What will IAM users use to authenticate themselves when using the AWS CLI?
This time something easier. This time I show how to install AWS CLI 2, add autocompletion and the possibility to use MFA from the command line.
Simple doesn't mean short, however :) Also, the complexity of what we do grows through the tutorial. We will go through the whole process of preparing our CLI to work in a reasonably secure way. All these steps can be found in the AWS documentation, but spread over multiple documents. I used the AWS documentation to check myself while working on this tutorial :) What is it about then?
So, let's get started!

IAM

First, we need to create a user with MFA enabled. I created a standard user, I called him 0 (very creative), and I enabled programmatic access only. To do it, go to 1, click the 2 menu and 3. For this tutorial I attached the policy directly to the newly created user, but DO NOT DO IT IN THE REAL WORLD! This user is a prerequisite here and we do not use it in real work. Maybe I'll write a tutorial with best practices about users :) At the end of the user creation process, I copied the credentials. OK, the user is created. Navigate to his configuration, click the 4 tab, and now it is time to enable MFA.

The process is quite simple. Click 5 next to the setting called 6 (the red oval on the screen above). With 7 the process is almost instant. It is required that you have some MFA app installed (on your phone, not on the laptop where you usually log in to the service; this should be multi-factor authentication!). There are many applications which can be used, Google Authenticator and Duo to name two of them. So, select 7 and click 9. Here we can see what is needed: installation of a compatible app (the list of these apps is provided by AWS), then open your app, scan the code, and put two consecutive codes into the proper fields. Done! We have created an IAM user with MFA enabled. It is time to...

Install AWS CLI

In this tutorial I show how to install the AWS CLI on Linux. In fact, the CLI can be installed on Mac (with brew or from the command line), on Windows (with Chocolatey or from PowerShell), or, for version 1 only, as a Python package (with pip); version 2 is not published on PyPI. First, we need to download the package. Please remember, we work on the latest version here. Commands might differ when a specific version is in scope.
Before we unzip the file, we will do...

Integrity verification

We do it to make sure that this is a valid and proper package. We will verify the PGP signature of the downloaded file against the public key provided by AWS. I assume you have gpg installed; if not, please install it. First, we need to create the public key file using the snippet provided by AWS. So, we simply create a text file and paste this code there:

(This is available in the public documentation on AWS pages. Please verify that nothing has changed.) Import the public key (as I am very creative, I named my file... 0)

The output should be like this:

Now it is time to download the signature file from the remote:

We are ready to verify the package:

The output should be similar to:

Now it is time to unzip the file.

All files are unpacked to the 1 directory. We can remove the files we no longer need.

It is time to do the installation.
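The download, signature check and install steps above, collected into one script. This is an added example and not code from the original post: it assumes curl, unzip, gpg and sudo are available, that you saved the public key block from the AWS CLI documentation as aws-cli-key.asc, and that the key ID below (taken from that documentation) is one you have checked yourself. The point of the check is that the install step never runs unless gpg reports a good signature from exactly that key.

```shell
#!/bin/sh
# Added example (not from the original post): fetch AWS CLI v2 for Linux x86_64,
# verify the detached PGP signature with the AWS CLI Team public key, and only
# then unzip and install. Assumes curl, unzip, gpg and sudo are installed and the
# public key block from the AWS docs has been saved as aws-cli-key.asc.
set -eu

# Long key ID of the AWS CLI Team signing key as printed in the AWS docs.
# Check it against the documentation yourself before trusting this value.
AWS_CLI_KEY_ID="A6310ACC4672475C"

# Download URL for "latest" or for a pinned version (AWS names pinned builds
# awscli-exe-linux-x86_64-<version>.zip). The .sig file lives next to the .zip.
awscli_zip_url() {
  version="${1:-latest}"
  base="https://awscli.amazonaws.com/awscli-exe-linux-x86_64"
  if [ "$version" = "latest" ]; then
    printf '%s.zip\n' "$base"
  else
    printf '%s-%s.zip\n' "$base" "$version"
  fi
}

# Succeeds only if gpg reports GOODSIG from the expected key. Uses gpg's
# machine-readable status lines instead of grepping the human-readable text,
# which changes between gpg versions and locales. Any gpg failure (bad
# signature, unknown key, gpg missing) makes this return 1.
signature_is_valid() {
  zip="$1"; sig="$2"; keyid="$3"
  status=$(gpg --status-fd 1 --verify "$sig" "$zip" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] GOODSIG ${keyid} "
}

install_awscli() {
  version="${1:-latest}"; keyfile="${2:-aws-cli-key.asc}"
  url=$(awscli_zip_url "$version")
  curl -fsSL "$url" -o awscliv2.zip
  curl -fsSL "$url.sig" -o awscliv2.sig
  gpg --import "$keyfile"
  if ! signature_is_valid awscliv2.zip awscliv2.sig "$AWS_CLI_KEY_ID"; then
    echo "signature check FAILED; refusing to install" >&2
    rm -f awscliv2.zip awscliv2.sig
    return 1
  fi
  unzip -q awscliv2.zip      # unpacks into ./aws
  sudo ./aws/install         # default target /usr/local/aws-cli, symlink in /usr/local/bin
  rm -rf awscliv2.zip awscliv2.sig aws
  aws --version
}

# Network and sudo are needed, so the install runs only when explicitly asked:
#   RUN_AWSCLI_INSTALL=1 AWSCLI_VERSION=latest sh install-awscli.sh
if [ "${RUN_AWSCLI_INSTALL:-0}" = "1" ]; then
  install_awscli "${AWSCLI_VERSION:-latest}"
fi
```

Pinning a version (AWSCLI_VERSION=2.x.y) is worth doing on build machines, since "latest" changes under you; the signature check is the same either way.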
In my case (Ubuntu 20.04), the CLI was installed in 2. As I have PATH configured, I can simply use 0

So, this step is done too!

Auto-complete

Well, the AWS CLI is cool, but typing all these long commands in the terminal... no, thank you. Example: 1

It is not comfortable. But we can have auto-completion! Let's configure it now (for bash on Linux). First, AWS recommends checking that one specific piece of software is present and that it is in the proper directory. Let's check: 2

In my case all is ok: 3

If it isn't for you, find the executable and make sure it is in your PATH. In the case of bash, add this line to your 3 (or 4): 4

And reload it: 5

And that is it! Type 6 and press <TAB> twice. First, it will complete to 5. Hit <TAB> once more: 7

Perfect.

CLI configuration

It is time to configure our credentials. Type 8

Pass the Access Key for the user we created in the first step, then the Secret Access Key; for Region use your default one (for me it is 6), and the output format can be left empty.

And... that's it! Let's test it: 9

Hint: this is the fastest way to check whether your credentials work :) And... they work! We saw the bucket list (or an empty list). But hey! One moment please! What about... MFA??? Where is it? Well... Good catch! MFA, as set up so far, is enforced only for interactive sign-in to the console; requests signed with the user's access keys are never challenged for a token unless a policy demands it. Now you think "so... why? Why did we do it?" My answer is: Surprise! I promised to write the tutorial for IAM users, so... now it will come!
The easy way to work with MFA from CLI

IAM Policy with conditions

The point here is that the policy we used does not check whether the request was made with MFA or not. As you remember, during the assignment of the device we saw the message explaining that it will be used during login (in fact, interactive login to the console). But we have a way to make IAM check it for the CLI as well. First, we need to create a new policy. Go to the 1 service, 8, and click the 9 button. Let's use the visual editor for this case. Select 0 for 1, 2 for 3, and 4 for 5, like in the picture below. This is how a standard policy looks. Now we will add the condition for MFA. Open the 6 field and check 7. And that's it! Finish the policy and save it. I named mine 8.

The final policy looks like this: 0

Now in 9 create a new group, and attach our 0 user and the 8 policy. The last step is to remove the previously attached policy (the one we attached to the user directly). This way the user will only have the policies which are attached to the group. What will we see when we try to run our previous command in the CLI? 9

Yes, we cannot list the buckets: 2

Access from CLI with MFA

First, we need to get the ARN of our MFA device. Go to the IAM user, 4, and find the 6. Previously it was empty; now you should see the ARN. Copy this ARN. In the CLI type 3, where:
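Here is the whole "easy way" in one script, as an added example rather than the original post's code. Part 1 prints an identity policy with the MFA condition; it assumes the same shape as the policy built above in the visual editor (S3, all actions, all resources), which is an assumption since the post's exact policy is not shown. Part 2 wraps aws sts get-session-token, passing the MFA device ARN as --serial-number and the current code from the app as --token-code, and prints export lines for the three variables the CLI reads. The ARN, account ID and token code in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Part 1 prints an identity policy
# that grants S3 access only when the request carries MFA; part 2 turns the
# `aws sts get-session-token` result into export lines for the current shell.
# Assumes AWS CLI v2 is installed and `aws configure` stored the user's keys.
set -eu

# Part 1: the policy. Assumed shape: S3, all actions, all resources, plus the
# MFA condition. The key aws:MultiFactorAuthPresent is simply absent from
# requests signed with plain long-term access keys, and an absent key makes a
# Bool condition false, so this Allow no longer matches and `aws s3 ls` is
# denied until the user runs with MFA session credentials.
mfa_s3_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3OnlyWithMFA",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
EOF
}

# Part 2: temporary credentials. sts:GetSessionToken needs no permission in the
# policy; called with --serial-number and --token-code it returns credentials
# for which aws:MultiFactorAuthPresent is true. It must be called with the
# user's long-term keys, not from an existing session. --query flattens the
# JSON to one tab-separated line, so no JSON parser is needed. Duration
# defaults to one hour here; AWS allows IAM users up to 36 hours.
mfa_session() {
  mfa_arn="$1"; token_code="$2"; duration="${3:-3600}"
  creds=$(aws sts get-session-token \
            --serial-number "$mfa_arn" \
            --token-code "$token_code" \
            --duration-seconds "$duration" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
            --output text)
  set -- $creds
  format_exports "$1" "$2" "$3" "$4"
}

# Print the three variables the CLI reads, plus the expiry as a comment.
# Environment variables take precedence over the profile in ~/.aws/credentials,
# so after `eval` every aws call in this shell uses the MFA session.
format_exports() {
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
  printf '# session credentials expire at %s\n' "$4"
}

# Usage (ARN, account ID and code are placeholders):
#   mfa_s3_policy > mfa-s3-policy.json
#   eval "$(mfa_session arn:aws:iam::123456789012:mfa/cli-user 123456)"
#   aws s3 ls
```

When the session expires, unset the three variables (or open a new shell); otherwise every call fails with an expired-token error rather than falling back to the long-term keys.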
You should receive something like this: 4

OK, you even see when your access will expire! Now try 9

If you configured everything correctly, it will show the bucket list.

The recommended way to work with MFA from CLI

While it works and does the job, it is not best practice. It works at small scale, but in a properly configured environment we should use IAM Roles. When you executed 4, something happened: the 5 directory was created (if you did it for the first time) and the default profile was configured. Now we will do a lot of modifications. First, please remove some stuff we did earlier:

We don't need them anymore. Now we will create an IAM Role, and we name it 6 (creativity, remember!). As you can see, I simply added the S3FullAccess policy. We need to modify 7 and pass our user there. Now we are ready to do this:
It is time to modify our 0: 6

In the 6 section we defined which role we want to assume (2), as which user (3), and we also added 4, which does the real job. Let's see it on this example: 7

We get the info about our default user. 8

And here about the role assumed by the user. But! We had to provide the token! Exactly what we expected. 9

Your plain user is not able to list buckets, but your profile is. It means that the user has to assume the role in order to operate.

Is this better practice?

Yes, it is. For multiple reasons:
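The role-based setup above, written out as an added example that is not the original post's code. It generates the two artifacts the post configured by hand: the role's trust policy (the IAM user may assume the role, and only with MFA) and the profile section for ~/.aws/config that makes the CLI assume the role and prompt for the token code. The profile uses the role_arn, source_profile and mfa_serial settings of the AWS CLI, and the managed policy attached is AmazonS3FullAccess. Account ID, user name, role name and MFA device ARN are placeholders you supply; the role-creation step needs credentials allowed to create roles, which the MFA-only user does not have.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the trust policy for the
# role and the ~/.aws/config profile that assumes it with MFA, then (optionally)
# creates the role from the CLI and proves the split between user and profile.
# Account ID, user, role and profile names are placeholders.
set -eu

# Trust policy for the role, the CLI equivalent of editing the trust
# relationship in the console. The Condition means sts:AssumeRole itself is
# refused unless the caller authenticated with MFA, which is exactly what the
# CLI does when mfa_serial is set on the profile.
role_trust_policy() {
  account_id="$1"; user_name="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:user/${user_name}" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
EOF
}

# Profile section for ~/.aws/config. source_profile names the profile holding
# the user's long-term keys (the default one written by `aws configure`),
# role_arn is the role to assume, and mfa_serial makes the CLI prompt for the
# token code and cache the session credentials in ~/.aws/cli/cache until expiry.
role_profile_section() {
  profile="$1"; role_arn="$2"; mfa_arn="$3"; source="${4:-default}"
  printf '[profile %s]\n' "$profile"
  printf 'role_arn = %s\n' "$role_arn"
  printf 'source_profile = %s\n' "$source"
  printf 'mfa_serial = %s\n' "$mfa_arn"
}

# Create the role, attach AmazonS3FullAccess, append the profile, then show the
# split: the plain user is identified but denied on S3, the profile prompts for
# the MFA code and succeeds. Run this with credentials that may create roles.
setup_role() {
  account_id="$1"; user_name="$2"; role_name="$3"; mfa_arn="$4"
  role_trust_policy "$account_id" "$user_name" > trust.json
  aws iam create-role --role-name "$role_name" \
      --assume-role-policy-document file://trust.json
  aws iam attach-role-policy --role-name "$role_name" \
      --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
  role_profile_section "$role_name" \
      "arn:aws:iam::${account_id}:role/${role_name}" \
      "$mfa_arn" >> "$HOME/.aws/config"
  aws sts get-caller-identity                          # the plain IAM user
  aws sts get-caller-identity --profile "$role_name"   # prompts for the MFA code, shows the assumed role
  aws s3 ls --profile "$role_name"                     # works; `aws s3 ls` without --profile is denied
}

# Needs network and real credentials, so it runs only when requested:
#   RUN_ROLE_SETUP=1 AWS_ACCOUNT_ID=123456789012 IAM_USER=cli-user \
#   ROLE_NAME=s3-with-mfa MFA_ARN=arn:aws:iam::123456789012:mfa/cli-user sh setup-role.sh
if [ "${RUN_ROLE_SETUP:-0}" = "1" ]; then
  setup_role "${AWS_ACCOUNT_ID:?}" "${IAM_USER:?}" "${ROLE_NAME:?}" "${MFA_ARN:?}"
fi
```

Because the MFA condition sits on the trust policy, removing the user's S3 policy does not weaken anything: the user keeps no S3 permission of its own, and the only path to S3 is AssumeRole, which IAM refuses without a token.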
Summary

In the end, we should have:

With this setup, I repeat it, but this is imperative to understand, the IAM user is not able to perform any action on its own; the one thing it can do, with MFA, is assume the role. It is used as a "carrier" for the IAM Role we created.

Why we created an IAM Policy then

I am sure you ask yourself about it. Why did we create the policy if we removed it very quickly? Well, I did it on purpose. It is learning by doing. When you created this policy yourself and attached it to the user, you probably had the thought "but this will not work very well! I can easily work around it and not use MFA at all!". If you had this thought, then I achieved my goal, and you better understand the approach to programmatic access to AWS services with an IAM Role.