User creation verification

User creation verification

Once we click on the user, we'll then be able to see any policies attached to the user. From this screen, we can also see where the policy is applied from (in our case, it's an "inline policy from group chicagoEngineers").

Policy verification

Policy verification

Summary ^

As you've now experienced, it's very quick and easy to get up and running with AWS IAM. In this short while we've created a user, a group, a policy, and attached them all together. Although this was only an example in a simple environment, you can quickly scale user and group creation for any size organization. Now that we've done the basics, we can create more complex and robust policies, more intricate groups, and users for everyone in our organization. I hope you'll soon be fully managing AWS IAM with PowerShell.

Join the 4sysops PowerShell group!

Your question was not answered? Ask in the forum!

1+
Share
1 Comment
  1. Joe Juette 1 year ago

    I have built a script that will build a user using powershell. I would like to do some automation around Get IAM user list by comparing Passwordlastused attribute but I am a bit stuck. I am essentially trying to delete accounts older than a week. Have any tips? Thanks
    Joe

    1+

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account