Help for the VSCode editor.
-
Information only
-
What is the exact version of the CLI installed on the iac-server?
Run the following
aws --version
-
Which command should be used to interact with Identity and Access Management in AWS using the CLI?
If you don't already know the answer, you can try each of the given answers, e.g.
aws identity help
until you find the one that doesn't report "aws: error: argument command: Invalid choice".
-
Which subcommand with iam can be used to list all the users created in aws?
As with the previous question, try e.g.
aws iam user-list help
until you don't get "aws: error: argument operation: Invalid choice".
-
Now, let's learn how to make use of the mocking framework used in the labs.
Run: aws iam list-users
Does it work? No.
-
Now, run the same command but with --endpoint http://aws:4566 as an option:
aws --endpoint http://aws:4566 iam list-users
We need this argument because the default for the aws command is to contact the real AWS. In these labs, we use an AWS simulator which is running in a docker container. We use --endpoint to redirect aws commands to that container.
-
How many IAM Users do you see listed now?
From the output of the command you ran in the previous question, you can see that Users is a JSON array containing two users.
-
Now let's add a few more users! To add more users, we need to make use of the create-user sub-command.
However, we also need to pass in a mandatory option with this command for it to work. Which option should we use?
Refer to the documentation. Mandatory options are the ones not enclosed in square brackets in the Synopsis paragraph, which lists the sub-command first (create-user) and then the options.
-
Create a new user called mary using the AWS CLI.
aws --endpoint http://aws:4566 iam create-user --user-name mary
-
Now, inspect the newly created user mary and find out its ARN (Amazon Resource Name).
This information can be found in the output of the previous command that created the user, or you can run the list-users CLI command again.
-
What is the default region that has been configured for use with the AWS CLI?
AWS CLI configuration is located in the logged-in user's home directory under .aws/config
cat ~/.aws/config
Find the region setting. Note that ~ is shorthand for "my home directory".
-
What is the aws_access_key_id used in the configuration?
AWS CLI credentials are located in the logged-in user's home directory under .aws/credentials
cat ~/.aws/credentials
Find the aws_access_key_id setting. Note that ~ is shorthand for "my home directory".
-
What is the value of aws_secret_access_key used?
From the output of the command you ran in Q12, find the aws_secret_access_key setting.
-
Now that we have a few users created, let's grant them privileges. Let's start with mary, grant her full administrator access by making use of the policy called AdministratorAccess.
- Make use of the subcommand attach-user-policy.
- The ARN of the AdministratorAccess policy is arn:aws:iam::aws:policy/AdministratorAccess.
- Look up the sub-command in the documentation.
- Note the two required options. We need to use both of them.
aws --endpoint http://aws:4566 iam attach-user-policy \
    --user-name mary \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
-
jack and jill are developers and are part of a project called project-sapphire.
Create a new IAM Group called project-sapphire-developers.
- Use the subcommand create-group to create the group.
- Look up the sub-command in the documentation.
- Note the single required argument: the name of the group.
aws --endpoint http://aws:4566 iam create-group \
    --group-name project-sapphire-developers
-
Add the IAM users called jack and jill, who are developers to the new IAM Group called project-sapphire-developers.
- Use the subcommand add-user-to-group to add users into the group.
- Look up the sub-command in the documentation.
- Note the two required options. We need to use both of them.
- Note that we will need to run the command twice, once for each user.
aws --endpoint http://aws:4566 iam add-user-to-group \
    --group-name project-sapphire-developers \
    --user-name jack
aws --endpoint http://aws:4566 iam add-user-to-group \
    --group-name project-sapphire-developers \
    --user-name jill
-
What privileges are granted for jack and jill who are part of the group project-sapphire-developers?
- Check their permissions individually and the ones granted to the group.
A user's permissions are determined by their own directly attached policies, combined with any inherited from the groups they are a member of.
There is a subcommand for each case:
- list-attached-user-policies for checking a user
- list-attached-group-policies for checking a group
aws --endpoint http://aws:4566 iam list-attached-group-policies \
    --group-name project-sapphire-developers
aws --endpoint http://aws:4566 iam list-attached-user-policies \
    --user-name jack
aws --endpoint http://aws:4566 iam list-attached-user-policies \
    --user-name jill
Are there any attached policies in the output of any of the above three commands? If not, then neither has any access.
-
Both jack and jill need complete access to the EC2 service.
- Attach the AmazonEC2FullAccess policy with the ARN arn:aws:iam::aws:policy/AmazonEC2FullAccess to the group project-sapphire-developers.
By adding a policy to the group that both members belong to, they will both inherit the permissions.
- Look up the sub-command in the documentation.
- Note the required arguments.
aws --endpoint http://aws:4566 iam attach-group-policy \
    --group-name project-sapphire-developers \
    --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
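To see how the direct attachment on mary and the group attachment on project-sapphire-developers combine into each user's effective permission set (the point of the last two questions), here is an added example that is not part of the lab: it works on constructed JSON in the shape returned by list-attached-user-policies, list-attached-group-policies and list-groups-for-user (a real IAM subcommand not used in the lab), resolves each policy to its source, and flags which users end up holding AdministratorAccess.

```python
# Constructed sample data (not captured lab output), shaped like the JSON the
# AWS CLI prints for `iam list-attached-user-policies`,
# `iam list-groups-for-user` and `iam list-attached-group-policies`
# after the lab steps above.
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
EC2_ARN = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
GROUP = "project-sapphire-developers"

USER_POLICIES = {  # iam list-attached-user-policies --user-name <user>
    "mary": {"AttachedPolicies": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_ARN}]},
    "jack": {"AttachedPolicies": []},
    "jill": {"AttachedPolicies": []},
}
USER_GROUPS = {  # iam list-groups-for-user --user-name <user>
    "mary": {"Groups": []},
    "jack": {"Groups": [{"GroupName": GROUP}]},
    "jill": {"Groups": [{"GroupName": GROUP}]},
}
GROUP_POLICIES = {  # iam list-attached-group-policies --group-name <group>
    GROUP: {"AttachedPolicies": [{"PolicyName": "AmazonEC2FullAccess", "PolicyArn": EC2_ARN}]},
}


def effective_policies(user, user_policies=USER_POLICIES,
                       user_groups=USER_GROUPS, group_policies=GROUP_POLICIES):
    """Map every managed policy ARN that applies to `user` to its source.

    Group-inherited policies are labelled "group:<name>"; a directly attached
    policy is labelled "user" and takes precedence, because removing the user
    from the group would not revoke it.
    """
    sources = {}
    for member in user_groups.get(user, {"Groups": []})["Groups"]:
        name = member["GroupName"]
        attached = group_policies.get(name, {"AttachedPolicies": []})["AttachedPolicies"]
        for pol in attached:
            sources.setdefault(pol["PolicyArn"], f"group:{name}")
    for pol in user_policies.get(user, {"AttachedPolicies": []})["AttachedPolicies"]:
        sources[pol["PolicyArn"]] = "user"
    return sources


def admin_users(users, **data):
    """Users whose effective set includes AdministratorAccess: the grant an
    access review should look at first."""
    return sorted(u for u in users if ADMIN_ARN in effective_policies(u, **data))


if __name__ == "__main__":
    for u in ("mary", "jack", "jill"):
        print(u, effective_policies(u))
    print("admins:", admin_users(["mary", "jack", "jill"]))
```

Swapping the constructed dictionaries for the parsed output of the three aws commands (run with the same --endpoint http://aws:4566) turns this into a quick review of who really holds what in the lab account.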