AWS - IAM

Introduction to AWS Identity and Access Management

AWS CLI and SDK

In this lesson, you’ll learn how to streamline your AWS workflows using the AWS Command Line Interface (CLI) and AWS SDKs. We’ll cover:

  1. Creating an IAM user with console and programmatic access
  2. Configuring the AWS CLI on your local machine
  3. Integrating AWS SDKs within your applications
  4. Organizing permissions using IAM groups

For more details, refer to the AWS CLI User Guide and the AWS SDKs & Tools.


1. IAM User with Access Keys

To enable both console and programmatic access, create an IAM user (e.g., John) and generate an Access Key ID and Secret Access Key. These credentials allow John to authenticate with AWS services via CLI or SDKs.

The image is a diagram illustrating IAM user access keys, showing how a user named John accesses AWS services through the AWS Management Console, CLI, and SDK using specific credentials.

John can now:

  • Execute AWS CLI commands
  • Use AWS SDKs in applications to call AWS service APIs

Warning

Keep your Access Key ID and Secret Access Key secure. Never commit them to version control or expose them in client-side code.


2. Configuring the AWS CLI

Install the AWS CLI, then run:

aws configure

You’ll be prompted for:

  • AWS Access Key ID
  • AWS Secret Access Key
  • Default region name (e.g., us-east-1)
  • Default output format (e.g., json)

Example:

$ aws configure
AWS Access Key ID [None]: AKIAS7790KQGK63WUK6T5
AWS Secret Access Key [None]: kkQEiBjSKrDkWBLO9G/JJKQWIOKL/CpHjMGyoiJWW
Default region name [None]: us-east-1
Default output format [None]: json

Note

Credentials and configuration are stored in:

  • ~/.aws/credentials
  • ~/.aws/config

These files are used by both AWS CLI and AWS SDKs.

Now, any AWS CLI command you execute uses John’s credentials, targets the specified region, and returns JSON output by default.


3. Using AWS SDKs in Applications

AWS SDKs enable you to interact with AWS services programmatically. Below is a high-level flow for a browser-based app using the AWS SDK for JavaScript:

The image is a diagram illustrating the interaction between a browser script using the Amazon SDK for JavaScript, Amazon Polly, and Amazon Cognito, showing the flow of requests and responses.

  1. The browser script initializes the AWS SDK with temporary credentials (often retrieved via Amazon Cognito).
  2. It calls an AWS service API (for example, Polly’s SynthesizeSpeech).
  3. AWS processes the request and returns a response, which the application then handles and renders.

Example: AWS SDK for JavaScript (v3)

import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
import { fromCognitoIdentityPool } from "@aws-sdk/credential-provider-cognito-identity";
import { PollyClient, SynthesizeSpeechCommand } from "@aws-sdk/client-polly";

const REGION = "us-east-1";
const IDENTITY_POOL_ID = "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";

// Initialize credentials
const credentials = fromCognitoIdentityPool({
  client: new CognitoIdentityClient({ region: REGION }),
  identityPoolId: IDENTITY_POOL_ID,
});

// Create Polly client
const polly = new PollyClient({ region: REGION, credentials });

async function synthesizeText(text) {
  const command = new SynthesizeSpeechCommand({
    OutputFormat: "mp3",
    Text: text,
    VoiceId: "Joanna",
  });
  const response = await polly.send(command);
  // Process response.AudioStream
}

4. Managing Permissions with IAM Groups

IAM groups simplify permission management by allowing you to assign policies to multiple users at once. Follow these best practices:

Best PracticeDescriptionExample
Descriptive NamesUse clear, role-based group namesDevelopers, DataScientists, Admins
Granular PoliciesAttach least-privilege policies to groupsAmazonS3ReadOnlyAccess
Role SimilarityGroup users with similar responsibilitiesMarketing, Engineering, Finance

The image is a diagram illustrating the concept of IAM (Identity and Access Management) Groups, highlighting aspects like simplifying user management, using descriptive names, grouping similar roles, and applying policies.

Demo: Creating an IAM Group

  1. Sign in to the AWS Management Console and open the IAM console.
  2. In the navigation pane, choose User groupsCreate group.
  3. Enter a group name (e.g., MarketingTeam).
  4. Attach one or more policies to grant required permissions.
  5. Add existing users (like John) to the group.

Once created, every user in the group inherits the attached policies automatically.


Additional Resources

Watch Video

Watch video content

Previous
Demo Create IAM User